Attack/DoS

From: Todd R. Stroup (tstroupat_private)
Date: Wed Jun 03 1998 - 14:52:52 PDT

    Don't know if it is just me.  But over the last 10 hours we have been
    seeing attacks on port 0 from port 0 (both tcp and udp) on several clients'
    networks.  I have also seen the same attack on port udp 53 (DNS).
    
    Anyone have any information on this?
    
    
    Todd R. Stroup
    Fiber Network Solutions, Inc.
    
    
    > ---------- Forwarded message ----------
    > Date: Mon, 1 Jun 1998 21:58:17 -0500
    > From: "J.A. Terranson" <sysadminat_private>
    > To: BUGTRAQat_private
    > Subject: (Admittedly Premature) Exploit (?) Warning.
    >
    > While I realize that this issue may not yet be "ripe", as the folks involved
    > (myself and at least three other sites) have not yet firmly established just
    > *exactly* what is going on here, but...
    >
    > There appears to be some kind of exploit making the rounds that utilizes
    > TCP packets from port "0" (yes, that's *zero*) to the IMAP port, 143.  These
    > packet traces are right now available only as historical log entries that are
    > *loosely* associated with 2 successful "root" attacks against IMAP enabled
    > servers, an unsuccessful attack against another (ours), and the possible
    > compromise of another.
    >
    >         In short, I don't know a lot, other than in the course of reviewing my
    > daily logs, I saw a couple of freaky packets (above) addressed to my
    > nameservers (both of them).  They were rejected and logged at the routers,
    > however, as a common courtesy, we notified the admin of the "sending"
    > machine that they had a sick box.  As it developed, this person had
    > received other emails regarding this from other admins, 2 of which had
    > suffered the successful attacks mentioned above - all of us seeing the
    > originating machine as the same box.  It is unknown if the source address was spoofed.
    >
    >         Basically, I think this is just a "common-cause" warning to look out
    > for weird packets of this nature, and to take notice if you see any.
    >
    >         Rather than keep a running blow-by-blow going on the various lists,
    > please address anything regarding this to me directly...
    >
    > Thanks
    > J.A. Terranson
    > sysadminat_private
    >
    >
    >
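
One way to look for the traffic described in the messages above (TCP or UDP packets with source port 0), as an added example that is not part of the original posts: it reads the ports from raw IPv4 packets and skips non-initial fragments, which carry no TCP/UDP header. The function names, the `build_packet` helper and the sample packets (documentation address ranges) are constructed for illustration.

```python
import struct
from collections import Counter

TCP, UDP = 6, 17

def build_packet(src, dst, proto, sport, dport, frag_offset=0):
    """Constructed sample: 20-byte IPv4 header plus the two port fields."""
    addr = lambda ip: bytes(int(o) for o in ip.split("."))
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 0, frag_offset & 0x1FFF,
                         64, proto, 0, addr(src), addr(dst))
    return header + struct.pack("!HH", sport, dport)

def ports_of(packet):
    """Return (proto, src_ip, sport, dport), or None when no ports are readable."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # header length; IP options move the ports
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    proto = packet[9]
    if ihl < 20 or proto not in (TCP, UDP) or len(packet) < ihl + 4:
        return None
    if frag_offset != 0:                  # later fragments carry no TCP/UDP header
        return None
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    return proto, ".".join(map(str, packet[12:16])), sport, dport

def port_zero_report(packets):
    """Count packets with source port 0, keyed by (src_ip, proto, dst_port)."""
    hits = Counter()
    for packet in packets:
        parsed = ports_of(packet)
        if parsed and parsed[2] == 0:
            proto, src, _, dport = parsed
            hits[(src, "tcp" if proto == TCP else "udp", dport)] += 1
    return hits

# Constructed packets using documentation address ranges (not from the thread).
SAMPLE = [
    build_packet("192.0.2.10", "198.51.100.5", TCP, 0, 143),
    build_packet("192.0.2.10", "198.51.100.6", TCP, 0, 143),
    build_packet("192.0.2.10", "198.51.100.5", UDP, 0, 0),
    build_packet("192.0.2.77", "198.51.100.5", UDP, 0, 53),
    build_packet("192.0.2.20", "198.51.100.5", TCP, 40000, 143),   # ordinary client
    build_packet("192.0.2.30", "198.51.100.5", UDP, 0, 0, frag_offset=185),
]

if __name__ == "__main__":
    for key, count in sorted(port_zero_report(SAMPLE).items()):
        print(*key, count)
```
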
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:56:42 PDT