Nmap Announce mailing list archives

RE: XXXX frequent check output (fwd)


From: "Dragos Ruiu" <dr () v-wave com>
Date: Wed, 10 Feb 1999 11:33:58 -0800

I dismissed it yesterday, but now I'm thinking twice...

Just to add some paranoia to the fire, in the last
two days, loggers picked up three imap-destined scans
of all the hosts of my particular neck of the
address space.  They were scans because they
eventually hit all the servers from the same
source in a small time period, and they sent
traffic only to the imap port, even on servers
that have no business talking imap or have
the imap port closed.  Methinks there's a new
exploit floating around.  Man the firewalls... :-)
Or at least have a double-check of your
logs of imap traffic.

--dr

-----Original Message-----
From: ark () eltex ru [mailto:ark () eltex ru]
Sent: Wednesday, February 10, 1999 2:29 AM
To: nmap-hackers () insecure org
Cc: bugtraq () netspace org
Subject: XXXX frequent check output (fwd)


-----BEGIN PGP SIGNED MESSAGE-----

nuqneH,

Does anybody know what it all means? Looks like a new scan to me..
How is it expected to work?
imap as destination, weird source port and flags..

No other "strange" packets arrived as OS type checkers do.


- -- Begin forwarded message ---
XXXX frequent check output for period since Feb 10 10:11 to Feb 10 11:10

Security Warnings summary
=-=-=-=-=-=-=-=-=-=-=-=-=
Feb 10 10:35:54 XXXX /kernel: securitywarning: orphan TCP packet on x.y.z.17:143 from 202.40.17.1:65535 flags 0x3<FIN,SYN>
Feb 10 10:35:54 XXXX /kernel: securitywarning: orphan TCP packet on x.y.z.25:143 from 202.40.17.1:65535 flags 0x3<FIN,SYN>
Feb 10 10:35:54 XXXX /kernel: securitywarning: orphan TCP packet on x.y.z.29:143 from 202.40.17.1:65535 flags 0x3<FIN,SYN>
Feb 10 10:35:54 XXXX /kernel: securitywarning: orphan TCP packet on x.y.z.27:143 from 202.40.17.1:65535 flags 0x3<FIN,SYN>

- -- End forwarded message ---
                                     _     _  _  _  _      _  _
 {::} {::} {::}  CU in Hell          _| o |_ | | _|| |   / _||_|   |_ |_ |_
 (##) (##) (##)        /Arkan#iD    |_  o  _||_| _||_| /   _|  | o |_||_||_|
 [||] [||] [||]            Do i believe in Bible? Hell,man,i've seen one!
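
The log check suggested in this thread, as an added example that is not from either poster: it parses kernel warnings in the format quoted in the forwarded message and reports any source that sent SYN+FIN packets to one port on several hosts within a short window. The sample lines, the host name `gw`, the addresses, and the thresholds (3 hosts, 5 minutes) are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the format of the kernel warnings quoted above.
# Addresses are documentation ranges, not the ones from the post.
PFX = "/kernel: securitywarning: orphan TCP packet on"
SAMPLE = f"""\
Feb 10 10:35:54 gw {PFX} 192.0.2.17:143 from 198.51.100.1:65535 flags 0x3<FIN,SYN>
Feb 10 10:35:54 gw {PFX} 192.0.2.25:143 from 198.51.100.1:65535 flags 0x3<FIN,SYN>
Feb 10 10:35:55 gw {PFX} 192.0.2.29:143 from 198.51.100.1:65535 flags 0x3<FIN,SYN>
Feb 10 10:35:55 gw {PFX} 192.0.2.27:143 from 198.51.100.1:65535 flags 0x3<FIN,SYN>
Feb 10 11:50:02 gw {PFX} 192.0.2.40:143 from 198.51.100.1:65535 flags 0x3<FIN,SYN>
Feb 10 10:40:11 gw {PFX} 192.0.2.17:143 from 203.0.113.9:1042 flags 0x3<FIN,SYN>
Feb 10 10:41:30 gw {PFX} 192.0.2.25:25 from 203.0.113.9:1043 flags 0x10<ACK>
"""

LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ /kernel: securitywarning: "
    r"orphan TCP packet on (?P<dst>[\w.]+):(?P<dport>\d+) "
    r"from (?P<src>[\d.]+):\d+ flags 0x(?P<flags>[0-9a-fA-F]+)")
FIN, SYN = 0x01, 0x02  # TCP header flag bits

def parse(text, year=1999):
    """Yield (time, src, dst, dport, flags); syslog lines carry no year."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["src"], m["dst"], int(m["dport"]), int(m["flags"], 16)

def find_sweeps(text, min_hosts=3, window=timedelta(minutes=5)):
    """Map (src, dport) -> sorted hosts for sources that sent SYN+FIN to one
    port on at least min_hosts distinct hosts within `window`."""
    seen = defaultdict(list)
    for ts, src, dst, dport, flags in parse(text):
        if flags & (SYN | FIN) == (SYN | FIN):  # not sent by normal stacks
            seen[(src, dport)].append((ts, dst))
    sweeps = {}
    for key, hits in seen.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            hosts = {d for t, d in hits[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                sweeps[key] = sorted(hosts)
                break
    return sweeps

if __name__ == "__main__":
    for (src, port), hosts in find_sweeps(SAMPLE).items():
        print(f"{src} swept port {port} on {len(hosts)} hosts: {hosts}")
```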
