The Community Forums

Interact with an entire community of cPanel & WHM users!

Brute force attacks on the SMTP

Discussion in 'Security' started by sehh, Dec 10, 2012.

  1. sehh

    sehh Well-Known Member

    Feb 11, 2006
    In the past 6 months we've seen an increase in brute force attacks on SMTP (Exim in this case), which have evolved into a somewhat more sophisticated variant than before.

    First of all, the attacker is using multiple systems that share data about the attack between them, so one system picks up where the previous one left off (for example when its IP address gets blocked).

    I'm writing this in case anyone else would like to monitor these attacks. I've come up with the following way to do this:

    # -A prints each packet's payload as ASCII, -n skips DNS lookups, -s 1500 captures whole frames
    tcpdump -A -n -s 1500 dst port 25

    The above command uses tcpdump to monitor connections to port 25 (Exim) and filters packets based on a few strings that I thought were useful.

    The output looks like this:

    20:47:16.431741 IP > your.ip.address.smtp: P 99:124(25) ack 655 win 64881
    E..A%.@.p...B@..EI........<d..X.P..q....AUTH LOGIN ZmVyZ3Vzb24=
    20:47:16.577650 IP > your.ip.address.smtp: P 124:142(18) ack 673 win 64863
    The above is explained as follows: the client sends AUTH LOGIN followed by the username (the server replies with a 334 command, not seen here because we told tcpdump to show only incoming commands) and then sends the password. Both username and password are base64 encoded. Now you have to decode the two strings with the base64 command:

    echo 'ZmVyZ3Vzb24=' | base64 -d
    echo 'ZmVyZ3Vzb24xMjM=' | base64 -d
    Thus, the client IP address is testing username "ferguson" with password "ferguson123".

    Another client is testing the username "eric" with the following combinations of passwords:

    I hope this is helpful to others. If anyone knows how to run base64 in real time while tcpdump is running, it would be nice if you could post it. Also helpful would be a way to target the login procedure without having to watch the rest (DATA commands etc.).
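sehh asks above how to decode the base64 while tcpdump is still running and how to watch only the login step. The Python script below is an added example, not code from the original post nor from cPanel or Exim: it reads `tcpdump -l -A -n` output on stdin, keeps per-client state for each AUTH LOGIN dialogue (with or without an initial response) and for AUTH PLAIN, and prints the decoded username and password as soon as an attempt completes, ignoring everything that is not part of the AUTH exchange. The script name smtp_auth_watch.py, the handling of tcpdump's text format (including the header bytes that -A prints as junk in front of every payload and the bare ACK packets that carry no data), and the sample capture with RFC 5737 addresses are assumptions made for this example.

```python
# Decode SMTP AUTH LOGIN / AUTH PLAIN attempts from tcpdump's -A output as it arrives:
#   tcpdump -l -A -n -s 0 dst port 25 | python3 smtp_auth_watch.py
import base64
import binascii
import re
import sys

# Packet summary line "<time> IP <src.port> > <dst.port>: ..."; the payload length is
# "(25)" in the old output format shown in the post, "length 25" in newer tcpdump.
PKT_RE = re.compile(r'^\d\d:\d\d:\d\d\.\d+ IP6? (\S+) > (\S+):')
LEN_RE = re.compile(r'\((\d+)\)|length (\d+)')
AUTH_RE = re.compile(r'AUTH (LOGIN|PLAIN)(?: ([A-Za-z0-9+/=]+))?\s*$', re.IGNORECASE)
B64_RUN_RE = re.compile(r'([A-Za-z0-9+/]+=*)\s*$')   # base64 run ending a payload line


def decode_token(run):
    # -A prints the IP/TCP header bytes as junk before the payload; a base64-looking
    # header byte can fuse with the token, so trim from the left until it decodes.
    for trim in range(8):
        cand = run[trim:]
        if len(cand) < 4 or len(cand) % 4:
            continue
        try:
            text = base64.b64decode(cand, validate=True).decode('utf-8')
        except (binascii.Error, ValueError):
            continue
        if all(c.isprintable() or c == '\x00' for c in text):
            return text
    return None


class AuthWatcher:
    """Per-client state machine over tcpdump lines; collects (src, mech, user, password)."""
    def __init__(self):
        self.src = None        # host whose payload lines are being read, or None
        self.pending = {}      # src -> [mech, username-or-None] while mid-dialogue
        self.attempts = []

    def feed(self, line):
        m = PKT_RE.match(line)
        if m:
            lm = LEN_RE.search(line)
            nbytes = int(lm.group(1) or lm.group(2)) if lm else 0
            # Bare ACKs carry no data: their header junk must not be read as a token.
            self.src = m.group(1).rsplit('.', 1)[0] if nbytes else None
            return None
        if self.src is None or not line.strip():
            return None
        am = AUTH_RE.search(line)
        if am:
            self.pending[self.src] = [am.group(1).upper(), None]
            return self._token(am.group(2)) if am.group(2) else None
        if self.src in self.pending:
            rm = B64_RUN_RE.search(line)
            if rm:
                return self._token(rm.group(1))
            self.pending.pop(self.src)         # some other command: dialogue is over
        return None

    def _token(self, run):
        src, text = self.src, decode_token(run)
        mech, user = self.pending[src]
        if text is not None and mech == 'LOGIN' and user is None:
            self.pending[src][1] = text        # LOGIN: first token is the username
            return None
        self.pending.pop(src)                  # every other outcome ends the dialogue
        if text is None:                       # "*" abort, or not base64 at all
            return None
        if mech == 'PLAIN':                    # one shot: authzid \0 authcid \0 password
            parts = text.split('\x00')
            if len(parts) != 3:
                return None
            user, text = parts[1], parts[2]
        self.attempts.append((src, mech, user, text))
        return self.attempts[-1]


def parse_dump(text):
    w = AuthWatcher()
    for line in text.splitlines():
        w.feed(line)
    return w.attempts


# Constructed sample (RFC 5737 addresses, not the post's capture): one host sends AUTH LOGIN
# with an initial response, a bare ACK, then a password line with a header byte fused onto
# the token; a second host uses AUTH PLAIN.
SAMPLE = """\
20:47:16.431741 IP 203.0.113.5.49812 > 198.51.100.10.25: P 99:124(25) ack 655 win 64881
E..A%.@.p...B@..EI........<d..X.P..q....AUTH LOGIN ZmVyZ3Vzb24=
20:47:16.577650 IP 203.0.113.5.49812 > 198.51.100.10.25: . ack 673 win 64863
E..(%.@.p...B@..EI........<d..X.P..q
20:47:16.577700 IP 203.0.113.5.49812 > 198.51.100.10.25: P 124:142(18) ack 673 win 64863
E..:%.@.p...B@..EI........<d..X.P..qZmVyZ3Vzb24xMjM=
20:47:20.000000 IP 192.0.2.9.40000 > 198.51.100.10.25: P 1:42(41) ack 1 win 65535
E..Q..@.@.......EI.......<d..X.P....AUTH PLAIN AGVyaWMAcGFzc3dvcmQx
"""

if __name__ == '__main__':                     # live use: tcpdump's output on stdin
    for a in filter(None, map(AuthWatcher().feed, sys.stdin)):
        print('%s  AUTH %s  user=%r  password=%r' % a, flush=True)
```

The `-l` flag makes tcpdump line-buffer its output so the script sees each packet as it is captured rather than in 4 KB chunks. Run on SAMPLE, the script reports ferguson/ferguson123 from 203.0.113.5 and eric/password1 from 192.0.2.9; the base64 tokens are only ever decoded inside an AUTH dialogue, so EHLO, MAIL FROM and DATA traffic never reach the decoder.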
  2. keddie

    keddie Well-Known Member

    Nov 17, 2007
    This is a really useful post, thank you for the information re: tcpdump.

    I'm also seeing an increase in the frequency and sophistication of SMTPAUTH attacks. I have one ongoing at the moment following the pattern you're describing, where one host gets blocked, another is picking up where it left off.

    The current attack has been going on for around 8 hours. Fortunately, CSF is taking it in its stride and progressively banning the IPs with little additional load on the server.
