Hacking attempts on port 25



hello

My logs show about 2600 failed logon attempts during a 1 hour period. Looking in the firewall logs and comparing them to the security logs on the server, we can see that port 25 was used. We can also see where they were using names like olivia, lisa or whatever to log in.

So we went to port 25, telnetted in and issued a HELO, and the server responded with

"Identifiers"

ehlo
250-server shows Hello [iP shows]
250-TURN
250-SIZE
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-X-EXPS GSSAPI NTLM LOGIN
250-X-EXPS=LOGIN
250-AUTH GSSAPI NTLM LOGIN
250-AUTH=LOGIN
250-X-LINK2STATE
250-XEXCH50

So are they likely trying to log in using AUTH=LOGIN?

I don't see a way, but I will ask: is there a way to stop that?

I know that email can be spoofed using telnet, but my take on this was that they were using a logon.

Anyone with an idea of wtf they were attempting, or information that may help me with this?


  On 20/09/2010 at 20:37, hdood said:

If you run any sort of server, you can expect thousands of probes, attempted logins, attempted exploits, attempted spam relaying, and so on every day. It's completely normal, fully automated, and happens to everyone.

Agreed, it's not like this is an earth shattering event or that "your" PC is being targeted because it has state secrets on it! :laugh: :laugh:

  On 20/09/2010 at 20:57, Joseph B said:

^This.

It never hurts to make sure it isn't frequently coming from the same IP.

Yeah, obviously if it's being used to try to send SPAM it won't always come from the same IP, but if you just noticed it happening now you can block these IP addresses. A good hint too is to use a SPAM firewall like I use here at work; Barracuda now has a virtual appliance. (Y)

Yeah, I need the email service. It's not really used a lot. It's used by the business application line to send invoices and reminder cards once a month to customers, which is super important, but it's not used to support a bunch of users.

I just wanted to understand what the guy was doing. I see the scans from time to time on other ports like 3389 and am not a nervous nelly. But why would someone pick port 25 to log on with? After a good night's sleep I guess the obvious... he was looking for an email account to hit. Users often have poor passwords, and he was using regular names per the logs and likely using simple passwords.

He just did not know that would not fly here.

Thanks for your input. I am good now.

  On 20/09/2010 at 22:07, bruNo_ said:

I really recommend you Barracuda Spam Firewall to do it.

Can't recommend Barracuda enough; the costs of it are high, but as a hardware spam solution it works fantastically. (Y) As for why they would target port 25 specifically, it would probably be to find out if your server, as someone mentioned above, can be an open relay to send spam through. They will try multiple username/passwords to try and authenticate the outbound sending (that is, if it requires authentication :pinch:).

Barracuda appliance is very nice. The 300 integrates with Exchange/Active Directory. The 100 and 200 do not and require you to add users to the appliance manually. I am a Barracuda reseller.

GFI has a Mail Essentials program that you can install on a server for spam filtering. There are a few other software packages that do this on the Exchange or gateway level.

  On 21/09/2010 at 11:45, alphamale said:

he just did not know that would not fly here.

You make it sound like it's a person sitting there trying to target you specifically. That virtually never happens. They're automated bots that crawl the net. If they find something, they log it. If you hit a million systems, sooner or later you find something. All the failed attempts make no difference, it doesn't waste their time or anything.

  On 21/09/2010 at 13:02, sc302 said:

Barracuda appliance is very nice. The 300 integrates with Exchange/Active Directory. The 100 and 200 do not and require you to add users to the appliance manually. I am a Barracuda reseller.

GFI has a Mail Essentials program that you can install on a server for spam filtering. There are a few other software packages that do this on the Exchange or gateway level.

We have used GFI a couple of times as a software solution, but if there is a lot of e-mail traffic on the network we have found it not to work very well; it tends to fall over. That's why for larger networks we now supply Barracudas as a hardware solution, which works much better. Plus the interface of the Barracuda is brilliant; the logging is much better than Exchange Message Tracker. ;)

Don't get me wrong, the Barracuda is a better product by far, but GFI isn't a bad solution for a small user base if you have the hardware to support it. Even with the Barracuda VMware version, if you don't give it enough resources it will fall over. I have had 2 Barracuda Spam Firewall 100s fall on their faces.

I remember seeing lots of attempts when I was running an FTP server at home. It was fun watching the bots try to log in with username "admin" and password "password".

One time I actually changed the username and password to that to see what would happen... last time I ever try that! lol.

  On 21/09/2010 at 13:02, sc302 said:

Barracuda appliance is very nice. The 300 integrates with Exchange/Active Directory. The 100 and 200 do not and require you to add users to the appliance manually. I am a Barracuda reseller.

GFI has a Mail Essentials program that you can install on a server for spam filtering. There are a few other software packages that do this on the Exchange or gateway level.

I should come to you for a price then ;) We are going to purchase another one for work soon!

  On 21/09/2010 at 17:44, Storm said:

I want a price too sc302 ;)

I'd have to check, I am not sure if I can sell to the UK. What model are you interested in? I have to see if there are any rebates, if not prices are going to be the same as the website. Sometimes they offer rebates where I can sell it for a discount.

The 300 is where Active Directory integration starts. The 300 is 2000 for the appliance, 1 year of updates is 500, and 1 year of instant replacement is another 500. So you are looking at somewhere around 3000 for a 300 that has Active Directory integration; you can go up to 5 years for both, which would put you in the neighborhood of $5500-$6000. This is in USD.

If you want something open source, Barracuda wrote some of the code for SpamAssassin.

If it's a Linux server, install the "deny hosts" package and service.

It will check for login failures of any type (FTP, telnet, SSH, SMTP) and block any that continue to fail. Blocked by IP, automatically.

I like getting the logs of all the blocked attempts :3
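As an added illustration of the two points raised in this thread (the original poster's burst of failed AUTH LOGIN attempts cycling through first names, and the per-IP blocking that DenyHosts-style tools do), here is a small detector that is not from the thread or from any of the products mentioned: it parses constructed SMTP auth log lines, counts failures per source IP inside a sliding time window, and reports the usernames tried. The log format, threshold and window are assumptions for the example, not Exchange's own format.

```python
# Added example, not code from the thread. Detects SMTP AUTH brute-force
# bursts in constructed log lines (format, threshold and window are assumed).
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; the syslog-like format and all values are made up.
SAMPLE_LOG = """\
2010-09-20T20:01:12 smtp[4411]: AUTH LOGIN failed user=olivia src=203.0.113.7
2010-09-20T20:01:13 smtp[4411]: AUTH LOGIN failed user=lisa src=203.0.113.7
2010-09-20T20:01:14 smtp[4411]: AUTH LOGIN failed user=john src=203.0.113.7
2010-09-20T20:01:15 smtp[4411]: AUTH LOGIN failed user=mary src=203.0.113.7
2010-09-20T20:05:40 smtp[4412]: AUTH LOGIN failed user=billing src=198.51.100.9
2010-09-20T21:30:02 smtp[4413]: AUTH LOGIN ok user=billing src=192.0.2.22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) smtp\[\d+\]: AUTH \w+ (?P<result>failed|ok) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_failures(text):
    """Yield (timestamp, user, src) for each failed AUTH line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("result") == "failed":
            yield datetime.fromisoformat(m.group("ts")), m.group("user"), m.group("src")


def find_bruteforce(text, threshold=3, window=timedelta(minutes=60)):
    """Return {src: sorted usernames tried} for every source IP that produced
    at least `threshold` failures within any `window`-long sliding interval.
    A single failure (a user mistyping a password) never trips the threshold."""
    by_src = defaultdict(list)
    for ts, user, src in parse_failures(text):
        by_src[src].append((ts, user))
    flagged = {}
    for src, events in by_src.items():
        events.sort()  # chronological order so the window can slide
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # drop events that fell out of the window
            if end - start + 1 >= threshold:
                flagged[src] = sorted({u for _, u in events})
                break
    return flagged
```

The returned dictionary is what you would feed into a firewall block list (the IP) and into a password-policy review (the usernames, which show whether the guesses are common first names or real accounts).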
