[lug] imap hacking?

D. Stimits stimits at comcast.net
Wed Jul 16 10:46:32 MDT 2003


Rob Nagler wrote:

> Someone was visiting all my servers trying to hack my imap ports.
> They didn't get in, but I'm wondering if there's a new attack out
> there.
>
> It's coming from a dial in in Germany.  Here's a sample of entries:
>
> Jul 14 08:58:43 my-host imapd[5653]: Login failed: no CRAM-MD5 entry user=web auth=web host=pD9524D51.dip.t-dialin.net [217.82.77.81]
> Jul 14 08:58:43 my-host imapd[5654]: Login failed: no CRAM-MD5 entry user=administrator auth=administrator host=pD9524D51.dip.t-dialin.net [217.82.77.81]
> Jul 14 08:58:43 my-host imapd[5660]: Login failed: no CRAM-MD5 entry user=oracle auth=oracle host=pD9524D51.dip.t-dialin.net [217.82.77.81]
> Jul 14 08:58:44 my-host imapd[5661]: Login failed: no CRAM-MD5 entry user=sybase auth=sybase host=pD9524D51.dip.t-dialin.net [217.82.77.81]
> Jul 14 08:58:44 my-host imapd[5662]: Login failed: no CRAM-MD5 entry user=lizdy auth=lizdy host=pD9524D51.dip.t-dialin.net [217.82.77.81]
>
> I'm running imapd-2001a-1.72.0 for RH 7.2, which was last updated on
> 4/25/02.
>
> Thanks,
> Rob

It looks like it is just someone trying to log in under a series of 
guessed names, and it fails because the users don't exist in your login 
scheme (seeing them try several users in a row makes it pretty obvious 
they are scanning for names: "web", "administrator", "oracle", "sybase", 
"lizdy"...likely they are sending a common default pass or no pass and 
hoping the software was not installed with a pass change). So I'd say it 
is an attempt to crack the app in the simplest way possible.

D. Stimits, stimits AT comcast DOT net
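A detection pass over imapd log lines of the form quoted above, added here as an example and not part of the list post: it flags a source address that tries several distinct usernames within a short window, the username-scan pattern D. Stimits describes, while leaving a single account's repeated password failures alone. The sample lines reproduce the post's entries plus two constructed benign ones; the year is assumed, since syslog omits it, and the window and user-count thresholds are arbitrary choices.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the five entries quoted in the post (one per line)
# followed by two constructed benign failures from a single legitimate user.
SAMPLE_LOG = """\
Jul 14 08:58:43 my-host imapd[5653]: Login failed: no CRAM-MD5 entry user=web auth=web host=pD9524D51.dip.t-dialin.net [217.82.77.81]
Jul 14 08:58:43 my-host imapd[5654]: Login failed: no CRAM-MD5 entry user=administrator auth=administrator host=pD9524D51.dip.t-dialin.net [217.82.77.81]
Jul 14 08:58:43 my-host imapd[5660]: Login failed: no CRAM-MD5 entry user=oracle auth=oracle host=pD9524D51.dip.t-dialin.net [217.82.77.81]
Jul 14 08:58:44 my-host imapd[5661]: Login failed: no CRAM-MD5 entry user=sybase auth=sybase host=pD9524D51.dip.t-dialin.net [217.82.77.81]
Jul 14 08:58:44 my-host imapd[5662]: Login failed: no CRAM-MD5 entry user=lizdy auth=lizdy host=pD9524D51.dip.t-dialin.net [217.82.77.81]
Jul 14 09:12:01 my-host imapd[5701]: Login failed: no CRAM-MD5 entry user=rob auth=rob host=pc.example.net [192.0.2.10]
Jul 14 09:12:09 my-host imapd[5702]: Login failed: no CRAM-MD5 entry user=rob auth=rob host=pc.example.net [192.0.2.10]
"""

# Matches the UW imapd "Login failed" line shape shown in the post.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ imapd\[\d+\]: "
    r"Login failed: .*?user=(?P<user>\S+) .*?\[(?P<ip>[\d.]+)\]$"
)

def parse_failures(text, year=2003):
    """Yield (timestamp, user, ip) for each imapd 'Login failed' line.
    The year is assumed because syslog timestamps do not carry one."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines in other formats are skipped, not misparsed
        stamp = f"{year} {m['mon']} {m['day']} {m['time']}"
        yield datetime.strptime(stamp, "%Y %b %d %H:%M:%S"), m["user"], m["ip"]

def find_username_scans(text, window_seconds=60, min_users=3):
    """Return {ip: sorted distinct usernames} for every source that tried at
    least min_users different usernames within window_seconds. Many failures
    against one account (a user mistyping a password) are not flagged."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(text):
        by_ip[ip].append((ts, user))
    scans = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (t0, _) in enumerate(events):  # slide a window over each start
            users = {u for t, u in events[i:] if (t - t0).total_seconds() <= window_seconds}
            if len(users) >= min_users:
                scans[ip] = sorted(users)
                break
    return scans
```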
