Hmm -- someone's idea of a stealth-scan of port 143, looking for IMAP daemons to come back to and try a buffer overflow on? I see about three to four IMAP exploit attempts on my network a week, most either immediately hitting port 143 without checking, or preceded by a scan (TCP connect). I've been running NFR for about a week to see if anyone was stealth-scanning for IMAP, but haven't seen it in the wild yet. New script out there for the kiddies to play with?

-----Original Message-----
From: arkat_private [mailto:arkat_private]
Sent: Wednesday, February 10, 1999 2:29 AM
To: nmap-hackersat_private
Cc: bugtraqat_private
Subject: XXXX frequent check output (fwd)

-----BEGIN PGP SIGNED MESSAGE-----

nuqneH,

Does anybody know what does it all mean? Looks like a new scan for me.. How is it expected to work? imap as destination, weird source port and flags.. No other "strange" packets arrived as OS type checkers do.

- -- Begin forwarded message ---

XXXX frequent check output for period since Feb 10 10:11 to Feb 10 11:10

Security Warnings summary
=-=-=-=-=-=-=-=-=-=-=-=-=
Feb 10 10:35:54 XXXX /kernel: securitywarning: orphan TCP packet on x.y.z.17:143 from 202.40.17.1:65535 flags 0x3<FIN,SYN>
Feb 10 10:35:54 XXXX /kernel: securitywarning: orphan TCP packet on x.y.z.25:143 from 202.40.17.1:65535 flags 0x3<FIN,SYN>
Feb 10 10:35:54 XXXX /kernel: securitywarning: orphan TCP packet on x.y.z.29:143 from 202.40.17.1:65535 flags 0x3<FIN,SYN>
Feb 10 10:35:54 XXXX /kernel: securitywarning: orphan TCP packet on x.y.z.27:143 from 202.40.17.1:65535 flags 0x3<FIN,SYN>

- -- End forwarded message ---

CU in Hell
/Arkan#iD
Do i believe in Bible? Hell,man,i've seen one!
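The pattern in the forwarded log (one source sending SYN+FIN to the same port on several hosts) can be picked out of the kernel log format shown above. This is an added example, not part of either post; the function name `find_synfin_sweeps`, the `min_targets` threshold, and the last two sample lines (constructed negatives using documentation addresses and an assumed `0x10<ACK>` rendering) are assumptions.

```python
import re
from collections import defaultdict

FIN, SYN = 0x01, 0x02  # TCP flag bits; "0x3" in the log means both are set

# First four lines are from the forwarded report; the last two are constructed
# negatives: a plain ACK orphan, and a lone SYN+FIN below the sweep threshold.
SAMPLE_LOG = """\
Feb 10 10:35:54 XXXX /kernel: securitywarning: orphan TCP packet on x.y.z.17:143 from 202.40.17.1:65535 flags 0x3<FIN,SYN>
Feb 10 10:35:54 XXXX /kernel: securitywarning: orphan TCP packet on x.y.z.25:143 from 202.40.17.1:65535 flags 0x3<FIN,SYN>
Feb 10 10:35:54 XXXX /kernel: securitywarning: orphan TCP packet on x.y.z.29:143 from 202.40.17.1:65535 flags 0x3<FIN,SYN>
Feb 10 10:35:54 XXXX /kernel: securitywarning: orphan TCP packet on x.y.z.27:143 from 202.40.17.1:65535 flags 0x3<FIN,SYN>
Feb 10 10:41:02 XXXX /kernel: securitywarning: orphan TCP packet on x.y.z.17:143 from 192.0.2.7:1042 flags 0x10<ACK>
Feb 10 10:44:19 XXXX /kernel: securitywarning: orphan TCP packet on x.y.z.25:25 from 198.51.100.9:4000 flags 0x3<FIN,SYN>
"""

LINE_RE = re.compile(
    r"orphan TCP packet on (?P<dst>\S+):(?P<dport>\d+) "
    r"from (?P<src>\S+):(?P<sport>\d+) flags 0x(?P<flags>[0-9a-fA-F]+)"
)


def find_synfin_sweeps(log_text, min_targets=3):
    """Map (source, dest port) -> sorted target hosts for sources that sent
    SYN+FIN packets to at least min_targets distinct hosts on that port."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an orphan-packet warning
        flags = int(m["flags"], 16)
        # SYN and FIN together never occur in a legitimate TCP segment.
        if (flags & (SYN | FIN)) == (SYN | FIN):
            targets[(m["src"], int(m["dport"]))].add(m["dst"])
    return {k: sorted(v) for k, v in targets.items() if len(v) >= min_targets}


if __name__ == "__main__":
    for (src, port), hosts in find_synfin_sweeps(SAMPLE_LOG).items():
        print(f"{src}: SYN+FIN to port {port} on {len(hosts)} hosts: {', '.join(hosts)}")
```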