How to stop a just-started brute force on 0.0.0.0 with a very old mail address that isn't even there anymore

ikkeben

So for years now the domain and mail have been moved away from this server.

Brute force attacks on that very old mail address just started on 6-12-2021.

How to stop this on 0.0.0.0?? Lots of different hacked origin IPs are used, so I can't block on IPs alone!

From IP 0.0.0.0, where DNS and MX for the domain have been on a totally different server (hosting elsewhere) for many years now,

(in the PAST, years ago)
So they must have found the history, or the hacked email lists also contain the origin server from those years ago. (That one account from that domain was hacked locally on the Windows desktop (so not on the DA server); another company did the IT service, and spam mails were sent from the Outlook client on that Windows desktop. I warned that customer within hours. That IT service company succeeded in taking over that client, while they themselves had failed to protect it and to audit that a local workstation was hacked.)

Example:

2021-12-06 09:09:17 login authenticator failed for ([0.0.0.0]) [222.252.31.9]: 535 Incorrect authentication data (set_id=gggexample@gggg)
 
Seems spoofed; it's not 0.0.0.0 but 222.252.31.9 which is causing the issue. Just block that IP in your firewall and you should be good.

So for years now the domain and mail have been moved away from this server.
That is odd. Are there totally no records left on the server? If not, then it's fine; it's just brute force on old data. Maybe that's why the 0.0.0.0 appears, because the accounts do not exist anymore, I'm not sure.

But the brute forces should be blockable by blocking that IP or, maybe better, the whole IP range 222.252.0.0/19.
Maybe you block the whole of VN like that, not sure, but knowing you, you probably don't do business with VN anyway.
 
Seems spoofed; it's not 0.0.0.0 but 222.252.31.9 which is causing the issue. Just block that IP in your firewall and you should be good.

But the brute forces should be blockable by blocking that IP or, maybe better, the whole IP range 222.252.0.0/19.
Maybe you block the whole of VN like that, not sure, but knowing you, you probably don't do business with VN anyway.
Yup, normally it should be this:

login authenticator failed for ([212.192.246.9]) [212.192.246.9]: 535 Incorrect authentication data (set_id=hotel)

If spoofed, there are very, very many IPs and ranges.
It is not one range or one IP, so a hacker farm here with lots of IPs and ranges.

Some:

login authenticator failed for ([0.0.0.0]) [14.161.16.121
login authenticator failed for ([0.0.0.0]) [117.102.108.187]:
login authenticator failed for ([0.0.0.0]) [222.252.31.9]:
login authenticator failed for ([0.0.0.0]) [61.195.228.94]:

But so strange, while that domain and mail are with another hoster, also resolving DNS there with an MX to Outlook.

So how could they know, and then do this on a very old user, starting after years of not being in use, where that email account itself was hacked years ago on their Windows desktop?

So somewhere on the web there must be lists, yes I know, with hacked email accounts, but those lists must then also contain hostname/IP address information from years ago???

(That email address with the hacked Windows client was then blocked at our box years ago after an hour, because limits were exceeded.)

Whereas a lot of IT staff working for government forget to do this these days, and so more than 60000 hack/spam mails go out from a hacked account before they know it, haha.
 
How to block?
You don't. At least not the 0.0.0.0 part.
That 0.0.0.0 is totally not important; it's the real IP that matters. The 0.0.0.0 can also be 127.0.0.1, for example, in the case of local webmail.
The real abuser is the ip behind it.

Just use CSF's and DA's brute force attack protection, because they will look at the real IPs used and not the IP between the brackets (which is 0.0.0.0).

Yup, but that 0.0.0.0 is so strange to me.
Well... you found the explanation of what it is yourself. You posted the link.
 
I didn't see any CVE exploit, only a question and answer and a link in the question which did not work.
Scroll, and it is about FTP ;)
At our box it is Exim.
If I were to guess, as I have not done the challenge, but based off of the first link provided, the exploit went something like this:


  1. Exploit CVE-2003-0533 - shellcode to bind port TCP 1957 as a shell. (maybe the attacker knew this port wasn't blocked by a firewall?)
 
Exploit CVE-2003-0533 - shellcode to bind port TCP 1957 as a shell.
Port 1957 isn't normally used and is by default blocked by the CSF firewall.
So if it can't be used for FTP, it can't be used for Exim either, since that port is closed.
 
Port 1957 isn't normally used and is by default blocked by the CSF firewall.
So if it can't be used for FTP, it can't be used for Exim either, since that port is closed.
No, not that; the other ports there are only an example, but as it started at our box this was in the Exim logs (so not FTP or another port).

I wonder if the 0.0.0.0 (spoofed/false IP address) is coming from the boxes that are hacked to do this Exim brute force attack, or from something in our DA box that doesn't see it right.
I only see this 0.0.0.0 for those same hack attempts on that one email address in the Exim logs.
 
I've looked up that CVE and can only find it for Windows; can't find it for Linux that quickly.

The 0.0.0.0 is coming from the originating system, as the IP between the brackets normally always displays the originating system. Hence why you see 127.0.0.1 there if the originating system is your webmail.
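An added example (not from this thread, nor from DirectAdmin, CSF or fail2ban) showing the distinction the replies above make: a small Python parser for Exim "authenticator failed" lines that counts failures by the real peer address in square brackets, ignores the self-announced host in parentheses (0.0.0.0 here, 127.0.0.1 for local webmail), and never proposes blocking loopback. The sample log is constructed from the lines in the thread plus invented repeats, and the block threshold is an assumption.

```python
import re
from collections import Counter

# Exim failed-login line as shown in the thread. The host in parentheses is what the
# client announced about itself; the address in square brackets is the real TCP peer.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<auth>\w+) authenticator failed for "
    r"(?:(?P<rdns>\S+) )?\((?P<claimed>[^)]*)\) \[(?P<peer>[^\]]+)\]: "
    r"535 Incorrect authentication data \(set_id=(?P<user>[^)]*)\)$"
)

def parse_line(line):
    """Fields of one failed-login line, or None for any other Exim log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["claimed"] = rec["claimed"].strip("[]")  # "[0.0.0.0]" -> "0.0.0.0"
    return rec

def failures_by_peer(lines):
    """Count failures per real peer IP and remember which set_id values each one tried."""
    counts, users = Counter(), {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        counts[rec["peer"]] += 1
        users.setdefault(rec["peer"], set()).add(rec["user"])
    return counts, users

def peers_to_block(lines, threshold=3, ignore=("127.0.0.1", "::1")):
    """Peers with at least `threshold` failures, never loopback (that is your own webmail)."""
    counts, _ = failures_by_peer(lines)
    return sorted(ip for ip, n in counts.items() if n >= threshold and ip not in ignore)

# Constructed sample: the line from the thread plus invented repeats, a local
# webmail failure, and an unrelated delivery line that the parser must skip.
SAMPLE_LOG = """\
2021-12-06 09:09:17 login authenticator failed for ([0.0.0.0]) [222.252.31.9]: 535 Incorrect authentication data (set_id=gggexample@gggg)
2021-12-06 09:09:21 login authenticator failed for ([0.0.0.0]) [222.252.31.9]: 535 Incorrect authentication data (set_id=gggexample@gggg)
2021-12-06 09:09:30 login authenticator failed for ([0.0.0.0]) [222.252.31.9]: 535 Incorrect authentication data (set_id=gggexample@gggg)
2021-12-06 09:10:02 login authenticator failed for ([0.0.0.0]) [14.161.16.121]: 535 Incorrect authentication data (set_id=gggexample@gggg)
2021-12-06 09:12:44 login authenticator failed for ([127.0.0.1]) [127.0.0.1]: 535 Incorrect authentication data (set_id=hotel)
2021-12-06 09:12:50 login authenticator failed for ([127.0.0.1]) [127.0.0.1]: 535 Incorrect authentication data (set_id=hotel)
2021-12-06 09:12:55 login authenticator failed for ([127.0.0.1]) [127.0.0.1]: 535 Incorrect authentication data (set_id=hotel)
2021-12-06 09:13:00 <= sender@example.invalid H=mx.example.invalid [198.51.100.7] P=esmtp S=1234
""".splitlines()
```

Calling `peers_to_block(SAMPLE_LOG)` returns only `["222.252.31.9"]`: the three loopback failures are skipped and the single attempt from 14.161.16.121 stays below the threshold.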
 
OK so, you're concentrating on the wrong thing guys; this is an Exim/Dovecot brute force attack, plain and simple. I use a program called "fail2ban"; it does a great job.
 
OK so, you're concentrating on the wrong thing guys; this is an Exim/Dovecot brute force attack, plain and simple. I use a program called "fail2ban"; it does a great job.
CSF and DA brute force protection here.

Very quickly changing IPs from that hacker farm, so it takes time! Depending on settings, how strict the block is afterwards...
So much on only one account (where in this case the domain and mail are on a totally different server, mail in Outlook Office 365).

Only history: many years ago that one account was on this box/IP.

The 0.0.0.0 I never had before, hence this topic.

Still curious whether that 0.0.0.0 is generated because of something on the DA box itself, or by the hacked boxes where the attacks (brute force on mail accounts) are originating from, and hence that 0.0.0.0.
 