Autor: John Beaumont Data: Dla: exim-users Temat: Re: [exim] Exim log being flooded with strange attack
Anyone??
I'm still seeing a lot of this each day. Nearly all of it from Brazilian
broadband IPs.
More generally what does this TLS error mean?
Very grateful for any replies!
On 14 October 2012 00:45, John Beaumont <john@???> wrote:
> Exim version 4.74
> TLS plain and login on port 465
>
> My exim server has been running happily for about 6 months. Hack attempts
> are rare, I haven't needed to bother with fail2ban in all that time.
>
> However about 7 days ago I started to notice something appearing regularly
> in the mainlog.
>
> TLS error on connection from [xxx.xxx.xxx.xxx] (recv): A record packet
> with illegal version was received.
> 2012-10-14 00:26:51 TLS error on connection from [xxx.xxx.xxx.xxx] (send):
> The specified session has been invalidated for some reason.
>
> The frequency was roughly about 1 a minute usually from Chinese or
> Brazillian IP's. By today (14-oct) my server was being hammered with these
> messages from IPs all over the world. Ten to twenty a second. The server
> was becoming sluggish and I had to put in a fail2ban regex to put a stop to
> it all. 243 IPs were banned in 5 minutes, with about 10 to 20 new ones
> being banned every hour since.
>
> Does anyone know what this new attack is? Is there a new piece of malware
> out there looking for trouble on port 465? I never saw anything like this
> before until last week.
>