RE: UDP Port 137 - Now TCP 143

From: David Bovee (dbovee@inetsec.com)
Date: Wed Feb 10 1999 - 16:05:05 PST


    I guess I would add that tcp/143, associated with IMAP, has been a victim to
    various DoS and other security exploits. I guess I can dig out the CERT
    advisories if needed...bottom line, it is commonly used as a doorknob twist.
    I raise this issue because I've seen MANY dozens of instances of valid IMAP
    doorknob twists that did not involve other ports, such as the mountd below.
    
    -David
    
    > -----Original Message-----
    > From: owner-firewall-wizards@nfr.net
    > [mailto:owner-firewall-wizards@nfr.net]On Behalf Of David Gillett
    > Sent: Tuesday, February 09, 1999 12:52 PM
    > To: Bill_Royds@pch.gc.ca
    > Cc: 'firewall-wizards@nfr.net'
    > Subject: Re: UDP Port 137 - Now TCP 143
    >
    >
    > On 6 Feb 99, at 22:32, Bill_Royds@pch.gc.ca wrote:
    >
    > > John Burgess asked:
    > >
    > > Thanks to all who responded regarding UDP port 137.  I learned some
    > > interesting facts.  I got a new one this morning.  Does anyone know why
    > > would someone/something be hitting TCP port 143?  This was at
    > 2:30 AM from
    > > bay-030-b5.codetel.net.do (206.105.238.30 - Dominican Republic - a
    > > router?) Protocol=TCP Port 2734->143?
    > >
    > > JB
    > >
    > >   Port 143/tcp is IMAP. There are several known vulnerabilities with
    > > some IMAP servers that he may be trying to exploit.
    >
    >   Just about every time I've seen someone try port 143, one of two other
    > things was true:
    >
    > 1.  The same machine also tried port 110 (POP3).  The user is trying to
    > retrieve email, possibly from the wrong server (either mistyped server
    > name/IP, or misunderstood scope of service provided).
    >
    > 2.  The same machine tried ports 23 (telnet) and 635 (mountd), and
    > usually a couple of others as well.  I've seen this ten times now, five
    > in Novemeber and five in 1999.  In the cases where I reached an admin
    > of the source machine, it always turned out to be a Linux box; on one
    > occasion, it was also launching "land" DoS attacks against Windows
    > servers.  The reference to port 635 may relate to CERT advisory 98-12,
    > regarding an unsecured configuration of mountd that Red Hat, at least,
    > installs as the default.
    >
    >
    > David Gillett
    > Network Security Engineer
    > General Magic, Inc (operators of portico.net)
    > davidg@genmagic.com
    > (408) 774-4384
    >
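
One way to turn the two patterns Gillett describes into a log triage step, as an added example that is not from this thread: group firewall log lines by source address and label every source that touched tcp/143 by what else it tried (110 only, versus 23 and/or 635). The log line format, the sample lines and the function names are constructed for the example.

```python
# Added example (not from the firewall-wizards thread): classify sources that
# touched tcp/143 by the other ports they tried.  Log format is constructed.
from collections import defaultdict
import re

# Constructed, minimal firewall log format: "<src-ip> -> <dst-port>/tcp"
LINE_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s*->\s*(\d+)/tcp$")

IMAP, POP3 = 143, 110
SCAN_MARKERS = {23, 635}          # telnet and mountd, per the thread

def ports_by_source(lines):
    """Map each source IP to the set of destination ports it attempted."""
    hits = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            hits[m.group(1)].add(int(m.group(2)))
    return hits

def classify(ports):
    """Label one source's port set; only sources that touched 143 matter."""
    if IMAP not in ports:
        return "no-imap"
    if ports & SCAN_MARKERS:
        return "scan-pattern"          # 143 alongside 23 and/or 635
    if POP3 in ports and ports <= {IMAP, POP3}:
        return "likely-mail-client"    # 143 and 110 only: misdirected client
    return "imap-unclassified"         # 143 plus something else; review by hand

def triage(lines):
    """Return {src: label} for every source that tried 143."""
    return {src: classify(p) for src, p in ports_by_source(lines).items()
            if IMAP in p}

# Constructed sample log lines
SAMPLE = """
10.0.0.5 -> 110/tcp
10.0.0.5 -> 143/tcp
192.0.2.7 -> 23/tcp
192.0.2.7 -> 143/tcp
192.0.2.7 -> 635/tcp
198.51.100.9 -> 143/tcp
203.0.113.2 -> 80/tcp
""".strip().splitlines()

if __name__ == "__main__":
    for src, label in sorted(triage(SAMPLE).items()):
        print(f"{src:15} {label}")
```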
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:21:39 PDT