16 Sep

Some black hat script kiddie was trying to brute force one of the bulk mail servers on port 110 (POP3) all night long.

So I did a port scan and found that TCP port 3389 (RDP) was open on the offending machine. I was too curious at this point not to indulge.

I hit the IP with RDP session and it shot me right into the server without authentication. Whoo!

SO I RAN A FORK BOMB:

  :s
  START %0
  GOTO :s

That was all she wrote…

P.S. - Moral of this story is, “Don’t try to hack someone when your machine is 10 times more vulnerable than the victim’s.”

03 Sep

In response to Snort: Simple Rule To Block HTTP Brute Force, here is a similar rule, only for POP3 brute forcing:

alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 Brute Force Attack"; flags: S,12; threshold: type both, track by_src, count 20, seconds 10; classtype: misc-activity; rev:1; sid:1234567890; fwsam: src, 10 minutes;)

HINT: You may have to adjust the threshold by modifying the 'count 20, seconds 10' part to meet your needs. Some brute forcing programs can generate up to 80 logins per second, so it is possible to set the threshold much higher if you are getting false positives.
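To see what "threshold: type both, track by_src, count 20, seconds 10" actually does before tuning it, here is an added example (not from the original post) that emulates that threshold logic in Python over a constructed list of SYN timestamps to port 110. The source addresses, timings and the simplified per-source window handling are assumptions for illustration only.

```python
from collections import namedtuple

Syn = namedtuple("Syn", "ts src")  # ts in seconds, src = source IP (constructed)

# Constructed sample: one source hammering POP3, one normal client.
SAMPLE_SYNS = (
    [Syn(t * 0.1, "203.0.113.7") for t in range(25)]          # 25 SYNs in 2.5 s
    + [Syn(t * 2.0, "198.51.100.9") for t in range(8)]        # 8 SYNs over 16 s
    + [Syn(12.0 + t * 0.1, "203.0.113.7") for t in range(25)] # second burst later
)

def threshold_both(events, count=20, seconds=10):
    """Emulate Snort 'threshold: type both, track by_src, count N, seconds M'.

    type both = fire once per M-second window per source, and only after N
    matching packets from that source have been seen inside that window.
    The window opens on the first packet seen from the source (assumption:
    a simplification of Snort's bookkeeping). Returns a list of (ts, src)
    alerts in time order.
    """
    state = {}   # src -> (window_start, packets_in_window, already_alerted)
    alerts = []
    for ev in sorted(events):
        start, n, alerted = state.get(ev.src, (None, 0, False))
        if start is None or ev.ts - start >= seconds:
            start, n, alerted = ev.ts, 0, False   # open a fresh window
        n += 1
        if n >= count and not alerted:
            alerts.append((ev.ts, ev.src))
            alerted = True                        # suppress until window expires
        state[ev.src] = (start, n, alerted)
    return alerts

if __name__ == "__main__":
    # Default rule tuning: the brute forcer trips the rule once per burst,
    # the slow client never does.
    for ts, src in threshold_both(SAMPLE_SYNS):
        print(f"{ts:6.1f}s  POP3 Brute Force Attack  src={src}")
    # Raising 'count' (as the HINT suggests for false positives) can also
    # hide a real burst that stays under the new count.
    print("alerts with count 30:", threshold_both(SAMPLE_SYNS, count=30))
```

Each burst of 25 SYNs produces exactly one alert (at the 20th packet), and the second burst alerts again only because it falls in a new 10-second window.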
