Security Incidents mailing list archives
DoS/exploit affecting ipop3d???
From: Mikael Fors <mf () MORADATORER SE>
Date: Thu, 22 Feb 2001 09:05:15 +0100
Last Monday, one of my customer's Linux boxes running on their site started to behave very strangely. I didn't trust this behaviour, so I put the box offline and installed the spare, properly patched machine instead, to be able to have a forensically fresh copy of the machine. I also dd'ed partition images to a couple of 2GB Jaz disks and verified the mountability of the images on other boxes.
From the maillog (servers ip and domain removed):
<until now everything worked like a charm>
Feb 12 04:45:38 ns ipop3d[19033]: Login user=eje93n130 host=pc62.nnnnnnnnnn.nnn [192.168.130.62] nmsgs=0/0
Feb 12 04:45:38 ns ipop3d[19033]: Logout user=eje93n130 host=pc62.nnnnnnnnnn.nnn [192.168.130.62] nmsgs=0 ndele=0
Feb 12 04:49:07 ns ipop3d[19034]: pop3 service init from nnn.nn.nnn.nnn
Feb 12 04:49:07 ns ipop3d[19034]: Command stream end of file while reading line user=??? host=UNKNOWN
Feb 12 04:50:41 ns ipop3d[19035]: pop3 service init from nnn.nn.nnn.nnn
Feb 12 04:52:01 ns ipop3d[19035]: Command stream end of file while reading line user=??? host=[192.168.130.45]
Feb 12 04:53:28 ns ipop3d[19038]: pop3 service init from nnn.nn.nnn.nnn
Feb 12 04:53:28 ns ipop3d[19038]: Broken pipe while reading line user=??? host=UNKNOWN
Feb 12 04:53:56 ns ipop3d[19039]: pop3 service init from nnn.nn.nnn.nnn
Feb 12 04:55:16 ns ipop3d[19039]: Command stream end of file while reading line user=??? host=[192.168.130.154]
Feb 12 04:58:13 ns ipop3d[19040]: pop3 service init from nnn.nn.nnn.nnn
Feb 12 04:58:13 ns ipop3d[19040]: Command stream end of file while reading line user=??? host=UNKNOWN
Feb 12 05:00:12 ns ipop3d[19041]: pop3 service init from nnn.nn.nnn.nnn
Feb 12 05:00:12 ns ipop3d[19041]: Command stream end of file while reading line user=??? host=UNKNOWN
Feb 12 05:04:14 ns ipop3d[19046]: pop3 service init from nnn.nn.nnn.nnn
Feb 12 05:04:14 ns ipop3d[19046]: Command stream end of file while reading line user=??? host=UNKNOWN
Feb 12 05:06:41 ns ipop3d[19047]: pop3 service init from nnn.nn.nnn.nnn
<now the pop3d is completely unresponsive and no connects can be made>

Got no pre-warning from snort, and the traffic logger can't find any evidence of strange behaviour in any log. The strange thing is that about 2 hours later, users on another private subnet (which is supposed to be able to fetch/send mail through this server) seem to be able to connect, even though the pop3 server is dead????
Feb 12 07:50:22 ns ipop3d[19162]: Command stream end of file while reading line user=??? host=[192.168.130.154]
Feb 12 07:50:40 ns ipop3d[19164]: pop3 service init from 192.168.130.100
Feb 12 07:50:59 ns ipop3d[19161]: Login user=jan67p8 host=[192.168.8.163] nmsgs=0/0
Feb 12 07:50:59 ns ipop3d[19161]: Logout user=jan67p8 host=[192.168.8.163] nmsgs=0 ndele=0
Feb 12 07:52:00 ns ipop3d[19164]: Login user=per68p8 host=[192.168.8.165] nmsgs=0/0
Feb 12 07:52:00 ns ipop3d[19164]: Logout user=per68p8 host=[192.168.8.165] nmsgs=0 ndele=0
Feb 12 07:52:27 ns ipop3d[19168]: pop3 service init from 192.168.130.100
Feb 12 07:52:44 ns ipop3d[19169]: pop3 service init from 192.168.130.100
Feb 12 07:53:31 ns ipop3d[19167]: pop3 service init from nnn.nn.nnn.nnn

The machine was running Sendmail 8.11.0 and, AFAIK, a tight and utterly stripped RH6.2 patched to the ears when this happened. Tripwire doesn't say anything is changed, or missing checksum..... (databases stored on Jaz disks)

Is there a known attack affecting ipop3d? Or is it just me being paranoid (sysadms should be, especially when hired in to do a job like I am)?

Yours
Mikael Fors
Networked Systems Professional
Mora Datorer AB
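The pattern the poster is reading by eye in the maillog above (a run of "pop3 service init" entries that end in "Command stream end of file" or "Broken pipe" with user=???, i.e. connections that never authenticate, followed by a session that never ends once the daemon stops responding) can be checked mechanically. The script below is an added example written for this archive page; it is not code from the original post or from the ipop3d/UW-IMAP project. It assumes the syslog line layout exactly as quoted in the post, assumes the year 2001 (syslog timestamps carry no year), keys sessions by the ipop3d PID in brackets (adequate for a short excerpt; PID reuse in a long log would need the init timestamp in the key), and uses the quoted log lines themselves as its sample input. The window sizes and thresholds are illustrative choices, not values from the post.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Sample input: lines copied from the maillog quoted in the post above.
SAMPLE_LOG = """\
Feb 12 04:45:38 ns ipop3d[19033]: Login user=eje93n130 host=pc62.nnnnnnnnnn.nnn [192.168.130.62] nmsgs=0/0
Feb 12 04:45:38 ns ipop3d[19033]: Logout user=eje93n130 host=pc62.nnnnnnnnnn.nnn [192.168.130.62] nmsgs=0 ndele=0
Feb 12 04:49:07 ns ipop3d[19034]: pop3 service init from nnn.nn.nnn.nnn
Feb 12 04:49:07 ns ipop3d[19034]: Command stream end of file while reading line user=??? host=UNKNOWN
Feb 12 04:50:41 ns ipop3d[19035]: pop3 service init from nnn.nn.nnn.nnn
Feb 12 04:52:01 ns ipop3d[19035]: Command stream end of file while reading line user=??? host=[192.168.130.45]
Feb 12 04:53:28 ns ipop3d[19038]: pop3 service init from nnn.nn.nnn.nnn
Feb 12 04:53:28 ns ipop3d[19038]: Broken pipe while reading line user=??? host=UNKNOWN
Feb 12 04:53:56 ns ipop3d[19039]: pop3 service init from nnn.nn.nnn.nnn
Feb 12 04:55:16 ns ipop3d[19039]: Command stream end of file while reading line user=??? host=[192.168.130.154]
Feb 12 04:58:13 ns ipop3d[19040]: pop3 service init from nnn.nn.nnn.nnn
Feb 12 04:58:13 ns ipop3d[19040]: Command stream end of file while reading line user=??? host=UNKNOWN
Feb 12 05:00:12 ns ipop3d[19041]: pop3 service init from nnn.nn.nnn.nnn
Feb 12 05:00:12 ns ipop3d[19041]: Command stream end of file while reading line user=??? host=UNKNOWN
Feb 12 05:04:14 ns ipop3d[19046]: pop3 service init from nnn.nn.nnn.nnn
Feb 12 05:04:14 ns ipop3d[19046]: Command stream end of file while reading line user=??? host=UNKNOWN
Feb 12 05:06:41 ns ipop3d[19047]: pop3 service init from nnn.nn.nnn.nnn
"""

# Syslog envelope as quoted in the post: "<Mon DD HH:MM:SS> <host> ipop3d[<pid>]: <msg>"
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"ipop3d\[(?P<pid>\d+)\]: (?P<msg>.*)$")
INIT_RE = re.compile(r"^pop3 service init from (?P<src>\S+)$")
LOGIN_RE = re.compile(r"^Login user=(?P<user>\S+) host=(?P<host>.*?) nmsgs=")
ABORT_RE = re.compile(r"^(?P<reason>Command stream end of file|Broken pipe) "
                      r"while reading line user=(?P<user>\S+) host=(?P<peer>\S+)$")


@dataclass
class Session:
    pid: str
    started: Optional[datetime] = None
    src: Optional[str] = None        # address from the "service init" line
    peer: Optional[str] = None       # host= field of the line that ended the session
    user: Optional[str] = None
    logged_in: bool = False
    ended: Optional[datetime] = None
    reason: Optional[str] = None     # "Logout", "Command stream end of file", "Broken pipe"


def parse_sessions(text: str, year: int = 2001) -> Dict[str, Session]:
    """Reassemble per-PID ipop3d sessions from syslog lines (assumed year, since syslog has none)."""
    sessions: Dict[str, Session] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not an ipop3d line; ignore
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        s = sessions.setdefault(m["pid"], Session(m["pid"]))
        msg = m["msg"]
        if (im := INIT_RE.match(msg)):
            s.started, s.src = ts, im["src"]
        elif (lm := LOGIN_RE.match(msg)):
            s.user, s.logged_in, s.peer = lm["user"], True, lm["host"]
            s.started = s.started or ts  # excerpt may begin after the init line
        elif msg.startswith("Logout "):
            s.ended, s.reason = ts, "Logout"
        elif (am := ABORT_RE.match(msg)):
            s.ended, s.reason, s.peer = ts, am["reason"], am["peer"]
    return sessions


def preauth_aborts(sessions: Dict[str, Session]) -> List[Session]:
    """Sessions torn down by EOF/broken pipe before any successful Login."""
    return [s for s in sessions.values() if s.reason and s.reason != "Logout" and not s.logged_in]


def hung_sessions(sessions: Dict[str, Session]) -> List[Session]:
    """Sessions with an init line but no Logout or abort: what a stuck daemon leaves behind."""
    return [s for s in sessions.values() if s.started and s.ended is None]


def aborts_by_peer(sessions: Dict[str, Session]) -> Dict[str, int]:
    return dict(Counter(s.peer for s in preauth_aborts(sessions)))


def max_aborts_in_window(sessions: Dict[str, Session], window_minutes: int) -> int:
    """Largest number of pre-auth aborts whose end times fall within one sliding window."""
    times = sorted(s.ended for s in preauth_aborts(sessions))
    best = j = 0
    for i in range(len(times)):
        while j < len(times) and (times[j] - times[i]).total_seconds() <= window_minutes * 60:
            j += 1
        best = max(best, j - i)
    return best


if __name__ == "__main__":
    sess = parse_sessions(SAMPLE_LOG)
    print("pre-auth aborts:", [s.pid for s in preauth_aborts(sess)])
    print("by peer:", aborts_by_peer(sess))
    print("max aborts in 15 min:", max_aborts_in_window(sess, 15))
    print("sessions never closed:", [s.pid for s in hung_sessions(sess)])
```

Run against the quoted excerpt, the script isolates the seven unauthenticated teardowns between 04:49 and 05:04 and the single session (PID 19047) that never closed, which is the point at which the post reports the daemon stopped answering. Fed the whole maillog, a threshold on the windowed count (for example, more than five pre-auth aborts in fifteen minutes from a source that never logs in) is the kind of alert the poster says snort and the traffic logger did not raise.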
Current thread:
- DoS/exploit affecting ipop3d??? Mikael Fors (Feb 22)
- Re: DoS/exploit affecting ipop3d??? [Revised with new info] Mikael Fors (Feb 23)