Distributed login/password attack?

Post by davebonn.. » Sat, 13 Jan 2001 11:06:30


My website is running apache 1.3 on redhat 6.2 and
has simple .htaccess/.htpasswd logins.  It is
sustaining regular automated login/password
attacks.  The majority of these originate from
a single IP for the entire attack.

A more sophisticated attack is now occurring.
Please note the attached snip out of the
error_log.  Rather than this occurring from a
single IP it appears to be coming from a few
dozen simultaneously.  I would like to understand
what this means.

1.  Is it possible that these are spoofed IPs
that are all originating from a single source
but appear to be coming from many?

1a. If so what tools can I use in linux to find
the actual source?  If my linux box is sending it
out I should be able to see where it really is
going.  Whoever is sending this out is getting
the info back or it would be stupid to do.

2. If it is not #1 then this is a distributed

[Thu Jan 11 00:15:54 2001] [error] [client] user  not found: /
[Thu Jan 11 00:44:19 2001] [error] [client] user waynesa not found:/
[Thu Jan 11 00:44:19 2001] [error] [client] user 12345678 not found:/
[Thu Jan 11 00:44:19 2001] [error] [client] user keithe not found: /
[Thu Jan 11 00:44:19 2001] [error] [client] user teogarp not found:/
[Thu Jan 11 00:44:19 2001] [error] [client] user poland not found:/
[Thu Jan 11 00:44:20 2001] [error] [client] user BJPratt not found: /
[Thu Jan 11 00:44:20 2001] [error] [client] user lonpaul not found: /
[Thu Jan 11 00:44:20 2001] [error] [client] user call not found: /
[Thu Jan 11 00:44:20 2001] [error] [client] user taevian not found: /
[Thu Jan 11 00:44:20 2001] [error] [client] user quixote not found: /
[Thu Jan 11 00:44:20 2001] [error] [client] user locomotive not found: /
[Thu Jan 11 00:44:20 2001] [error] [client] user peepert not found: /
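A way to answer the "single source or many?" question from the error_log itself, added here as an example (it is not code from the original post). Apache 1.3 logs one `user X not found` line per failed Basic-auth lookup; grouping those lines into short time windows and counting distinct client addresses per window separates a flood from one address from a burst spread over dozens. Note that these requests arrive over completed TCP connections, so the address Apache records is the host that actually received the server's handshake reply (an open proxy or a compromised machine), not a spoofed packet source. The sample log lines below are constructed and include the `[client a.b.c.d]` field that the quoted snippet has stripped; the thresholds in `classify` are assumptions to tune against your own traffic.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache 1.3 writes one error_log line per failed Basic-auth lookup, e.g.
#   [Thu Jan 11 00:44:19 2001] [error] [client 10.0.0.5] user waynesa not found: /
# A real log carries the client address; the quoted snippet has it stripped.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] "
    r"user (?P<user>\S*)\s*not\s*found:\s*(?P<uri>\S*)$"
)
TS_FMT = "%a %b %d %H:%M:%S %Y"


def parse_failures(lines):
    """Return (timestamp, client_ip, username) for every failed-login line; skip the rest."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m.group("ts"), TS_FMT), m.group("ip"), m.group("user")))
    return events


def window_stats(events, window_seconds=60):
    """Bucket failures into fixed windows and summarise who is sending them."""
    buckets = defaultdict(list)
    for ts, ip, user in events:
        buckets[int(ts.timestamp()) // window_seconds].append((ip, user))
    stats = []
    for key in sorted(buckets):
        rows = buckets[key]
        per_ip = Counter(ip for ip, _ in rows)
        _, top_count = per_ip.most_common(1)[0]
        stats.append({
            "window_start": datetime.fromtimestamp(key * window_seconds),
            "attempts": len(rows),
            "rate_per_sec": len(rows) / window_seconds,
            "distinct_ips": len(per_ip),
            "distinct_users": len({user for _, user in rows}),
            "top_ip_share": top_count / len(rows),   # fraction of attempts from the busiest address
        })
    return stats


def classify(stat, single_source_share=0.9, distributed_min_ips=10):
    """Label a window: one address doing nearly all the work, or many addresses at once.
    Thresholds are assumed starting points, not measured values."""
    if stat["top_ip_share"] >= single_source_share:
        return "single-source"
    if stat["distinct_ips"] >= distributed_min_ips:
        return "distributed"
    return "mixed"


def report(lines, window_seconds=60):
    """One (window start, classification, attempts, distinct IPs) tuple per window."""
    return [
        (s["window_start"].strftime("%H:%M"), classify(s), s["attempts"], s["distinct_ips"])
        for s in window_stats(parse_failures(lines), window_seconds)
    ]


# Constructed sample log (not from the post): twelve tries from a single address,
# then thirty addresses each trying a different username within two seconds,
# plus one unrelated line that the parser must ignore.
SAMPLE_LOG = [
    f"[Thu Jan 11 00:15:{54 + i // 6} 2001] [error] [client 192.0.2.10] user acct{i} not found: /"
    for i in range(12)
] + [
    f"[Thu Jan 11 00:44:{19 + i % 2} 2001] [error] [client 10.0.0.{i + 1}] user guest{i} not found: /"
    for i in range(30)
] + ["[Thu Jan 11 00:44:21 2001] [notice] caught SIGTERM, shutting down"]


if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print(row)
```

Run it against a real error_log with `report(open("/var/log/httpd/error_log"))` (path assumed); a window that shows a high attempt rate, many distinct addresses and a low `top_ip_share` is the pattern the post describes, and the `distinct_users` figure tells you whether one account is being targeted or the whole username space is being enumerated.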

1. Preventing distributed password cracking attack


I am running a web server that is frequently under attack by password
crackers.  I am trying to gain a better understanding of how they are
attacking my site as well as how to prevent them from doing so.

I am running Apache on a Linux box and am using the normal .htpasswd
authorization to validate users.

Every now and then (usually 2-3 times a week from what I can tell) I
am hit by a massive password hacking attempt where they attempt at
least 30 logins per second.

I can understand using a password cracking program that can attempt
multiple logins and I have countermeasures that block an IP after a
certain number of bad attempts within a certain time period.  The
problem is that, just recently, I had an attack come from 605 (yes,
six hundred five) different IP addresses in a 1 minute window.

Are these machines actually hijacked machines or are they proxy
servers?  Is there any way of finding out who is responsible for these
attacks?  What are they using to carry out such an attack and is there
a way to secure my site against it?

Any help would be greatly appreciated.  These attacks are slowing down
my site quite significantly.

Thanks in advance.
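The per-address countermeasure described above has a blind spot that the 605-address attack exposes: when each address makes only one or two attempts, no address ever reaches the block threshold. The example below, added here and not part of the post, replays two constructed attack shapes through that per-IP policy side by side with a realm-wide rate guard that ignores the source address and slows the whole protected area down once total failures per second exceed a limit. Class names, thresholds and the two scenarios are all assumptions; the output shows which policy reacts to which shape.

```python
from collections import defaultdict, deque


class PerIpBlocker:
    """The existing countermeasure: block an address after `max_failures`
    failed logins inside a sliding `window` of seconds."""

    def __init__(self, max_failures=5, window=60.0):
        self.max_failures = max_failures
        self.window = window
        self.recent = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked = {}                  # ip -> time the block was imposed

    def record(self, ts, ip):
        """Register one failure; return True if this address should now be blocked."""
        q = self.recent[ip]
        q.append(ts)
        while ts - q[0] > self.window:      # drop failures older than the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.blocked.setdefault(ip, ts)
            return True
        return False


class RealmRateGuard:
    """Complement for the distributed case: watch the failure rate of the whole
    protected area regardless of source address. While it exceeds `max_per_sec`,
    the realm is in slow-down mode (e.g. every failed reply is delayed), so the
    attack gets fewer guesses per second without any one address being blamed."""

    def __init__(self, max_per_sec=5.0, window=10.0):
        self.max_per_sec = max_per_sec
        self.window = window
        self.recent = deque()

    def record(self, ts):
        """Register one failure from any client; return True while the realm should be slowed."""
        self.recent.append(ts)
        while ts - self.recent[0] > self.window:
            self.recent.popleft()
        return len(self.recent) / self.window > self.max_per_sec


def replay(failures, per_ip=None, realm=None):
    """Run a sequence of (seconds, client_ip) failures through both policies and
    report how many addresses the per-IP rule blocked and when the realm guard fired."""
    per_ip = per_ip if per_ip is not None else PerIpBlocker()
    realm = realm if realm is not None else RealmRateGuard()
    blocked, slowed_at = set(), None
    for ts, ip in failures:
        if per_ip.record(ts, ip):
            blocked.add(ip)
        if realm.record(ts) and slowed_at is None:
            slowed_at = ts
    return {"blocked_ips": len(blocked), "slowed_at": slowed_at}


# Constructed scenarios (seconds from the start of the attack, client address):
SINGLE_SOURCE = [(i * 0.03, "192.0.2.10") for i in range(100)]            # 100 tries in 3 s from one address
DISTRIBUTED = [(i * 60 / 605, f"10.{i // 256}.{i % 256}.1") for i in range(605)]  # 605 addresses, one try each, 1 minute


if __name__ == "__main__":
    print("single source:", replay(SINGLE_SOURCE))   # per-IP rule blocks the one address
    print("distributed:  ", replay(DISTRIBUTED))     # per-IP rule blocks nobody; realm guard fires
```

Against the single-source flood both policies react; against the 605-address spread only the realm guard does, which is the point: the rate that matters for the distributed case is the rate at which the password file is being guessed at, not the rate from any one client. Slowing failed replies also answers the slowdown the post complains about, since each guess then occupies the attacker's connection longer than it occupies the server.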

