  1. #1

    Question: Some sort of new SMTP DoS attack?

    Hey guys, I just came across this happening on one of my servers. I have never seen it before. The IPs seem to be spoofed, since I took a tcpdump and some of the IPs that appear in the exim_mainlog don't appear in the dump; however, I am not sure how to go about this.

    It doesn't really do anything; the server doesn't go down, but I just don't like shady stuff happening at all.

    Anybody seen this before?

    2013-09-27 06:48:16 SMTP syntax error in
    "/\275\377z\005:\233\vH8\032\f\364K<~\3104\030\r\030\231\260\rW\227\322\177\230\225\256\016\347\371F\017\007\364\252\020\346 \002\210e\360\250\021\367X\\021@\213\364\021\241\307\377\2037\317\225\204\007\270q\023\266\313\223\205\237\311\022\206\313\262\221\206\033\027\207\025 Z\025\006\026\233\023\205\026?\016\351\027\035\200\200\227\233p?\031S\204*\225\355p\274\212<\325\261\031|\3230\032\275A\255\232\376\317.\033Th\340\033 1/+\035\316\340\302\234\300\221B\036\361!n\232\362\215@\037f\037l\233-\244p\237nb\357\237\257\360p \004\357\357 2\355n!\177Q\007"\300O\206"\021N\005#BL\204#\203J\003$\321\256\233$\022\255\032%S\253\231%\241\0172&\342}\256\246\360 \323\230\002VY\244+\377\330\244\027m\306(4\333B\251\221f\251*\315\336\354\246\334\214s\247\271X\354\247J\261j\250\301T\352\250E(\326-V)p-\227'\357-\330%n.&\212\006/g\210\205/\250\206\0040\351\204\20307\351\0331x\347\2321\271\345\0312\007J\2622HH13\211F\2603\312D/4\030Y\305\264Y\247F5\232\245\3055\333\243D6)\b\3356j\006\7[\001\3008\354\002Z8,\001\3318\223S\002\266\274\361\201\266\374ao:8\356\177\267\261\232\027\270\234\255\226\270>\276i=]%\035=\264#\235=\336!\033>\037 \232>m\2042?\256\202\261?\357\[email protected]\177\257@~\343GA\277\341\306A?\340EBA\336\304B\202\334CC\320@\334C\021?[DR=\332D\223;YE\341\237\361E"\236pFc\234\357F\261?\210G\362\376\006H3\375\205H\201a\036I\302_\235I\003^\034JD\\233J\205Z\032K\323\276\262K\024\2751LU\ 273\260L\226\271/M\344\035\310M%\034GNf\032\306N\247\030EO\365|\335On{\P\232y\333P\333wZQ\346\330.RG\332qR\210\330\360R`\017" H=[109.86.30.113]:1365 I=[MY_IP]:25 NULL character(s) present (shown as '?')
    2013-09-27 06:48:16 SMTP syntax error in "\1770\026"c\306\361n\251;\020B\204\333Z\300Y0\031q\301\323\204\v\030ZTHo\340#\205\300\033g\364\260\220KS\233\323\207Z\222\001\270g\3064ksws\331}_\265 `\203V\343\220\220\375g\376\352\001\357\341\336\274\205N\316\203\007\257\303<\225M\266\177*\202\245:\301\356\224\304=\314\213B\317\265|\300`\237m{\367 \v]\005t\351S \373\314G\r\202\260;\020]U+\314\237?\037\223!a\024\213\275P\002\311\377xR\315\206\F\016\023\3038\311\251/(O;\031\031\016\275y\016\341)\316 S\320\303\364?sn\341\036\331\007\336\245\236\240\323\335\366W\301[\210A\262\331\031+\243c\226\b\232\337\036$\216\234\276^zv\177tq\355\274\234f\234h\025P\032\372\376@\034x\0248k\370<-\335\2362\030[0\034 \234\274\202\373&9`\362[\332\322\336Sv\302\314\335\362\237\303*j\372\273\331\025s\245\vm\247\357\322\356\007\345Z\334\211\263\252\\352\250\242\370\331\226\246\177\275\2120\37 4\232\201\337\247\023k 4z]\234\274\225Q\2567;H \33603\333t\235"\337\373\200\026\262h\325\021$\017\313\374Y\260=\351\343,\033\340\263\342*\332(@e\306\254\346Z\261\202\272){\030"\373w\323\270gg\327?K[a\274(R\3538\006I\330\035\2615\022X\216,\256\3359 \276O\021\0321*\266 \225\002\325>\325\267\3448\364\313\3649\255Y\223,\022\320\265$\317F\020\035Y\303%\024\037m\005u\236\3267\372\337b\236\354\357\304sf\367l\346\325,\001\ r)h\177\3053\302\353\200\267B}j\250\215\364i\022\332k\037\231|\371\211\213\017{\352\200x<\250\344i~\253kx\376(\3347\310\037O\373\223\202\264v\244\324\ 257F\033\2260\270\267\036\226\241C\205\210" H=[122.161.166.247]:26584 I=[MY_IP]:25 NULL character(s) present (shown as '?')
    2013-09-27 06:48:16 SMTP syntax error in "\300ny\242'\233\004\036\271\204\365\273\345\214\2248D\\224\317\316E\002\003b\254wA\371\033\350\252Y\b\327f\360\317Tub\247N\266\336\v\301XA\323C\241\3 72a6\004L\033-\336\240~\234\333?S\034IcM\210%.\b\r\037Cy}"\360\277wo\227\035p\177\031\367\351N\260c\331\032\b\254\332\340\211\f\320^\033\366\3005\235V\266\370 \253\261\263\240\027\241I\b\351\235\307\231\322\216\024\021-\207U\235\223y\242\004\354\3612\363\365U\237dJ\341G\311\206\326LD`\315\231\315G\301;&)9}C\0070\244Pe\241Zk]\020@-.\rzY\022\001\300:\331\177\016\317Ao\346;\226j_\315\177[o?WU\355\[email protected]\2038\022C\001\312\3733\310K\)R\3109 %5\216\033\257\261k\022v3\314\007\364\304\265\370\3071" H=[122.161.166.247]:26584 I=[MY_IP]:25 unrecognized command
    2013-09-27 06:48:16 SMTP syntax error in "\364\024i_lU5\313\336\323\306\264\317\3438\214\311\252\272\354\276(L\326\257\247\375\255)\312m\201#\331\337X\035E\345\253\312{j\306\243Z\242< \340\032k]YH\2046QB\236\017I*\037rh\022\270I\025\350I'\017\310\337\001\343\242\363\335=s\001\275\005c!\223\315RAi\255\030IK\276\370\337%\f\336\371\376\324\315\0 31\325\361\230\244\265\002y;\220\326SOl\333H\362@\370\023}! \364\023\374&\277\236\334\261\251;\264\vzI\223\034Z\340m-:wH\246\245\243\325={4\263\227KB\222\3450\kp\033\371B\215\346\203#\236\306\032\376f\266:\324\264\233T\255\321f\337\215\326[\202b0,\220A5!3\026 \374F\362\032\334\335\314\254\254\353\253_\234\v\202\366q\234_\304NK:\3651\312\024\205\034g\354\336\311\373D\016\320\246\244}\3431}>\247\310S\261z\324 \260\304Wm\r4D" H=[122.161.166.247]:26584 I=[MY_IP]:25 unrecognized command
    2013-09-27 06:48:16 no host name found for IP address 117.203.178.103
    2013-09-27 06:48:16 SMTP syntax error in "\372\310\353\351\177C\300\362\234\215\311\372\2118i\004O\261\274\rI\302u\027\253\003\372!\245\024\263+k\215\0065\242\243B=\262\2072E\351\235nM\371\20 1^Uc8\204]M\342\243ej,\255m#?\347v3#\327~Pm\340\206\207\203\034\217\034\317(\227\301\027/\237\336a8\247s\316\214\257\030\366J\267(\332:\277E$D\307U\b4\317rR=\327\2026-\337G\3059\347\267d&\357\314\256/\367\366^R\377S\253\246\007#\215K\017\332\305\322\027\221\271\303\037\2277\232'\276\347\274/\016\316\3677\363\025\266?s\373\250G\350F\372O\030$?Y=\210\272\326UV\252\336t\240\241o\202\204\221w\237\316\232\177\301\030\244\207\365\022\246\006\35 3F\235\227\371*\237\0261A\311\247\305\214\325\257]o\302\267\266C)\304\306'\031\314\360\327;\324?\274+\334ClN\344-\352$\354W\232G\364g~7\374\221.Z\004q\025\225\f\276\S\0249BC\034\353\212L$\373n<,\030\271E4Bih<RMXD|\375zL\367|TT\251+t\\271\017dd\343\277\206l\005\24 4vt\020\356\177| \332o\204=\034y\214Zf\202\224\321\237 \235\256\306\307\244\315\376N\255b(X\2659=I\275\226" H=[117.203.178.103]:1788 I=[MY_IP]:25 NULL character(s) present (shown as '?')
    2013-09-27 06:48:16 SMTP syntax error in "\254\313\302\250L\324\2247$\334\036 \222\344p\333l\354RJ\327\364<\370\256\374\326\247\321\004?X?\r\246\001x\026k\217\037\037A\367\237(\2523\331\253\254\374\373\263\3348pA\334\034\355\307 D\341\357\302\036D\240[C\216^c\266\363\330\332h\274Wsz\240G{\006\371\361\366\234a#\215\273\253,\225\274)\250\016\331s\f\245\341\352\336\256\307]\022\272A\301\3717\202's\311\257\335\265\317\021 \230\331M\254\240R\370\315tZc\004Z\360\313*\270kOvBs0y\377z\037$\372\022\375h\200\034\323\305\303-\260\324^8A\3229\276&\b\333FE\321.\311S\331\201\305 \363\032[\275\fYbe\240{\351\032\332\273p7%#x\033\244\177\200,\241W\006xq\342\216\035\035Q\021\222\244^\235m\353\263\037\233U[*C \2031\370B\303\270\264\366\347\277V\020&\307" H=[117.203.178.103]:1788 I=[MY_IP]:25 NULL character(s) present (shown as '?')
    2013-09-27 06:48:16 SMTP syntax error in "*d\316\262\335\210\325w\367\306\334\017\253\353\343\304\304)\353lxN\362!\222\214\371\326\253\312?\213\305\b\b@\277D\217\302\r*\210N1\354\035\247(b&\0 24F?,\310\366\3044\211\0013\267\351UX\276\315\340\004I\367\210\324\314\357\226\370\323\332U7\333\305\336DgA\216\004o\355A)v\221\365M}\331j\237\207\250 P\020\217P\0045\226\370\267Y\235\240k~\244H\037\243\253\360\322\307\262\230\206\354\271@:\021\301\350\3555\310\220\241Z\31785zV\340\b\244\335\210\274\ 310\3440p\355\353\330#\022\363\200\3276\372\330\207\274\002\320>\200\bw\362\244\0178\224Z\223\310\347\177\232|s,%\037\265\342\250\362\260\006\260Dy+\2 67\265o\353C.&\257I\354\331\324P}\215\370W%A\035_\332Z[f\202\016\200m*\302\244t\322u\311{z)\356\202"\335\022\212\312\2207\221rD\\230\032\370\200\237\302\253\245\246j_\312\255\022\023\357\264\272\306\023\27 4bz8\303" H=[117.203.178.103]:1788 I=[MY_IP]:25 NULL character(s) present (shown as '?')
    2013-09-27 06:48:16 SMTP syntax error in ".]\312\262\341\201\321Z\225\246\330\002I\313\337\252\374\357\346R\260\024\356\372c9\365\242\027^\374J\313\202\003\362~\247" H=[117.203.178.103]:1788 I=[MY_IP]:25 unrecognized command
    2013-09-27 06:48:16 SMTP call from [117.203.178.103]:1788 I=[MY_IP]:25 dropped: too many syntax or protocol errors (last command was ".]ʲ▒▒Z▒▒▒I▒ߪ▒▒▒R▒▒▒c9▒^▒J˂▒~▒")
    2013-09-27 06:48:17 SMTP connection from [109.99.141.170]:3765 I=[MY_IP]:25 (TCP/IP connection count = 18)

  2. #2
    We're seeing a LOT of this as well on our SMTP gateways.

    It does appear to be an attempt at DDoS against some of our systems (clients?). So far we've counted around 220k hosts. They appear to retry again after around 10-20 minutes.

    We're currently dropping connections by delaying the banner by 5 seconds. If there is any data in this time, or if the first 5 characters from the client connection do not match a valid SMTP command (HELO or EHLO), the connection is dropped and the /24 is blackholed.
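The two things this thread boils down to, as an added example that is not code from either poster: counting the "SMTP syntax error" lines in exim_mainlog per client and rolling them up to the /24 that post #2 blackholes, and the banner-delay rule post #2 describes (drop if anything arrives before the banner, or if the first five bytes are not "HELO " / "EHLO "). The sample log lines are constructed to mimic the format shown above, with the binary payloads shortened and the server address replaced by a documentation IP; the regexes, the function names and the threshold are this example's own choices.

```python
"""Triage helpers for the exim_mainlog pattern in this thread.

Added example (not code from either poster). Two parts:
  parse_mainlog / offenders_by_cidr  - count "SMTP syntax error" lines per
      client and roll them up to /24, the granularity post #2 blocks on.
  early_talker_verdict               - post #2's banner-delay rule: drop if any
      bytes arrive before the banner is sent, or if the first 5 bytes of the
      first command are not "HELO " / "EHLO ".
The sample log below is constructed to mimic the format shown in the thread;
payloads are shortened and the server IP is a documentation address.
"""
import ipaddress
import re
from collections import Counter

SAMPLE_LOG = r"""
2013-09-27 06:48:16 SMTP syntax error in "\275\377z\005:\233" H=[109.86.30.113]:1365 I=[192.0.2.10]:25 NULL character(s) present (shown as '?')
2013-09-27 06:48:16 SMTP syntax error in "\1770\026" H=[122.161.166.247]:26584 I=[192.0.2.10]:25 NULL character(s) present (shown as '?')
2013-09-27 06:48:16 SMTP syntax error in "\300ny\242" H=[122.161.166.247]:26584 I=[192.0.2.10]:25 unrecognized command
2013-09-27 06:48:16 SMTP syntax error in "\364\024i_lU5" H=[122.161.166.247]:26584 I=[192.0.2.10]:25 unrecognized command
2013-09-27 06:48:16 no host name found for IP address 117.203.178.103
2013-09-27 06:48:16 SMTP syntax error in "\372\310\353" H=[117.203.178.103]:1788 I=[192.0.2.10]:25 NULL character(s) present (shown as '?')
2013-09-27 06:48:16 SMTP syntax error in ".]\312\262" H=[117.203.178.103]:1788 I=[192.0.2.10]:25 unrecognized command
2013-09-27 06:48:16 SMTP call from [117.203.178.103]:1788 I=[192.0.2.10]:25 dropped: too many syntax or protocol errors (last command was ".]")
2013-09-27 06:48:17 SMTP connection from [109.99.141.170]:3765 I=[192.0.2.10]:25 (TCP/IP connection count = 18)
2013-09-27 06:49:02 SMTP syntax error in "\021\002" H=[117.203.178.104]:2201 I=[192.0.2.10]:25 NULL character(s) present (shown as '?')
"""

# Exim mainlog shapes seen in the thread. The quoted payload can itself contain
# double quotes, so ".*" is greedy and anchors on the trailing ' H=[' instead.
SYNTAX_ERR = re.compile(
    r'^(?P<ts>\S+ \S+) SMTP syntax error in ".*" H=\[(?P<ip>[^\]]+)\]:(?P<port>\d+) '
    r'I=\[[^\]]+\]:\d+ (?P<reason>.+)$')
DROPPED = re.compile(
    r'^(?P<ts>\S+ \S+) SMTP call from \[(?P<ip>[^\]]+)\]:\d+ I=\[[^\]]+\]:\d+ '
    r'dropped: too many syntax or protocol errors')


def parse_mainlog(text):
    """Return (syntax errors per client IP, set of IPs Exim dropped, reasons)."""
    errors, reasons, dropped = Counter(), Counter(), set()
    for line in text.splitlines():
        m = SYNTAX_ERR.match(line)
        if m:
            errors[m["ip"]] += 1
            reasons[m["reason"]] += 1
            continue
        m = DROPPED.match(line)
        if m:
            dropped.add(m["ip"])
    return errors, dropped, reasons


def offenders_by_cidr(errors, prefix=24, threshold=1):
    """Roll per-IP error counts up to /prefix networks (post #2 blocks whole
    /24s). Returns {network: count} for networks at or above threshold."""
    nets = Counter()
    for ip, n in errors.items():
        nets[str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))] += n
    return {net: n for net, n in nets.items() if n >= threshold}


VALID_FIRST = (b"HELO ", b"EHLO ")


def early_talker_verdict(pre_banner_bytes, first_command):
    """Post #2's rule. pre_banner_bytes is whatever the client sent during the
    banner delay; first_command is the first line read after the banner.
    Returns (accept, reason). RFC 5321 clients wait for the greeting, so an
    early talker is never a legitimate MTA."""
    if pre_banner_bytes:
        return False, "data sent before banner (early talker)"
    if first_command[:5].upper() not in VALID_FIRST:
        return False, "first command is not HELO/EHLO"
    if b"\x00" in first_command:
        return False, "NUL byte in command"
    return True, "ok"


def main():
    errors, dropped, reasons = parse_mainlog(SAMPLE_LOG)
    print("syntax errors per client:", dict(errors))
    print("dropped by Exim:", sorted(dropped))
    print("reasons:", dict(reasons))
    print("/24s with >= 2 errors:", offenders_by_cidr(errors, 24, threshold=2))
    for pre, first in [(b"", b"EHLO mail.example.org\r\n"),
                       (b"\275\377z", b""),
                       (b"", b"\300ny\242")]:
        print(repr(first[:8]), "->", early_talker_verdict(pre, first))


if __name__ == "__main__":
    main()
```

Two practitioner notes. Exim has built-in counterparts to post #2's rule: `smtp_enforce_sync` (on by default) drops a client that sends before the banner or before a response, a `delay = 5s` in `acl_smtp_connect` gives that check time to bite, and `smtp_max_synprot_errors` (default 3) is what produced the "dropped: too many syntax or protocol errors" line in post #1; only the /24 blackholing needs the external counter, and a whole /24 is a blunt block that will take out any legitimate MTA sharing the prefix. On the spoofing question in post #1: every H= address here completed a TCP handshake and then delivered data, which cannot be done with a forged source the way a SYN flood can, so those addresses are the real peers and a capture filtered on port 25 over the same window should contain them.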
