RE: XXXX frequent check output (fwd)

From: Brown, Mark (mbrownat_private)
Date: Wed Feb 10 1999 - 10:53:29 PST


    Hmm -- someone's idea of a stealth-scan of port 143, looking for IMAP
    daemons to come back to and try a buffer overflow on?  I see about three to
    four IMAP exploit attempts on my network a week, most either immediately
    hitting port 143 without checking, or preceded by a scan (TCP connect).
    I've been running NFR for about a week to see if anyone was stealth-scanning
    for IMAP, but haven't seen it in the wild yet.  New script out there for the
    kiddies to play with?
    
    -----Original Message-----
    From: arkat_private [mailto:arkat_private]
    Sent: Wednesday, February 10, 1999 2:29 AM
    To: nmap-hackersat_private
    Cc: bugtraqat_private
    Subject: XXXX frequent check output (fwd)
    
    
    -----BEGIN PGP SIGNED MESSAGE-----
    
    nuqneH,
    
    Does anybody know what it all means? Looks like a new scan to me..
    How is it expected to work?
    imap as destination, weird source port and flags..
    
    No other "strange" packets arrived as OS type checkers do.
    
    
    - -- Begin forwarded message ---
    XXXX frequent check output for period since Feb 10 10:11 to Feb 10 11:10
    
    Security Warnings summary
    =-=-=-=-=-=-=-=-=-=-=-=-=
    Feb 10 10:35:54 XXXX /kernel: securitywarning: orphan TCP packet on
    x.y.z.17:143 from 202.40.17.1:65535 flags 0x3<FIN,SYN>
    Feb 10 10:35:54 XXXX /kernel: securitywarning: orphan TCP packet on
    x.y.z.25:143 from 202.40.17.1:65535 flags 0x3<FIN,SYN>
    Feb 10 10:35:54 XXXX /kernel: securitywarning: orphan TCP packet on
    x.y.z.29:143 from 202.40.17.1:65535 flags 0x3<FIN,SYN>
    Feb 10 10:35:54 XXXX /kernel: securitywarning: orphan TCP packet on
    x.y.z.27:143 from 202.40.17.1:65535 flags 0x3<FIN,SYN>
    
    - -- End forwarded message ---
                                         _     _  _  _  _      _  _
     {::} {::} {::}  CU in Hell          _| o |_ | | _|| |   / _||_|   |_ |_ |_
     (##) (##) (##)        /Arkan#iD    |_  o  _||_| _||_| /   _|  | o |_||_||_|
     [||] [||] [||]            Do i believe in Bible? Hell,man,i've seen one!
    
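Added example, not part of the original messages: a small log check that picks out the pattern discussed above, one source sending an illegal flag combination (here FIN+SYN, 0x3) to several hosts on the same port. The function names, the `min_targets` threshold, and the two extra sample records (the `<ACK>` line and the lone 198.51.100.9 line) are assumptions constructed for illustration; the other four records are the ones quoted in the thread.

```python
import re
from collections import defaultdict

FIN, SYN, RST = 0x01, 0x02, 0x04  # TCP header flag bits

# Records as quoted in the thread (still wrapped by the mail client),
# plus two constructed records for contrast.
SAMPLE_LOG = """
Feb 10 10:35:54 XXXX /kernel: securitywarning: orphan TCP packet on
x.y.z.17:143 from 202.40.17.1:65535 flags 0x3<FIN,SYN>
Feb 10 10:35:54 XXXX /kernel: securitywarning: orphan TCP packet on
x.y.z.25:143 from 202.40.17.1:65535 flags 0x3<FIN,SYN>
Feb 10 10:35:54 XXXX /kernel: securitywarning: orphan TCP packet on
x.y.z.29:143 from 202.40.17.1:65535 flags 0x3<FIN,SYN>
Feb 10 10:35:54 XXXX /kernel: securitywarning: orphan TCP packet on
x.y.z.27:143 from 202.40.17.1:65535 flags 0x3<FIN,SYN>
Feb 10 10:36:02 XXXX /kernel: securitywarning: orphan TCP packet on
x.y.z.17:143 from 192.0.2.7:1042 flags 0x10<ACK>
Feb 10 10:36:09 XXXX /kernel: securitywarning: orphan TCP packet on
x.y.z.25:143 from 198.51.100.9:4000 flags 0x3<FIN,SYN>
"""

# \s+ also matches the line break the mail client inserted mid-record.
RECORD_RE = re.compile(
    r"orphan TCP packet on\s+(?P<dst>\S+):(?P<dport>\d+)\s+"
    r"from\s+(?P<src>\S+):(?P<sport>\d+)\s+flags\s+(?P<flags>0x[0-9a-fA-F]+)"
)

def illegal_combo(flags):
    """True for flag sets a normal TCP stack never sends:
    no flags at all, or SYN together with FIN or RST."""
    return flags == 0 or bool(flags & SYN and flags & (FIN | RST))

def find_sweeps(log_text, min_targets=3):
    """Map (source IP, destination port) to the sorted list of hosts that
    source hit with illegal flags, keeping sources with >= min_targets hosts."""
    hits = defaultdict(set)
    for m in RECORD_RE.finditer(log_text):
        if illegal_combo(int(m["flags"], 16)):
            hits[(m["src"], int(m["dport"]))].add(m["dst"])
    return {k: sorted(v) for k, v in hits.items() if len(v) >= min_targets}

if __name__ == "__main__":
    for (src, dport), targets in find_sweeps(SAMPLE_LOG).items():
        print(f"{src} swept port {dport} on {len(targets)} hosts: {targets}")
```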
    


