Just saw something that I thought was long gone. The username “pop3user” is showing up in our telnet/ssh logs. I don’t know how long ago it was that I used POP3 to retrieve e-mail from one of my mail servers. IMAP and various webmail systems have long since replaced this classic email protocol. But at least this one attacker is counting on someone still having a “pop3user” configured.
The passwords attempted are the classics “pop3user” and “123456”. The sole IP address scanning for this username is 193.32.162.157. The IP address is part of AS47890, which is managed by Unmanaged (I am not making this up..)
route: Â Â Â Â Â 193.32.162.0/24
origin: Â Â Â Â AS47890
mnt-by: Â Â Â Â UNMANAGED
mnt-by: Â Â Â Â ro-btel2-1-mnt
created: Â Â Â Â 2022-11-21T17:07:38Z
last-modified: Â 2022-11-21T17:07:38Z
source: Â Â Â Â RIPE
The website for unmanaged.uk is blank, the network is probably unmanaged… not a fan of blocklists, but I would consider AS47890 a good candidate for a block.
pop3 still being used (maybe?), unmanaged networks… why are we wasting time trying to worry about 0-days?
—
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|
