Firewall Wizards mailing list archives

Re: UDP Port 137 - Now TCP 143


From: davidg () genmagic com (David Gillett)
Date: Tue, 9 Feb 1999 12:51:57 -0800

On 6 Feb 99, at 22:32, Bill_Royds () pch gc ca wrote:

John Burgess asked:

Thanks to all who responded regarding UDP port 137.  I learned some
interesting facts.  I got a new one this morning.  Does anyone know why
would someone/something be hitting TCP port 143?  This was at 2:30 AM from
bay-030-b5.codetel.net.do (206.105.238.30 - Dominican Republic - a
router?) Protocol=TCP Port 2734->143?

JB

  Port 143/tcp is IMAP. There are several known vulnerabilities with
some IMAP servers that he may be trying to exploit.

  Just about every time I've seen someone try port 143, one of two other 
things was true: 

1.  The same machine also tried port 110 (POP3).  The user is trying to 
retrieve email, possibly from the wrong server (either mistyped server 
name/IP, or misunderstood scope of service provided).

2.  The same machine tried ports 23 (telnet) and 635 (mountd), and 
usually a couple of others as well.  I've seen this ten times now, five 
in November and five in 1999.  In the cases where I reached an admin
of the source machine, it always turned out to be a Linux box; on one 
occasion, it was also launching "land" DoS attacks against Windows 
servers.  The reference to port 635 may relate to CERT advisory 98-12, 
regarding an unsecured configuration of mountd that Red Hat, at least, 
installs as the default.


David Gillett
Network Security Engineer
General Magic, Inc (operators of portico.net)
davidg () genmagic com
(408) 774-4384
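The two patterns David describes (IMAP plus POP3 from a misdirected mail client, versus IMAP alongside telnet and mountd from a scanning host) lend themselves to a small triage script over firewall logs. The following is an added example written for this archive page, not code from any poster. The log line layout (timestamp, source address, then the "Protocol=TCP Port 2734->143" fragment John quoted) and the sample addresses are assumptions constructed for the demonstration.

```python
"""Group firewall log entries by source host and apply the two
observations from the post to the set of TCP ports each host touched.
Example code added to this page; the log format and the sample entries
below are constructed, not taken from the thread."""

import re
from collections import defaultdict

# Constructed sample log lines (documentation-range addresses, not real traffic).
# Assumed layout: "<date> <time> <source-host> Protocol=<proto> Port <sport>-><dport>"
SAMPLE_LOG = """\
1999-02-06 02:30:11 198.51.100.7 Protocol=TCP Port 2734->143
1999-02-06 02:30:12 198.51.100.7 Protocol=TCP Port 2735->110
1999-02-06 03:14:02 203.0.113.9 Protocol=TCP Port 1040->143
1999-02-06 03:14:02 203.0.113.9 Protocol=TCP Port 1041->23
1999-02-06 03:14:03 203.0.113.9 Protocol=TCP Port 1042->635
1999-02-06 03:14:03 203.0.113.9 Protocol=TCP Port 1043->111
1999-02-06 04:00:00 192.0.2.50 Protocol=UDP Port 137->137
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>\S+) Protocol=(?P<proto>\w+) "
    r"Port (?P<sport>\d+)->(?P<dport>\d+)$"
)

IMAP, POP3, TELNET, MOUNTD = 143, 110, 23, 635


def parse_log(text):
    """Return {source_host: set of (protocol, destination_port)} for
    every line that matches the assumed layout; other lines are skipped."""
    hits = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            hits[m["src"]].add((m["proto"].upper(), int(m["dport"])))
    return hits


def classify(tcp_ports):
    """Apply the post's two observations to one host's set of TCP ports."""
    if IMAP not in tcp_ports:
        return "no-imap-probe"
    if tcp_ports & {TELNET, MOUNTD}:
        # Pattern 2: IMAP together with telnet and/or mountd (usually plus
        # a few others) is the signature David attributes to a scanning host.
        return "service-scan"
    if POP3 in tcp_ports:
        # Pattern 1: IMAP and POP3 only looks like a mail client pointed at
        # the wrong server (mistyped name/IP or misunderstood service scope).
        return "probable-mail-client"
    return "imap-only"


def triage(text):
    """Map each source host in the log text to its classification."""
    hits = parse_log(text)
    return {
        src: classify({port for proto, port in ports if proto == "TCP"})
        for src, ports in sorted(hits.items())
    }


if __name__ == "__main__":
    for src, verdict in triage(SAMPLE_LOG).items():
        print(f"{src:16} {verdict}")
```

The "probable-mail-client" verdict is the one worth a polite note to the source's admin rather than an incident ticket; "service-scan" is the case where, as David did, it is worth reaching the admin of the source host because the machine itself may be compromised.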


