It's possible that those servers are running old versions of daemons with holes in them... did you check to see what version of pop3 they were running... or any other daemon for that matter? --- Kaneda Akira ICQ#49107701 Email: k_anedaat_private -- That's why we spend so much time trying to understand our own motivations and those of others. That's what makes life so interesting. -- Kaji, Evangelion Ep 18 On Sun, 14 Oct 2001, leon wrote: > Date: Sun, 14 Oct 2001 01:20:00 -0400 > From: leon <leonat_private> > To: vuln-devat_private > Subject: pop3 exploit???? > > Hi everyone, > > I posted this to the incidents list already and no one seemed to know > anything about it so I am posting it here because maybe someone here has > a better "ear to the ground" so to speak. Is there a new pop3 exploit > out? I constantly get scanned for the usual services (21, 23, 80, > 12345, 27374, etc, etc) and when I scan these systems back the only > thing they have in common (as far as running services) is 110 pop3. Now > some of these ips are running a multitude of services and were probably > compromised by other means but some are solely running 110. Does anyone > know anything about this? I don't have any banners grabbed but I do > have a slew of ips. Also, I don't really care because I am not running > any of the services that they are looking for so it is more of annoyance > then anything else but I am still curious if anyone has seen anything > like this. I have no clue if these ips are static or dynamic. This is > being written at 1:15 am EST on 10/14/2001. > > If anyone wants to comment on list or off please feel free to do so. > > Thanks, > > Leon > > 172.150.153.238 > 213.245.47.41 > 216.220.104.180 > 213.112.62.68 > 24.29.125.76 > 212.184.148.179 > 157.130.52.209 > 4.24.9.58 > > PS: if you would like more ips please let me know there come in > constantly I just figured that was enough. >
This archive was generated by hypermail 2b30 : Sun Oct 14 2001 - 21:40:23 PDT