Hi Leon,

The most likely explanation is that the service is 'wrapped' using something like TCPD/XINETD and has an access list that excludes remote connections (or at least yours). The wrapper validates the access list first and if denied, drops the connection, the actual service daemon is not launched in this case, hence no banner. Some sysadmins also "booby-trap" the deny phase so that it gathers additional info about the system connecting (running finger, dig, rusers, queso and mails the results to them).

If you have access to a Linux box, have a look in /etc/inetd.conf and see if you have any tcpd entries similar to the following:

    ftp stream tcp nowait root /usr/sbin/tcpd wu.ftpd -a

The rules are held in /etc/hosts.allow and /etc/hosts.deny.

xinetd, which is a nice replacement for inetd, incorporates the functionality of tcpd into the daemon and the access rules into /etc/xinetd.conf.

There isn't anything you can "do" as such, service wrapping is designed as another layer in the security model to keep out unwanted users and provide an audit trail for service execution.

Rgds,
Simon

-----Original Message-----
From: leon [mailto:leonat_private]
Sent: Tuesday, October 16, 2001 21:20
To: theogat_private; 'John Thornton'
Cc: vuln-devat_private
Subject: RE: pop3 exploit????

Ok. I have to apologize to everyone. I was being a bonehead (what else is new?). I was using super scanner and it would report 110 was open and guess it was pop3. But riddle me this batman (and woman) why is it when I try to telnet to the offending IPs that I connect but get no banner and after about 15 seconds it tells me connection lost.
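
Added example (not part of the original message or thread): a Python sketch of the check described in the reply above, listing which inetd.conf services run behind tcpd and applying the hosts.allow-then-hosts.deny order to a client address. The sample files, the ipop3d entry and the addresses are constructed, and only ALL, exact and address-prefix patterns are handled.

```python
# Constructed sample files: only the ftp line comes from the message above.
INETD_CONF = """\
ftp    stream tcp nowait root /usr/sbin/tcpd wu.ftpd -a
pop-3  stream tcp nowait root /usr/sbin/tcpd ipop3d
time   stream tcp nowait root internal
"""
HOSTS_ALLOW = "ipop3d: 192.0.2.\nwu.ftpd: 192.0.2.10\n"
HOSTS_DENY = "ALL: ALL\n"

def wrapped_services(inetd_conf):
    """Map service name -> daemon name for entries launched through tcpd."""
    found = {}
    for line in inetd_conf.splitlines():
        # Fields: service, socket type, protocol, wait flag, user, server, argv...
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 7 and fields[5].endswith("/tcpd"):
            found[fields[0]] = fields[6].rsplit("/", 1)[-1]
    return found

def _client_matches(pattern, client):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):  # address prefix such as "192.0.2."
        return client.startswith(pattern)
    return pattern == client

def _rule_hits(rules, daemon, client):
    for line in rules.splitlines():
        line = line.split("#", 1)[0]
        if ":" not in line:
            continue
        daemons, clients = (part.replace(",", " ").split() for part in line.split(":")[:2])
        if any(d in ("ALL", daemon) for d in daemons) and any(
            _client_matches(c, client) for c in clients
        ):
            return True
    return False

def tcpd_decision(daemon, client, hosts_allow, hosts_deny):
    """hosts.allow is consulted first, then hosts.deny; no match means allow."""
    if _rule_hits(hosts_allow, daemon, client):
        return "allow"
    if _rule_hits(hosts_deny, daemon, client):
        return "deny"
    return "allow"

if __name__ == "__main__":
    for service, daemon in wrapped_services(INETD_CONF).items():
        print(service, daemon, tcpd_decision(daemon, "198.51.100.7", HOSTS_ALLOW, HOSTS_DENY))
```

A "deny" result here corresponds to the behaviour in the question: the TCP connection is accepted, the wrapper drops it, and the real daemon never starts to send a banner.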
This archive was generated by hypermail 2b30 : Thu Oct 18 2001 - 09:50:13 PDT