Virus that Automatically Tries POP3 logins???

I've noticed quite a few IPs trying (unsuccessfully) to log into my box via POP3 the past several days. This isn't all that unusual - I typically look them up and block at my firewall the 99.99% of them that originate from Russia/Asia. (I don't think we're going to sell a car to someone there. ;) ) Lately, I've noticed a pattern. The below user names have been tried in the same order from different IPs many times. Does anybody know if there's a new worm/virus/other POSware out that does this? I can't believe that it's done by a real person because most of the time, there are hundreds, if not thousands, of login attempts (probably via scripts) before they give up.

Code:
Mar  7 03:33:11 mydomain pop3d: LOGIN FAILED, user=admin, ip=[ip.add.re.ss]
Mar  7 03:33:16 mydomain pop3d: LOGIN FAILED, user=test, ip=[ip.add.re.ss]
Mar  7 03:33:21 mydomain pop3d: LOGIN FAILED, user=danny, ip=[ip.add.re.ss]
Mar  7 03:33:27 mydomain pop3d: LOGIN FAILED, user=sharon, ip=[ip.add.re.ss]
Mar  7 03:33:32 mydomain pop3d: LOGIN FAILED, user=aron, ip=[ip.add.re.ss]
Mar  7 03:33:37 mydomain pop3d: LOGIN FAILED, user=alex, ip=[ip.add.re.ss]
Mar  7 03:33:42 mydomain pop3d: LOGIN FAILED, user=brett, ip=[ip.add.re.ss]
Mar  7 03:33:48 mydomain pop3d: LOGIN FAILED, user=mike, ip=[ip.add.re.ss]
Mar  7 03:33:53 mydomain pop3d: LOGIN FAILED, user=alan, ip=[ip.add.re.ss]
Mar  7 03:33:58 mydomain pop3d: LOGIN FAILED, user=info, ip=[ip.add.re.ss]
Mar  7 03:34:03 mydomain pop3d: LOGIN FAILED, user=shop, ip=[ip.add.re.ss]
Mar  7 03:34:09 mydomain pop3d: LOGIN FAILED, user=sales, ip=[ip.add.re.ss]
 
Nothing new. Just another bruteforce attempt. It'll happen to pretty much any service you expose to the internet.
 
Yea, looks like a brute attempt. I had something like this a few days ago. It looks like someone is trying a list of common English names to get a connection; just block the IPs.
 
Probably just your friendly neighbourhood botnet.

I opened up port 22 to the world a couple of years ago and just marvelled at how many thousands of usernames they attempted.
 
I am familiar with the brute-force password guessing attempts. Getting the same names in the same order from various IPs from all over the world does seem automated to me though.
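
A way to check the pattern described in this thread (the same usernames tried in the same order from different IPs), as an added example that is not part of any post above. It assumes the pop3d line format quoted in the first post; the function names, the sample addresses (documentation ranges) and the constructed sample log are illustrative.

```python
import re
from collections import defaultdict

# Matches pop3d failure lines in the format quoted in the thread.
FAILED = re.compile(r"pop3d: LOGIN FAILED, user=([^,\s]+), ip=\[([^\]]+)\]")

def sequences_by_ip(lines):
    """Return {ip: [usernames in the order that source tried them]}."""
    seqs = defaultdict(list)
    for line in lines:
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            seqs[ip].append(user)
    return dict(seqs)

def shared_wordlists(lines, prefix_len=4, min_ips=2):
    """Group sources whose first prefix_len usernames match in order.

    Several unrelated IPs opening with the same ordered list suggests
    one tool and wordlist behind them rather than independent guessers.
    """
    groups = defaultdict(set)
    for ip, users in sequences_by_ip(lines).items():
        if len(users) >= prefix_len:
            groups[tuple(users[:prefix_len])].add(ip)
    return {seq: sorted(ips) for seq, ips in groups.items()
            if len(ips) >= min_ips}

NAMES = ["admin", "test", "danny", "sharon", "aron"]  # order quoted above

def sample_log():
    """Constructed sample: two sources replay NAMES in order, one does not."""
    sources = [("192.0.2.10", NAMES),
               ("198.51.100.7", NAMES),
               ("203.0.113.5", ["sales", "info", "admin", "test", "mike"])]
    lines = []
    for ip, users in sources:
        for i, user in enumerate(users):
            lines.append(f"Mar  7 03:{33 + i:02d}:11 mydomain pop3d: "
                         f"LOGIN FAILED, user={user}, ip=[{ip}]")
    return sorted(lines)  # interleave sources by timestamp, as in a real log

if __name__ == "__main__":
    for seq, ips in shared_wordlists(sample_log()).items():
        print(f"{len(ips)} sources share wordlist prefix {list(seq)}: {ips}")
```

The fingerprint is taken from the first attempts seen per IP, so a source whose run began before the start of the log file will not match; feed it a window that covers the start of the activity.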
 