That sounds like typical behavior for an inetd service protected by tcp_wrappers, which is often how pop3 is configured.

- Brian

From: "leon" <leonat_private>
Subject: RE: pop3 exploit????
Date: Tue, 16 Oct 2001 15:20:18 -0400

> Ok. I have to apologize to everyone. I was being a bonehead (what else
> is new?). I was using super scanner and it would report 110 was open
> and guess it was pop3. But riddle me this, batman (and woman): why is it
> when I try to telnet to the offending IPs that I connect but get no
> banner, and after about 15 seconds it tells me connection lost?
>
> What does the group suggest I do now????
>
> -----Original Message-----
> From: theogat_private [mailto:theogat_private]
> Sent: Tuesday, October 16, 2001 7:12 PM
> To: John Thornton
> Cc: leon; vuln-devat_private
> Subject: Re: pop3 exploit????
>
>
> I agree with most of what's written below; here are some comments:
> I would run some kind of IDS software on the scanned machines just to know
> if these are just scans or if someone is actually trying to hack. Snort from
> www.snort.org along with the arachNIDS ruleset from www.whitehats.com
> should do it...
>
> If indeed the attacker is just playing around, secure your systems as
> much as you can (I would try attacking my own systems to see if there is
> indeed somewhere they can strike).
>
> I don't know what the effect of sending an e-mail to abuseat_private will be,
> but I assume it won't stop the attacks; what's more, the attacker might be
> using Trojans on innocent people's machines....
>
> If the attacker is a blackhat, you probably don't want to try and scan him
> or let him know in any way you are trying to track him down; the response
> will probably be (assuming he's already been in one of your systems...)
> attempts to try and erase any record that might turn up his identity...which
> might get quite ugly, and very painful for you.
> Even so-called "script kiddies" with downloaded software from a "tripod hosted site" can do real
> damage, see http://grc.com/dos/grcdos.htm so think before you act...
>
> Good luck
> TheOg
>
> On Mon, 15 Oct 2001, John Thornton wrote:
>
> > > I constantly get scanned for the usual services (21, 23, 80,
> > > 12345, 27374, etc, etc) and when I scan these systems back the only
> >
> > As we all do who take the time to see who is hitting our boxes.
> >
> > > thing they have in common (as far as running services) is 110 pop3.
> >
> > One thing to look at is what pop3 daemon the server is running and what
> > version it is. I would check securityfocus.com and
> > http://icat.nist.gov/icat.cfm (the icat metabase). More often than not the
> > security hole used to exploit the other boxes is public. I would have to
> > argue that if it was an unknown pop3 daemon exploit they would most likely be
> > scanning your box for the same vulnerable service to exploit. So if the
> > addresses you have are blowing past 110 and looking at ports like 12345,
> > 27374 and other low level trojan backdoor attacks I would lean more towards
> > a coincidence that they have port 110 open.
> >
> > Now let's say they are all running a pop3 daemon like qpop (by the way I
> > could not connect to any of those ip addresses you posted on port 110) and
> > you can't find any known security holes for that version of qpop, then in my
> > mind it would be worth it to grab that socket programming book and write a
> > little server that listens on port 110 and displays the same banner as the
> > rest of the attacking servers. Then sniff to see just what in the hell it is
> > doing.
> >
> > With that said, one of the things that I do as a Network Administrator is a
> > nslookup on each address that scans my network. This will tell you a lot
> > about who is attacking you.
> >
> > AC9699EE.ipt.aol.com
> > cha213245047041.chello.fr
> > ua-213-112-62-68.cust.bredbandsbolaget.se
> > 24-29-125-76.nyc.rr.com
> > pD4B894B3.dip.t-dialin.net
> > 500.POS2-0.SR3.SEA9.ALTER.NET
> > p13-0.iplvin1-br1.bbnplanet.net
> >
> > All of the addresses that scanned you (the ones you sent) belong to an isp of
> > some sort. That in itself should tell you that these are low level
> > attackers. Most likely these ip addresses belonged to the attacker's home
> > computer. In that case what you should do (sadly not practiced enough by the
> > Network Admin Community) is to report them to abuseat_private and attach the
> > logs of the scan (make sure you include your time zone, source and
> > destination ports used) and let them take care of it. Most likely you and a
> > few dozen Network Administrators will report the same address and have Zero
> > Cool's service taken away. I have to say, there is nothing like drinking a
> > cup of coffee in the morning when checking your email to read that you played
> > a role in terminating one less script kid's isp. I digress.
> >
> > Now, if these addresses translated into something like bob.com, ford.com,
> > etc... then that means you might be on to a real live hacker. These are
> > _always_ fun to help track down. In that case I would call the network admin
> > on the phone, since we would assume the box is owned by a hacker and most
> > likely the network admin's mail is being read.
> >
> > > like this. I have no clue if these ips are static or dynamic. This is
> >
> > Again, a nslookup will tell you a lot, such as if the attacker has a static
> > or dynamic address. These are all dynamic ip addresses.
> >
> > To sum everything up. Could this be some sort of sophisticated attack of
> > some unreported exploit to a pop3 daemon? Hardly. It looks to me like script
> > kids and their 'l33t' tools from some 'Hacking' site hosted by tripod.
> > The best thing you can do as a Network Administrator is to report these to abuse
> > of the isp. However, if the anti-terrorism bill is passed (and it looks that
> > way) I would urge you not to. I know I won't. Getting script kids' service
> > turned off is one thing, having them sent to jail is another...
> >
> > John Thornton - jthorntonat_private
> > Editor in Chief
> > Hackers Digest - www.hackersdigest.com
> >
> >
> > H A C K E R ' S   D I G E S T
> > --------------------------------------------------
> > Issue 2 comes out November 1st. Will you get it?
> > --------------------------------------------------
> > www.hackersdigest.com
>
> --
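The small listener John suggests in the thread, written here as an added example and not code from anyone in it: a fake POP3 service that sends a banner, refuses every command with -ERR so the client learns nothing, and logs what each peer sends with the PASS argument redacted. The banner text is a constructed assumption; binding port 110 needs root, so a high port with a firewall redirect is the usual way to run it.

```python
import io, logging, socket, socketserver

BANNER = b"+OK POP3 server ready\r\n"   # constructed; a real qpop banner differs

def parse_command(line):
    # One raw POP3 line -> (VERB, args); PASS args are redacted so credentials never hit the log.
    parts = line.rstrip(b"\r\n").decode("ascii", "replace").split(None, 1)
    verb = parts[0].upper() if parts else ""
    args = parts[1] if len(parts) > 1 else ""
    return (verb, "<redacted>" if verb == "PASS" else args)

def handle_session(rfile, wfile, log=None, max_commands=20):
    # Banner, then -ERR to everything; stop on QUIT or the cap. Returns the (VERB, args) pairs seen.
    wfile.write(BANNER)
    seen = []
    for _ in range(max_commands):
        wfile.flush()
        line = rfile.readline()
        if not line:            # peer closed the connection
            break
        verb, args = parse_command(line)
        seen.append((verb, args))
        if log:
            log(verb, args)     # log as we go, so a timed-out session still leaves a record
        if verb == "QUIT":
            wfile.write(b"+OK bye\r\n")
            break
        wfile.write(b"-ERR unavailable\r\n")
    wfile.flush()
    return seen

def run_session_on_bytes(client_data):
    # Offline replay from constructed client bytes: (commands seen, bytes sent back).
    out = io.BytesIO()
    return handle_session(io.BytesIO(client_data), out), out.getvalue()

class Pop3Honeypot(socketserver.StreamRequestHandler):
    timeout = 30                # seconds of silence before the socket raises and the session ends
    def handle(self):
        peer = "%s:%d" % self.client_address[:2]
        try:
            handle_session(self.rfile, self.wfile,
                           lambda v, a: logging.info("%s %s %s", peer, v, a))
        except (socket.timeout, ConnectionError):
            logging.info("%s session dropped", peer)

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
    with socketserver.ThreadingTCPServer(("0.0.0.0", 110), Pop3Honeypot) as srv:
        srv.serve_forever()
```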
This archive was generated by hypermail 2b30 : Wed Oct 17 2001 - 14:48:17 PDT