# Virus that Automatically Tries POP3 logins???



## Ruler2112 (Mar 8, 2010)

I've noticed quite a few IPs trying (unsuccessfully) to log into my box via POP3 the past several days. This isn't all that unusual - I typically look them up and block at my firewall the 99.99% of them that originate from Russia/Asia. (I don't think we're going to sell a car to someone there.) Lately, I've noticed a pattern. The below user names have been tried in the same order from different IPs many times. Does anybody know if there's a new worm/virus/other POSware out that does this? I can't believe that it's done by a real person because most of the time, there are hundreds, if not thousands, of login attempts (probably via scripts) before they give up.


```
Mar  7 03:33:11 mydomain pop3d: LOGIN FAILED, user=admin, ip=[ip.add.re.ss]
Mar  7 03:33:16 mydomain pop3d: LOGIN FAILED, user=test, ip=[ip.add.re.ss]
Mar  7 03:33:21 mydomain pop3d: LOGIN FAILED, user=danny, ip=[ip.add.re.ss]
Mar  7 03:33:27 mydomain pop3d: LOGIN FAILED, user=sharon, ip=[ip.add.re.ss]
Mar  7 03:33:32 mydomain pop3d: LOGIN FAILED, user=aron, ip=[ip.add.re.ss]
Mar  7 03:33:37 mydomain pop3d: LOGIN FAILED, user=alex, ip=[ip.add.re.ss]
Mar  7 03:33:42 mydomain pop3d: LOGIN FAILED, user=brett, ip=[ip.add.re.ss]
Mar  7 03:33:48 mydomain pop3d: LOGIN FAILED, user=mike, ip=[ip.add.re.ss]
Mar  7 03:33:53 mydomain pop3d: LOGIN FAILED, user=alan, ip=[ip.add.re.ss]
Mar  7 03:33:58 mydomain pop3d: LOGIN FAILED, user=info, ip=[ip.add.re.ss]
Mar  7 03:34:03 mydomain pop3d: LOGIN FAILED, user=shop, ip=[ip.add.re.ss]
Mar  7 03:34:09 mydomain pop3d: LOGIN FAILED, user=sales, ip=[ip.add.re.ss]
```


----------



## SirDice (Mar 9, 2010)

Nothing new. Just another bruteforce attempt. It'll happen to pretty much any service you expose to the internet.


----------



## saxon3049 (Mar 9, 2010)

Yeah, looks like a brute attempt. I had something like this a few days ago; it looks like someone is trying a list of common English names to get a connection. Just block the IPs.


----------



## fronclynne (Mar 9, 2010)

Probably just your friendly neighbourhood botnet.

I opened up port 22 to the world a couple of years ago and just marvelled at how many thousands of usernames _they_ attempted.


----------



## Ruler2112 (Mar 10, 2010)

I am familiar with the brute-force password guessing attempts.  Getting the same names in the same order from various IPs from all over the world does seem automated to me though.


----------
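The pattern raised in the thread, the same usernames tried in the same order from different IPs, can be confirmed from the log itself. The following is an added example, not part of any post above: it parses `pop3d: LOGIN FAILED` lines in the format quoted in the first post and reports ordered runs of usernames that more than one source address tried. The function names, the run length of 4, and the sample addresses (documentation ranges) are assumptions made for the example.

```python
import re
from collections import defaultdict

# Matches the pop3d failure lines in the format quoted in the first post.
FAILED = re.compile(r"pop3d: LOGIN FAILED, user=([^,\s]+), ip=\[([^\]]+)\]")

def attempts_by_ip(lines):
    """Return {ip: [usernames in the order they were tried]}."""
    seq = defaultdict(list)
    for line in lines:
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            seq[ip].append(user)
    return dict(seq)

def shared_runs(lines, run_len=4, min_ips=2):
    """Return {username run: sorted IPs} for ordered runs of run_len
    usernames that at least min_ips distinct sources tried."""
    seen = defaultdict(set)
    for ip, users in attempts_by_ip(lines).items():
        # Slide a window over each source's attempts so that sources which
        # stop early or start mid-list still match on the part they share.
        for i in range(len(users) - run_len + 1):
            seen[tuple(users[i:i + run_len])].add(ip)
    return {run: sorted(ips) for run, ips in seen.items() if len(ips) >= min_ips}

def build_sample():
    """Constructed log lines: two sources walk the same list, one does not."""
    wordlist = ["admin", "test", "danny", "sharon", "aron", "alex"]
    lines = []
    for ip, users in [("192.0.2.10", wordlist),
                      ("198.51.100.7", wordlist[:5]),
                      ("203.0.113.5", ["root", "test", "admin", "guest"])]:
        for n, user in enumerate(users):
            lines.append(f"Mar  7 03:33:{n * 5:02d} mydomain pop3d: "
                         f"LOGIN FAILED, user={user}, ip=[{ip}]")
    return lines

if __name__ == "__main__":
    for run, ips in shared_runs(build_sample()).items():
        print(" > ".join(run), "<-", ", ".join(ips))
```

Addresses that share a run are working from the same wordlist and can be grouped for blocking or rate limiting rather than looked up one at a time.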

