22 Apr 2008, 1:36 p.m.

Why is mail.police.gov.bd Attempting to Hack Me?


I keep a distracted eye on failed logins to the mighty Pointbeing.net datacentre, courtesy of logwatch [1]. Here's the list of attempts from yesterday:

Authentication Failures:
root (mail.police.gov.bd): 452 Time(s)
unknown (mail.police.gov.bd): 403 Time(s)
root ( 17 Time(s)
adm (mail.police.gov.bd): 6 Time(s)
lp (mail.police.gov.bd): 4 Time(s)
mysql (mail.police.gov.bd): 4 Time(s)
root (securityscan.xtraordinary.net.uk): 4 Time(s)
unknown (securityscan.xtraordinary.net.uk): 4 Time(s)
apache (mail.police.gov.bd): 3 Time(s)
ftp (mail.police.gov.bd): 3 Time(s)
bin (mail.police.gov.bd): 2 Time(s)
bin (securityscan.xtraordinary.net.uk): 2 Time(s)
daemon (mail.police.gov.bd): 2 Time(s)
games (mail.police.gov.bd): 2 Time(s)
gopher (mail.police.gov.bd): 2 Time(s)
ftpsecure (mail.police.gov.bd): 1 Time(s)

Now, securityscan.xtraordinary.net.uk is a monitoring service provided by my hosting company, Xtraordinary Hosting, who I strongly recommend. I don't know who or what is, but a quick visit to DNSstuff suggests that it's probably a run-of-the-mill hacking attempt originating from China.

Of particular interest to me are the many hundreds of attempts originating from mail.police.gov.bd. That appears to be the Bangladeshi police's own webmail server, running an alpha of SquirrelMail. The pattern of the login attempts corresponds strongly with that of a compromised server.
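
As an added example (not part of the original post), the Python below totals the logwatch entries listed above per source host and flags hosts that made many attempts across many account names. The function names, the thresholds and the "(host missing)" label are assumptions; the one entry whose host is absent from the page is counted under that label.

```python
import re
from collections import defaultdict

# Entries copied from the logwatch report in the post. The third entry has
# no source host in the page text; it is kept as-is and handled below.
REPORT = """\
root (mail.police.gov.bd): 452 Time(s)
unknown (mail.police.gov.bd): 403 Time(s)
root ( 17 Time(s)
adm (mail.police.gov.bd): 6 Time(s)
lp (mail.police.gov.bd): 4 Time(s)
mysql (mail.police.gov.bd): 4 Time(s)
root (securityscan.xtraordinary.net.uk): 4 Time(s)
unknown (securityscan.xtraordinary.net.uk): 4 Time(s)
apache (mail.police.gov.bd): 3 Time(s)
ftp (mail.police.gov.bd): 3 Time(s)
bin (mail.police.gov.bd): 2 Time(s)
bin (securityscan.xtraordinary.net.uk): 2 Time(s)
daemon (mail.police.gov.bd): 2 Time(s)
games (mail.police.gov.bd): 2 Time(s)
gopher (mail.police.gov.bd): 2 Time(s)
ftpsecure (mail.police.gov.bd): 1 Time(s)
"""

ENTRY = re.compile(r"^(?P<user>\S+) \((?P<host>[^)]+)\): (?P<count>\d+) Time\(s\)$")
NO_HOST = re.compile(r"^(?P<user>\S+) \(\s*(?P<count>\d+) Time\(s\)$")

def summarise(report):
    """Return {host: {"attempts": int, "accounts": set}} for a report section."""
    hosts = defaultdict(lambda: {"attempts": 0, "accounts": set()})
    for line in report.splitlines():
        m = ENTRY.match(line.strip()) or NO_HOST.match(line.strip())
        if not m:
            continue  # headings, blank lines, anything unrecognised
        host = m.groupdict().get("host") or "(host missing)"
        hosts[host]["attempts"] += int(m.group("count"))
        hosts[host]["accounts"].add(m.group("user"))
    return dict(hosts)

def noisy_hosts(summary, min_attempts=100, min_accounts=5, ignore=()):
    """Hosts with many failures spread over many account names (assumed thresholds)."""
    return sorted(h for h, s in summary.items()
                  if h not in ignore and s["attempts"] >= min_attempts
                  and len(s["accounts"]) >= min_accounts)

if __name__ == "__main__":
    for host, s in summarise(REPORT).items():
        print(host, s["attempts"], "attempts,", len(s["accounts"]), "accounts")
    print("flagged:", noisy_hosts(summarise(REPORT)))
```

The `ignore` argument is for hosts you already expect to see, such as the hosting company's monitoring service.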

Has anyone else seen this in their logs? Is there any point in emailing the Bangladeshi police to let them know?

[1] Seriously guys, who runs their website on port 81?

Posted by Simon at 01:53:00 PM