Re: pop3 exploit????

From: Edward Wong Hau Pepelu Tivrusky the 4th (sa7oriat_private)
Date: Wed Oct 17 2001 - 15:12:51 PDT


    I haven't been watching this thread closely enough, but exploits for qpop
    and several other pop3 servers abound. Published, I am not sure, but
    they do exist. That is all. Talk amongst yourselves. Thank you. Goodnight.
    
    On Wed, 17 Oct 2001, Brian O'Berry wrote:
    
    > That sounds like typical behavior for an inetd service protected by
    > tcp_wrappers, which is often how pop3 is configured.
    >
    > - Brian
    >
    > From: "leon" <leonat_private>
    > Subject: RE: pop3 exploit????
    > Date: Tue, 16 Oct 2001 15:20:18 -0400
    >
    > > Ok.  I have to apologize to everyone.  I was being a bonehead (what else
    > > is new?).  I was using super scanner and it would report 110 was open
    > > and guess it was pop3.  But riddle me this, batman (and woman): why is it
    > > when I try to telnet to the offending IPs that I connect but get no
    > > banner and after about 15 seconds it tells me connection lost.
    > >
    > > What does the group suggest I do now????
    > >
    > > -----Original Message-----
    > > From: theogat_private [mailto:theogat_private]
    > > Sent: Tuesday, October 16, 2001 7:12 PM
    > > To: John Thornton
    > > Cc: leon; vuln-devat_private
    > > Subject: Re: pop3 exploit????
    > >
    > >
    > > I agree with most of what's written below; here are some comments:
    > > I would run some kind of IDS software on the scanned machines just to know
    > > if these are just scans or is someone actually trying to hack. Snort from
    > > www.snort.org along with the arachNIDS ruleset from www.whitehats.com
    > > should do it...
    > >
    > > If indeed the attacker is just playing around, secure your systems as
    > > much as you can (I would try attacking my own systems to see if there is
    > > indeed somewhere they can strike).
    > >
    > > I don't know what the effect of sending an e-mail to abuseat_private will be
    > > but I assume it won't stop the attacks; what's more, the attacker might be
    > > using Trojans on innocent people's machines....
    > >
    > > If the attacker is a blackhat, you probably don't want to try and scan him
    > > or let him know in any way you are trying to track him down; the response
    > > will probably be (assuming he's already been in one of your systems...)
    > > attempts to try and erase any record that might turn up his identity...which
    > > might get quite ugly, and very painful for you. Even so called "script
    > > kiddies" with downloaded software from a "tripod hosted site" can do real
    > > damage, see http://grc.com/dos/grcdos.htm so think before you act...
    > >
    > > Good luck
    > > TheOg
    > >
    > >  On Mon, 15 Oct 2001, John Thornton wrote:
    > >
    > > > > I constantly get scanned for the usual services (21, 23, 80,
    > > > > 12345, 27374, etc, etc) and when I scan these systems back the only
    > > >
    > > > As we all do who takes the time to see who is hitting our boxes.
    > > >
    > > > > thing they have in common (as far as running services) is 110 pop3.
    > > >
    > > > One thing to look at is what pop3 daemon the server is running and what
    > > > version it is. I would check securityfocus.com and
    > > > http://icat.nist.gov/icat.cfm (the ICAT metabase). More often than not the
    > > > security hole used to exploit the other boxes is public. I would have to
    > > > argue that if it was an unknown pop3 daemon exploit they would most likely be
    > > > scanning your box for the same vulnerable service to exploit. So if the
    > > > addresses you have are blowing past 110 and looking at ports like 12345,
    > > > 27374 and other low level trojan backdoor attacks I would lean more towards
    > > > a coincidence that they have port 110 open.
    > > >
    > > > Now let's say they are all running a pop3 daemon like qpop (by the way I
    > > > could not connect to any of those ip addresses you posted on port 110) and
    > > > you can't find any known security holes for that version of qpop then in my
    > > > mind it would be worth it to grab that socket programming book and write a
    > > > little server that listens on port 110 and displays the same banner as the
    > > > rest of the attacking servers. Then sniff to see just what in the hell it is
    > > > doing.
    > > >
    > > > With that said, one of the things that I do as a Network Administrator is an
    > > > nslookup on each address that scans my network. This will tell you a lot
    > > > about who is attacking you.
    > > >
    > > > AC9699EE.ipt.aol.com
    > > > cha213245047041.chello.fr
    > > > ua-213-112-62-68.cust.bredbandsbolaget.se
    > > > 24-29-125-76.nyc.rr.com
    > > > pD4B894B3.dip.t-dialin.net
    > > > 500.POS2-0.SR3.SEA9.ALTER.NET
    > > > p13-0.iplvin1-br1.bbnplanet.net
    > > >
    > > > All of the addresses that scanned you (the ones you sent) belong to an ISP of
    > > > some sort. That in itself should tell you that these are low level
    > > > attackers. Most likely these ip addresses belonged to the attackers' home
    > > > computers. In that case what you should do (sadly not practiced enough by the
    > > > Network Admin Community) is to report them to abuseat_private and attach the
    > > > logs of the scan (make sure you include your time zone, source and
    > > > destination ports used) and let them take care of it. Most likely you and a
    > > > few dozen Network Administrators will report the same address and have Zero
    > > > Cool's service taken away. I have to say, there is nothing like drinking a
    > > > cup of coffee in the morning when checking your email to read that you played
    > > > a role in terminating one less script kid's ISP. I digress.
    > > >
    > > > Now, if these addresses translated into something like bob.com, ford.com,
    > > > etc... then that means you might be on to a real live hacker. These are
    > > > _always_ fun to help track down. In that case I would call the network admin
    > > > on the phone, since we would assume the box is owned by a hacker and most
    > > > likely the network admin's mail is being read.
    > > >
    > > > > like this.  I have no clue if these ips are static or dynamic.  This is
    > > >
    > > > Again, an nslookup will tell you a lot, such as if the attacker has a static
    > > > or dynamic address. These are all dynamic ip addresses.
    > > >
    > > > To sum everything up. Could this be some sort of sophisticated attack of
    > > > some unreported exploit to a pop3 daemon? Hardly. It looks to me like script
    > > > kids and their 'l33t' tools from some 'Hacking' site hosted by tripod. The
    > > > best thing you can do as a Network Administrator is to report these to abuse
    > > > of the ISP. However, if the anti-terrorism bill is passed (and it looks that
    > > > way) I would urge you not to. I know I won't. Getting script kids' service
    > > > turned off is one thing, having them sent to jail is another...
    > > >
    > > > John Thornton  -  jthorntonat_private
    > > > Editor in Chief
    > > > Hackers Digest -  www.hackersdigest.com
    > > >
    > > >
    > > >      H  A  C  K  E  R  '  S    D  I  G  E  S  T
    > > > --------------------------------------------------
    > > > Issue 2 comes out November 1st. Will you get it?
    > > > --------------------------------------------------
    > > >                 www.hackersdigest.com
    > > >
    > >
    > > --
    > >
    >
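John Thornton's suggestion in the quoted message above, a small server that listens on port 110 with a matching banner so you can see what the scanning hosts actually send, worked through as an added Python example that is not part of the original thread. It is a decoy rather than a mail server: it never authenticates anyone, answers every command with -ERR, drops idle clients, and records each session so it can be triaged as a bare connect, a login attempt, or an oversized argument. The banner text, the 256-byte threshold, and the probe() client used to exercise it locally are constructed for this example.

```python
"""Decoy POP3 listener (constructed example, not code from the thread): greets
with a POP3-style banner, logs every line a client sends, refuses every command,
and hangs up on QUIT or after an idle timeout."""
import socket
import threading
import time

# Assumed placeholder banner: substitute the greeting of the server the decoy
# should resemble so the same scanning tools treat it the same way.
BANNER = b"+OK POP3 server ready\r\n"
MAX_LINE = 1024       # longest input kept per line; the rest is truncated
IDLE_TIMEOUT = 15.0   # seconds without client input before the decoy hangs up


def classify(lines):
    """Coarse triage of one session from the lines the client sent."""
    if not lines:
        return "scan"              # connected, maybe read the banner, sent nothing
    if any(len(line) > 256 for line in lines):
        return "oversized-input"   # a long argument to a POP3 verb: worth a closer look
    verbs = {line.split(b" ", 1)[0].upper() for line in lines}
    return "login-attempt" if verbs & {b"USER", b"PASS", b"APOP"} else "other"


def handle_client(conn):
    """Serve one connection; returns the list of lines the client sent."""
    conn.settimeout(IDLE_TIMEOUT)
    session, buf = [], b""
    try:
        conn.sendall(BANNER)
        while True:
            chunk = conn.recv(4096)
            if not chunk:                  # client closed
                break
            buf += chunk
            while b"\n" in buf:
                line, buf = buf.split(b"\n", 1)
                session.append(line.rstrip(b"\r")[:MAX_LINE])
                if session[-1].upper().startswith(b"QUIT"):
                    conn.sendall(b"+OK bye\r\n")
                    return session
                conn.sendall(b"-ERR not available\r\n")
            if len(buf) > MAX_LINE:        # long blob with no newline: log it and stop
                session.append(buf[:MAX_LINE])
                return session
    except (socket.timeout, OSError):
        pass
    finally:
        conn.close()
    return session


def start_decoy(host="127.0.0.1", port=0, max_clients=1):
    """Serve max_clients connections in a daemon thread; returns (bound port, thread,
    sessions), where sessions fills with (peer, start time, lines) as clients finish.
    Port 0 lets the OS choose; a real decoy binds the scanned port (110 needs privileges)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    bound_port, sessions = srv.getsockname()[1], []

    def loop():
        try:
            for _ in range(max_clients):
                conn, addr = srv.accept()
                peer, started = "%s:%d" % addr, time.time()
                sessions.append((peer, started, handle_client(conn)))
        finally:
            srv.close()

    thread = threading.Thread(target=loop, daemon=True)
    thread.start()
    return bound_port, thread, sessions


def probe(port, payload=b"", host="127.0.0.1"):
    """Constructed client for the self-test: read the banner, send payload, return
    all replies. An empty payload acts like a bare scan: connect, banner, leave."""
    with socket.create_connection((host, port), timeout=5) as c:
        got = c.recv(4096)
        if payload:
            c.sendall(payload)
            while chunk := c.recv(4096):
                got += chunk
    return got


if __name__ == "__main__":
    port, thread, sessions = start_decoy(max_clients=2)
    print(probe(port, b"USER leon\r\nPASS guess\r\nQUIT\r\n").decode())
    probe(port)
    thread.join(timeout=10)
    for peer, started, lines in sessions:
        print(peer, classify(lines), lines)
```

Run as a script it talks to itself on a loopback port and prints the two recorded sessions, one classified as a login attempt and one as a bare scan. The per-line cap and the no-newline check matter for the third case the thread cares about: a client that sends one very long argument is logged and disconnected instead of being buffered indefinitely, and the recorded session is what you would compare against the advisories for the real daemon.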
    



    This archive was generated by hypermail 2b30 : Wed Oct 17 2001 - 17:45:00 PDT