The Community Forums


Brute force attacks on the SMTP

Discussion in 'Security' started by sehh, Dec 10, 2012.

  1. sehh

    sehh Well-Known Member

    In the past 6 months we've seen an increased brute force attack on the SMTP (exim in this case), which has evolved into a bit more sophisticated variant than before.

    First of all, the attacker is using multiple systems that share data between them about the attack and thus one system picks up from where the previous system left off (like when the IP address gets blocked, etc).

    I'm writing this in case anyone else would like to monitor these attacks. I've come up with the following way to do this:

    Code:
    tcpdump -A -n -s 1500 dst port 25
    
    The above command uses tcpdump to monitor connections to port 25 (exim) and filters packets based on a few strings that I thought are useful.

    The output looks like this:

    Code:
    20:47:16.431741 IP 66.64.240.218.8119 > your.ip.address.smtp: P 99:124(25) ack 655 win 64881
    E..A%.@.p...B@..EI........<d..X.P..q....AUTH LOGIN ZmVyZ3Vzb24=
    
    20:47:16.577650 IP 66.64.240.218.8119 > your.ip.address.smtp: P 124:142(18) ack 673 win 64863
    E..:&.@.p...B@..EI........<}..X.P.._....ZmVyZ3Vzb24xMjM=
    
    The above is explained as: client sends AUTH LOGIN username (server replies with a 334 command but not seen here because we told tcpdump to show only incoming commands) and then sends password. Both username and password are base64 encoded. Now, you have to decode the two strings with the base64 command:

    Code:
    echo 'ZmVyZ3Vzb24=' | base64 -d
    ferguson
    echo 'ZmVyZ3Vzb24xMjM=' | base64 -d
    ferguson123
    
    Thus, the client IP address 66.64.240.218 is testing username "ferguson" with password "ferguson123".

    Another client is testing the username "eric" with the following combinations of passwords:
    eric
    eric1
    eric123
    (etc)

    I hope this is helpful to others. If anyone knows how to run base64 in real-time while tcpdump is running, it would be nice to post it. Also helpful is to target the login procedure without having to watch the rest (data commands etc).
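    The real-time decoding asked for above, as an added example that is not from the post or from cPanel: a Python script that reads `tcpdump -A` output from a pipe, follows each client's AUTH LOGIN exchange (username inline, or sent as a separate line after a bare AUTH LOGIN) and reports the decoded username/password guess per source IP. The sample capture, the script name smtp_auth_watch.py and the 192.0.2.10 / 198.51.100.7 addresses are constructed for the example.

    ```python
    import base64
    import re
    import sys
    # Constructed sample of `tcpdump -A -n -s 1500 dst port 25` output, modelled on the post's
    # lines (binary header bytes shortened; 192.0.2.10 and 198.51.100.7 are documentation IPs).
    SAMPLE = """\
    20:47:16.431741 IP 66.64.240.218.8119 > 192.0.2.10.smtp: P 99:124(25) ack 655 win 64881
    E..A%.@.p...B@..EI........<d..X.P..q....AUTH LOGIN ZmVyZ3Vzb24=
    20:47:16.577650 IP 66.64.240.218.8119 > 192.0.2.10.smtp: P 124:142(18) ack 673 win 64863
    E..:&.@.p...B@..EI........<}..X.P.._....ZmVyZ3Vzb24xMjM=
    20:47:17.002100 IP 198.51.100.7.40210 > 192.0.2.10.smtp: P 1:13(12) ack 1 win 65535
    E..4..@.....AUTH LOGIN
    20:47:17.120000 IP 198.51.100.7.40210 > 192.0.2.10.smtp: P 13:23(10) ack 19 win 65535
    E..2..@.....ZXJpYw==
    20:47:17.240000 IP 198.51.100.7.40210 > 192.0.2.10.smtp: P 23:35(12) ack 37 win 65535
    E..4..@.....ZXJpYzEyMw==
    """
    HEADER = re.compile(r"^\d\d:\d\d:\d\d\.\d+ IP (\d+(?:\.\d+){3})\.\d+ > ")
    AUTH = re.compile(r"AUTH LOGIN(?:\s+([A-Za-z0-9+/=]+))?\s*$", re.IGNORECASE)
    TOKEN = re.compile(r"([A-Za-z0-9+/=]{2,})\s*$")  # bare base64 line that follows AUTH LOGIN

    def b64(token):
        try:  # validate=True rejects lines that are not base64 (EHLO, MAIL FROM, DATA text)
            return base64.b64decode(token, validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError subclass
            return None

    def extract_auth_attempts(lines):
        """Return (client_ip, username, password) for each completed AUTH LOGIN exchange;
        only cleartext sessions are visible, anything after STARTTLS is opaque to tcpdump."""
        attempts, pending, client = [], {}, None
        for line in lines:
            m = HEADER.match(line)
            if m:                       # packet header: note which client sent the payload
                client = m.group(1)
                continue
            m = AUTH.search(line) if client else None
            if m:                       # "AUTH LOGIN" alone, or with the username inline
                pending[client] = {"user": b64(m.group(1)) if m.group(1) else None}
                continue
            state = pending.get(client)
            value = b64(m.group(1)) if state and (m := TOKEN.search(line)) else None
            if value is not None and state["user"] is None:
                state["user"] = value   # first token after a bare AUTH LOGIN is the username
            elif value is not None:     # second token is the password: one attempt complete
                attempts.append((client, state["user"], value))
                del pending[client]
        return attempts

    if __name__ == "__main__":  # live: tcpdump -l -A -n -s 1500 dst port 25 | python3 smtp_auth_watch.py
        print(extract_auth_attempts(sys.stdin))
    ```

    tcpdump's -l flag makes it line-buffer its output so the pipe is read as packets arrive; the decoded values are attacker-supplied strings, so log them but never pass them to a shell unescaped.
    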
     
  2. keddie

    keddie Well-Known Member

    This is a really useful post, thank you for the information re: tcpdump.

    I'm also seeing an increase in the frequency and sophistication of SMTPAUTH attacks. I have one ongoing at the moment following the pattern you're describing, where one host gets blocked, another is picking up where it left off.

    The current attack has been going on for around 8 hours. Fortunately, CSF is taking it in its stride and progressively banning the IPs with little additional load on the server.
     