RE: pop3 exploit????

From: leon (leonat_private)
Date: Tue Oct 16 2001 - 12:20:18 PDT

    Ok.  I have to apologize to everyone.  I was being a bonehead (what else
    is new?).  I was using super scanner and it would report 110 was open
    and guess it was pop3.  But riddle me this, Batman (and woman): why is it
    that when I try to telnet to the offending IPs I connect but get no
    banner, and after about 15 seconds it tells me the connection was lost?
    
    What does the group suggest I do now????
    
    -----Original Message-----
    From: theogat_private [mailto:theogat_private] 
    Sent: Tuesday, October 16, 2001 7:12 PM
    To: John Thornton
    Cc: leon; vuln-devat_private
    Subject: Re: pop3 exploit????
    
    
    I agree with most of what's written below; here are some comments:
    I would run some kind of IDS software on the scanned machines just to know
    if these are just scans or if someone is actually trying to hack. Snort from
    www.snort.org along with the arachNIDS ruleset from www.whitehats.com
    should do it...
    
    If indeed the attacker is just playing around, secure your systems as
    much as you can (I would try attacking my own systems to see if there is
    indeed somewhere they can strike).
    
    I don't know what the effect of sending an e-mail to abuseat_private will be,
    but I assume it won't stop the attacks; what's more, the attacker might be
    using Trojans on innocent people's machines....
    
    If the attacker is a blackhat, you probably don't want to try and scan him
    or let him know in any way you are trying to track him down; the response
    will probably be (assuming he's already been in one of your systems...)
    attempts to try and erase any record that might turn up his identity...
    which might get quite ugly, and very painful for you. Even so-called "script
    kiddies" with downloaded software from a "tripod hosted site" can do real
    damage, see http://grc.com/dos/grcdos.htm so think before you act...
    
    Good luck
    TheOg
    
     On Mon, 15 Oct 2001, John Thornton wrote:
    
    > > I constantly get scanned for the usual services (21, 23, 80,
    > > 12345, 27374, etc, etc) and when I scan these systems back the only
    >
    > As we all do who take the time to see who is hitting our boxes.
    >
    > > thing they have in common (as far as running services) is 110 pop3.
    >
    > One thing to look at is what pop3 daemon the server is running and what
    > version it is. I would check securityfocus.com and
    > http://icat.nist.gov/icat.cfm (the ICAT metabase). More often than not the
    > security hole used to exploit the other boxes is public. I would have to
    > argue that if it was an unknown pop3 daemon exploit they would most likely be
    > scanning your box for the same vulnerable service to exploit. So if the
    > addresses you have are blowing past 110 and looking at ports like 12345,
    > 27374 and other low-level trojan backdoor attacks I would lean more towards
    > a coincidence that they have port 110 open.
    >
    > Now let's say they are all running a pop3 daemon like qpop (by the way I
    > could not connect to any of those ip addresses you posted on port 110) and
    > you can't find any known security holes for that version of qpop; then in my
    > mind it would be worth it to grab that socket programming book and write a
    > little server that listens on port 110 and displays the same banner as the
    > rest of the attacking servers. Then sniff to see just what in the hell it is
    > doing.
    >
    > With that said, one of the things that I do as a Network Administrator is a
    > nslookup on each address that scans my network. This will tell you a lot
    > about who is attacking you.
    >
    > AC9699EE.ipt.aol.com
    > cha213245047041.chello.fr
    > ua-213-112-62-68.cust.bredbandsbolaget.se
    > 24-29-125-76.nyc.rr.com
    > pD4B894B3.dip.t-dialin.net
    > 500.POS2-0.SR3.SEA9.ALTER.NET
    > p13-0.iplvin1-br1.bbnplanet.net
    >
    > All of the addresses that scanned you (the ones you sent) belong to an isp of
    > some sort. That in itself should tell you that these are low-level
    > attackers. Most likely these ip addresses belonged to the attackers' home
    > computers. In that case what you should do (sadly not practiced enough by the
    > Network Admin Community) is to report them to abuseat_private and attach the
    > logs of the scan (make sure you include your time zone, source and
    > destination ports used) and let them take care of it. Most likely you and a
    > few dozen Network Administrators will report the same address and have Zero
    > Cool's service taken away. I have to say, there is nothing like drinking a
    > cup of coffee in the morning when checking your email to read that you played
    > a role in terminating one less script kid's isp. I digress.
    >
    > Now, if these addresses translated into something like bob.com, ford.com,
    > etc... then that means you might be on to a real live hacker. These are
    > _always_ fun to help track down. In that case I would call the network admin
    > on the phone, since we would assume the box is owned by a hacker and most
    > likely the network admin's mail is being read.
    >
    > > like this.  I have no clue if these ips are static or dynamic.  This is
    >
    > Again, a nslookup will tell you a lot, such as if the attacker has a static
    > or dynamic address. These are all dynamic ip addresses.
    >
    > To sum everything up: could this be some sort of sophisticated attack of
    > some unreported exploit to a pop3 daemon? Hardly. It looks to me like script
    > kids and their 'l33t' tools from some 'Hacking' site hosted by tripod. The
    > best thing you can do as a Network Administrator is to report these to abuse
    > of the isp. However, if the anti-terrorism bill is passed (and it looks that
    > way) I would urge you not to. I know I won't. Getting script kids' service
    > turned off is one thing, having them sent to jail is another...
    >
    > John Thornton  -  jthorntonat_private
    > Editor in Chief
    > Hackers Digest -  www.hackersdigest.com
    >
    >
    >      H  A  C  K  E  R  '  S    D  I  G  E  S  T
    > --------------------------------------------------
    > Issue 2 comes out November 1st. Will you get it?
    > --------------------------------------------------
    >                 www.hackersdigest.com
    >
    
    -- 
    



    This archive was generated by hypermail 2b30 : Wed Oct 17 2001 - 11:41:54 PDT