RE: XXXX frequent check output (fwd)

From: Dragos Ruiu (dr@v-wave.com)
Date: Wed Feb 10 1999 - 11:33:58 PST


    I dismissed it yesterday, but now I'm thinking twice...
    
    Just to add some paranoia to the fire, in the last
    two days, loggers picked up three imap destined scans
    of all the hosts of my particular neck of the
    address space.  They were scans because they
    eventually hit all the servers from the same
    source in a small time period, and they sent
    traffic only to the imap port, even on servers
    that have no business talking imap or have
    the imap port closed.  Methinks there's a new
    exploit floating around.  Man the firewalls... :-)
    Or at least have a double-check of your
    logs of imap traffic.
    
    --dr
    
    -----Original Message-----
    From: arkat_private [mailto:arkat_private]
    Sent: Wednesday, February 10, 1999 2:29 AM
    To: nmap-hackersat_private
    Cc: bugtraqat_private
    Subject: XXXX frequent check output (fwd)
    
    
    -----BEGIN PGP SIGNED MESSAGE-----
    
    nuqneH,
    
    Does anybody know what it all means? Looks like a new scan to me..
    How is it expected to work?
    imap as destination, weird source port and flags..
    
    No other "strange" packets arrived as OS type checkers do.
    
    
    - -- Begin forwarded message ---
    XXXX frequent check output for period since Feb 10 10:11 to Feb 10 11:10
    
    Security Warnings summary
    =-=-=-=-=-=-=-=-=-=-=-=-=
    Feb 10 10:35:54 XXXX /kernel: securitywarning: orphan TCP packet on x.y.z.17:143 from 202.40.17.1:65535 flags 0x3<FIN,SYN>
    Feb 10 10:35:54 XXXX /kernel: securitywarning: orphan TCP packet on x.y.z.25:143 from 202.40.17.1:65535 flags 0x3<FIN,SYN>
    Feb 10 10:35:54 XXXX /kernel: securitywarning: orphan TCP packet on x.y.z.29:143 from 202.40.17.1:65535 flags 0x3<FIN,SYN>
    Feb 10 10:35:54 XXXX /kernel: securitywarning: orphan TCP packet on x.y.z.27:143 from 202.40.17.1:65535 flags 0x3<FIN,SYN>
    
    - -- End forwarded message ---
                                         _     _  _  _  _      _  _
     {::} {::} {::}  CU in Hell          _| o |_ | | _|| |   / _||_|   |_ |_ |_
     (##) (##) (##)        /Arkan#iD    |_  o  _||_| _||_| /   _|  | o |_||_||_|
     [||] [||] [||]            Do i believe in Bible? Hell,man,i've seen one!
    
    -----BEGIN PGP SIGNATURE-----
    Version: 2.6.3i
    Charset: noconv
    
    iQCVAwUBNsFfXqH/mIJW9LeBAQHXEwQAn2eracntfi7wwfLDJB/3ac3MyfTBG4GO
    EVxs23pkLs4I9vatKSPKv4rFJbWBVy8z15r8mav5/567qsHdRe1W5QrdFArALAKi
    M2qDDCiWRCba99J+Jswt1Ir8K6q37Fvrr8x50uscEr+DJQT+2FBwb/Y72bd9VsRl
    xpX7whwS6PQ=
    =/rWT
    -----END PGP SIGNATURE-----
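The two things the thread points at are (a) a flag combination no real TCP endpoint sends (FIN together with SYN) and (b) one source touching many hosts on the same port within seconds. The script below is an added example, not code from either poster: it parses the `/kernel: securitywarning: orphan TCP packet` lines exactly as they appear in the forwarded report and flags a source that either uses a bogus flag set or sweeps several distinct hosts on one port inside a short window. The sample log embeds the four lines from the post plus one constructed benign line (a late FIN/ACK to a mail server) to show what is not reported; the `min_hosts` and `window` thresholds are assumptions, not anything the kernel defines.

```python
"""Scan detector for FreeBSD-style 'orphan TCP packet' kernel warnings (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the log format shown in the post; the destination is kept as text because
# the report anonymises it (x.y.z.17) rather than giving a dotted quad.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ /kernel: securitywarning: "
    r"orphan TCP packet on (?P<dst>[\w.\-]+):(?P<dport>\d+) "
    r"from (?P<src>[\d.]+):(?P<sport>\d+) flags 0x(?P<flags>[0-9a-fA-F]+)<[^>]*>$"
)

# TCP flag bits as they appear in the kernel's hex value.
TH_FIN, TH_SYN, TH_RST, TH_ACK = 0x01, 0x02, 0x04, 0x10


def parse_line(line):
    """Return a dict for one warning line, or None if the line is something else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    # syslog timestamps carry no year; strptime's default year is fine for
    # differences within one report (year rollover is ignored here).
    ts = datetime.strptime(m["ts"].replace("  ", " "), "%b %d %H:%M:%S")
    return {
        "ts": ts, "dst": m["dst"], "dport": int(m["dport"]),
        "src": m["src"], "sport": int(m["sport"]), "flags": int(m["flags"], 16),
    }


def flags_are_bogus(flags):
    """True for flag combinations that a legitimate TCP stack never emits."""
    if flags & TH_SYN and flags & (TH_FIN | TH_RST):   # SYN never travels with FIN or RST
        return True
    if flags & TH_FIN and not flags & TH_ACK:          # a FIN without ACK is not a real close
        return True
    return flags == 0                                  # NULL packet


def detect_scans(lines, min_hosts=3, window=timedelta(seconds=60)):
    """One finding per (source, dest port) that used bogus flags or hit >= min_hosts
    distinct hosts within `window`. Thresholds are assumptions for this example."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            events[(ev["src"], ev["dport"])].append(ev)

    findings = []
    for (src, dport), evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        bogus = any(flags_are_bogus(e["flags"]) for e in evs)
        # Largest set of distinct destinations seen in any window starting at an event.
        best = set()
        for i, first in enumerate(evs):
            hosts = {e["dst"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(hosts) > len(best):
                best = hosts
        sweep = len(best) >= min_hosts
        if bogus or sweep:
            findings.append({"src": src, "dport": dport, "hosts": sorted(best),
                             "sweep": sweep, "bogus": bogus})
    return findings


# The four lines from the forwarded report, plus one constructed benign line
# (a stray FIN/ACK to port 25 from a single internal host).
SAMPLE_LOG = [
    "Feb 10 10:35:54 XXXX /kernel: securitywarning: orphan TCP packet on x.y.z.17:143 from 202.40.17.1:65535 flags 0x3<FIN,SYN>",
    "Feb 10 10:35:54 XXXX /kernel: securitywarning: orphan TCP packet on x.y.z.25:143 from 202.40.17.1:65535 flags 0x3<FIN,SYN>",
    "Feb 10 10:35:54 XXXX /kernel: securitywarning: orphan TCP packet on x.y.z.29:143 from 202.40.17.1:65535 flags 0x3<FIN,SYN>",
    "Feb 10 10:35:54 XXXX /kernel: securitywarning: orphan TCP packet on x.y.z.27:143 from 202.40.17.1:65535 flags 0x3<FIN,SYN>",
    "Feb 10 10:40:01 XXXX /kernel: securitywarning: orphan TCP packet on x.y.z.17:25 from 10.0.0.5:1042 flags 0x11<FIN,ACK>",  # constructed
]

if __name__ == "__main__":
    for f in detect_scans(SAMPLE_LOG):
        kind = " ".join(k for k in ("sweep", "bogus") if f[k])
        print(f"{f['src']} -> port {f['dport']} ({kind}): {len(f['hosts'])} hosts {f['hosts']}")
```

Run against a real kernel log with `detect_scans(open("/var/log/messages"))`; a lone stray FIN/ACK is normal after a connection closes and produces no finding, whereas the 202.40.17.1 source is reported on both counts.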
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:33:26 PDT