Autor: John Beaumont Fecha: A: exim-users Asunto: [exim] Exim log being flooded with strange attack
Exim version 4.74
TLS plain and login on port 465
My exim server has been running happily for about 6 months. Hack attempts
are rare, I haven't needed to bother with fail2ban in all that time.
However about 7 days ago I started to notice something appearing regularly
in the mainlog.
TLS error on connection from [xxx.xxx.xxx.xxx] (recv): A record packet with
illegal version was received.
2012-10-14 00:26:51 TLS error on connection from [xxx.xxx.xxx.xxx] (send):
The specified session has been invalidated for some reason.
The frequency was roughly about 1 a minute usually from Chinese or
Brazillian IP's. By today (14-oct) my server was being hammered with these
messages from IPs all over the world. Ten to twenty a second. The server
was becoming sluggish and I had to put in a fail2ban regex to put a stop to
it all. 243 IPs were banned in 5 minutes, with about 10 to 20 new ones
being banned every hour since.
Does anyone know what this new attack is? Is there a new piece of malware
out there looking for trouble on port 465? I never saw anything like this
before until last week.