RE: pop3 exploit????

From: Kaneda Akira (k_anedaat_private)
Date: Wed Oct 17 2001 - 02:48:49 PDT

  • Next message: Jay D. Dyson: "Re: Time-to-patch vs Disclosure method"

    Try initiating a pop3 session instead, that server may have the banner
    turned off for security reasons *grin*
    
    ---
    Kaneda Akira
    ICQ#49107701
    Email: k_anedaat_private
    --
    That's why we spend so much time trying to understand our own
    motivations and those of others.  That's what makes life so
    interesting.
        -- Kaji, Evangelion Ep 18
    
    On Tue, 16 Oct 2001, leon wrote:
    
    > Date: Tue, 16 Oct 2001 15:20:18 -0400
    > From: leon <leonat_private>
    > To: theogat_private, 'John Thornton' <jthorntonat_private>
    > Cc: vuln-devat_private
    > Subject: RE: pop3 exploit????
    > 
    > Ok.  I have to apologize to everyone.  I was being a bonehead (what else
    > is new?).  I was using super scanner and it would report 110 was open
    > and guess it was pop3.  But riddle me this batman(and woman) why is it
    > when I try to telnet to the offending ip's that I connect but get no
    > banner and after about 15 seconds it tells me connection lost.
    > 
    > What does the group suggest I do now????
    > 
    > -----Original Message-----
    > From: theogat_private [mailto:theogat_private] 
    > Sent: Tuesday, October 16, 2001 7:12 PM
    > To: John Thornton
    > Cc: leon; vuln-devat_private
    > Subject: Re: pop3 exploit????
    > 
    > 
    > I agree with most of what's written below here are some comments:
    > I would run some kind of IDS software on the scanned machines just to
    > know
    > if these are just scans or is someone actually trying to hack  snort
    > from
    > www.snort.org along with the arachNIDS ruleset from www.whitehats.com
    > should do it...
    > 
    > If indeed the attacker is just playing around , secure your systems as
    > much as you can ( I  would try attacking my own systems see if there is
    > indeed somewhere they can strike) .
    > 
    > I don't know what the effect of sending an e-mail to abuseat_private will
    > be
    > but I assume it wont stop the attacks, what more , the attacker might be
    > using Trojans on innocent people's machines....
    > 
    > If the attacker is a blackhat , you probably don't want to try and scan
    > him
    > or let him know in anyway you are trying to track him down , the
    > response
    > will probably be (assuming he's already been in one of your systems...)
    > attempts to try and erase any record that might turn his
    > identity...which
    > might get quite ugly, and very painful for you. even so called "script
    > kiddies" with downloaded software from a "tripod hosted site" can do
    > real
    > damage , see http://grc.com/dos/grcdos.htm so think before you act...
    > 
    > Good luck
    > TheOg
    > 
    >  On Mon, 15 Oct 2001, John Thornton wrote:
    > 
    > > > I constantly get scanned for the usual services (21, 23, 80,
    > > > 12345, 27374, etc, etc) and when I scan these systems back the only
    > >
    > > As we all do who takes the time to see who is hitting our boxes.
    > >
    > > > thing they have in common (as far as running services) is 110 pop3.
    > >
    > > One thing to look at is what pop3 daemon the server is running and
    > what
    > > version it is. I would check securityfocus.com and
    > > http://icat.nist.gov/icat.cfm ( The icat metabase). More often then
    > not the
    > > security hole used to exploit the other boxes ispublic. I would have
    > to
    > > argue that if it was a unknown pop3 daemon exploit they would most
    > likely be
    > > scanning your box for the same vulnerable service to exploit. So if
    > the
    > > address you have are blowing pass 110 and looking at ports like
    > 12345,
    > > 27374 and other low level trojan backdoor attacks I would lean more
    > towards
    > > a coincidence that they have port 110 open.
    > >
    > > Now lets say they are all running a pop3 daemon like qpop ( By the way
    > I
    > > could not connect to any of those ip address you posted on port 110 )
    > and
    > > you can't find any known security holes for that version of qpop then
    > in my
    > > mind it would be worth it to grab that socket programming book and
    > write a
    > > little server that listens on port 110 and displays the same banner as
    > the
    > > rest of the attacking servers. Then sniff to see just what in the hell
    > it is
    > > doing.
    > >
    > > With that said, one of the things that I do as a Network Administrator
    > is a
    > > nslookup on each address that scans my network. This will tell you a
    > lot
    > > about who is attacking you.
    > >
    > > AC9699EE.ipt.aol.com
    > > cha213245047041.chello.fr
    > > ua-213-112-62-68.cust.bredbandsbolaget.se
    > > 24-29-125-76.nyc.rr.com
    > > pD4B894B3.dip.t-dialin.net
    > > 500.POS2-0.SR3.SEA9.ALTER.NET
    > > p13-0.iplvin1-br1.bbnplanet.net
    > >
    > > All of the address that scanned you ( The ones you sent ) belong to a
    > isp of
    > > some sort. That in it self should tell you that these are low level
    > > attackers. Most likely these ip address belonged to the attackers home
    > > computer. In that case what you should do (Sadly not practice enough
    > by the
    > > Network Admin Community) is to report them to abuseat_private and attach
    > the
    > > logs of the scan (Make sure you include your time zone, source and
    > > destination ports used) and let them take care of it. Most likely you
    > and a
    > > few dozen Network Administrators will report the same address and have
    > Zero
    > > Cool's service taken away. I have to say, there is nothing like
    > drinking a
    > > cup a coffee in the morning when checking your email to read that you
    > played
    > > a role in terminating one less script kids isp. I digress.
    > >
    > > Now, if these address translated into something like bob.com,
    > ford.com,
    > > etc... then that means you might be on to a real live hacker. These
    > are
    > > _always_ fun to help track down. In that case I would call the network
    > admin
    > > on the phone, since we would assume the box is owned by a hacker and
    > most
    > > likely the network admin's mail is being read.
    > >
    > > > like this.  I have no clue if these ips are static or dynamic.  This
    > is
    > >
    > > Again, a nslookup will tell you a lot, such as if the attacker has a
    > static
    > > or dynamic address. These are all dynamic ip address.
    > >
    > > To sum everything up. Could this be some sort of sophisticated attack
    > of
    > > some unreported exploit to a pop3 daemon? Hardly. It looks to me like
    > script
    > > kids and there 'l33t' tools from some 'Hacking' site hosted by tripod.
    > The
    > > best thing you can do as a Network Administrator is to report these to
    > abuse
    > > of the isp. However, if the anti-terrorism bill is passed (and it
    > looks that
    > > way) I would urge you not to. I know I wont. Getting script kids
    > service
    > > turn off is one thing, having them sent to jail is another...
    > >
    > > John Thornton  -  jthorntonat_private
    > > Editor in Chief
    > > Hackers Digest -  www.hackersdigest.com
    > >
    > >
    > >      H  A  C  K  E  R  '  S    D  I  G  E  S  T
    > > --------------------------------------------------
    > > Issue 2 comes out November 1st. Will you get it?
    > > --------------------------------------------------
    > >                 www.hackersdigest.com
    > >
    > >
    > >
    > >
    > >
    > >
    > 
    > -- 
    > 
    > 
    



    This archive was generated by hypermail 2b30 : Wed Oct 17 2001 - 19:04:17 PDT