Vulnerability Development mailing list archives
Re: pop3 exploit????
From: Edward Wong Hau Pepelu Tivrusky the 4th <sa7ori () tasam com>
Date: Wed, 17 Oct 2001 18:12:51 -0400 (EDT)
I haven't been watching this thread closely enough, but exploits for qpop and several other pop3 servers abound. Published, I am not sure, but they do exist. That is all. Talk amongst yourselves. Thank you. Goodnight.

On Wed, 17 Oct 2001, Brian O'Berry wrote:

That sounds like typical behavior for an inetd service protected by tcp_wrappers, which is often how pop3 is configured.

- Brian

From: "leon" <leon () inyc com>
Subject: RE: pop3 exploit????
Date: Tue, 16 Oct 2001 15:20:18 -0400

Ok. I have to apologize to everyone. I was being a bonehead (what else is new?). I was using super scanner and it would report 110 was open and guess it was pop3. But riddle me this, Batman (and woman): why is it that when I try to telnet to the offending IPs I connect but get no banner, and after about 15 seconds it tells me connection lost? What does the group suggest I do now????

-----Original Message-----
From: theog () yoda dnsq org [mailto:theog () yoda dnsq org]
Sent: Tuesday, October 16, 2001 7:12 PM
To: John Thornton
Cc: leon; vuln-dev () securityfocus com
Subject: Re: pop3 exploit????

I agree with most of what's written below; here are some comments:

I would run some kind of IDS software on the scanned machines just to know if these are just scans or if someone is actually trying to hack. Snort from www.snort.org along with the arachNIDS ruleset from www.whitehats.com should do it...

If indeed the attacker is just playing around, secure your systems as much as you can (I would try attacking my own systems to see if there is indeed somewhere they can strike). I don't know what the effect of sending an e-mail to abuse () ISP net will be, but I assume it won't stop the attacks; what's more, the attacker might be using Trojans on innocent people's machines....

If the attacker is a blackhat, you probably don't want to try and scan him or let him know in any way that you are trying to track him down; the response will probably be (assuming he's already been in one of your systems...) attempts to erase any record that might turn up his identity... which might get quite ugly, and very painful for you.

Even so-called "script kiddies" with downloaded software from a "tripod hosted site" can do real damage, see http://grc.com/dos/grcdos.htm, so think before you act...

Good luck
TheOg

On Mon, 15 Oct 2001, John Thornton wrote:

> I constantly get scanned for the usual services (21, 23, 80, 12345, 27374, etc, etc) and when I scan these systems back the only thing they have in common (as far as running services) is 110 pop3.

As we all do who take the time to see who is hitting our boxes.

One thing to look at is what pop3 daemon the server is running and what version it is. I would check securityfocus.com and http://icat.nist.gov/icat.cfm (the ICAT metabase). More often than not the security hole used to exploit the other boxes is public. I would have to argue that if it was an unknown pop3 daemon exploit they would most likely be scanning your box for the same vulnerable service to exploit. So if the addresses you have are blowing past 110 and looking at ports like 12345, 27374 and other low-level trojan backdoor attacks, I would lean more towards a coincidence that they have port 110 open.

Now let's say they are all running a pop3 daemon like qpop (by the way, I could not connect to any of those IP addresses you posted on port 110) and you can't find any known security holes for that version of qpop; then in my mind it would be worth it to grab that socket programming book and write a little server that listens on port 110 and displays the same banner as the rest of the attacking servers. Then sniff to see just what in the hell it is doing.

With that said, one of the things that I do as a Network Administrator is an nslookup on each address that scans my network. This will tell you a lot about who is attacking you.

AC9699EE.ipt.aol.com
cha213245047041.chello.fr
ua-213-112-62-68.cust.bredbandsbolaget.se
24-29-125-76.nyc.rr.com
pD4B894B3.dip.t-dialin.net
500.POS2-0.SR3.SEA9.ALTER.NET
p13-0.iplvin1-br1.bbnplanet.net

All of the addresses that scanned you (the ones you sent) belong to an ISP of some sort. That in itself should tell you that these are low-level attackers. Most likely these IP addresses belonged to the attackers' home computers. In that case what you should do (sadly not practiced enough by the Network Admin community) is to report them to abuse () isp net and attach the logs of the scan (make sure you include your time zone, and the source and destination ports used) and let them take care of it. Most likely you and a few dozen Network Administrators will report the same address and have ZeroCool's service taken away. I have to say, there is nothing like drinking a cup of coffee in the morning when checking your email to read that you played a role in terminating one less script kid's ISP. I digress.

Now, if these addresses translated into something like bob.com, ford.com, etc... then that means you might be on to a real live hacker. These are _always_ fun to help track down. In that case I would call the network admin on the phone, since we would assume the box is owned by a hacker and most likely the network admin's mail is being read.

> like this. I have no clue if these IPs are static or dynamic. This is

Again, an nslookup will tell you a lot, such as whether the attacker has a static or dynamic address. These are all dynamic IP addresses.

To sum everything up. Could this be some sort of sophisticated attack off some unreported exploit to a pop3 daemon? Hardly. It looks to me like script kids and their 'l33t' tools from some 'Hacking' site hosted by tripod. The best thing you can do as a Network Administrator is to report these to abuse of the ISP. However, if the anti-terrorism bill is passed (and it looks that way) I would urge you not to. I know I won't. Getting script kids' service turned off is one thing, having them sent to jail is another...

John Thornton - jthornton () hackersdigest com
Editor in Chief
Hackers Digest - www.hackersdigest.com

H A C K E R ' S   D I G E S T
--------------------------------------------------
Issue 2 comes out November 1st. Will you get it?
--------------------------------------------------
www.hackersdigest.com
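Thornton's suggestion of a little server on port 110 that shows the same banner and lets you watch what the scanner actually sends, as an added example (not code from any poster in the thread): a decoy in Python that logs every line it receives, answers -ERR to everything, and bounds what it reads; the banner text, the 30 s idle timeout and the line limits are assumptions to adjust to what you observe.

```python
"""Decoy POP3 listener: send a banner, log every line the client sends, answer -ERR
to everything but QUIT. Constructed for this thread; banner, limits, port are assumptions."""
import io
import socketserver
import time

BANNER = b"+OK POP3 server ready\r\n"  # assumed; mirror the banner the scanned hosts show
MAX_LINES = 50    # stop logging runaway or looping clients
MAX_LINE = 1024   # bytes per readline: an oversized probe is logged in chunks, never buffered whole

def handle_session(rfile, wfile):
    """Drive one session over file-like objects; return the lines the client sent."""
    transcript = []
    wfile.write(BANNER)
    wfile.flush()
    for _ in range(MAX_LINES):
        try:
            line = rfile.readline(MAX_LINE)
        except OSError:  # timeout or reset: keep what was logged so far
            break
        if not line:
            break
        # printable form so binary payloads show in the log as \xNN escapes
        transcript.append(line.rstrip(b"\r\n").decode("ascii", "backslashreplace"))
        if line[:4].upper() == b"QUIT":
            wfile.write(b"+OK bye\r\n")
            wfile.flush()
            break
        wfile.write(b"-ERR unavailable\r\n")  # never confirm that a mailbox exists
        wfile.flush()
    return transcript

def replay(client_bytes):
    """Offline run over constructed client input; returns (transcript, bytes we sent)."""
    rfile, wfile = io.BytesIO(client_bytes), io.BytesIO()
    return handle_session(rfile, wfile), wfile.getvalue()

class DecoyHandler(socketserver.StreamRequestHandler):
    timeout = 30  # drop idle scanners
    def handle(self):
        peer = "%s:%d" % self.client_address[:2]
        stamp = time.strftime("%Y-%m-%d %H:%M:%S %z")  # log the zone, as the thread advises
        for cmd in handle_session(self.rfile, self.wfile):
            print("%s %s sent: %s" % (stamp, peer, cmd))

def run_decoy(host="0.0.0.0", port=110):
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer((host, port), DecoyHandler) as srv:
        srv.serve_forever()
```

Port 110 needs privileges, so try `run_decoy(port=1100)` as an unprivileged user first; `replay()` exercises the same handler offline on constructed input.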
Current thread:
- pop3 exploit???? leon (Oct 14)
- Re: pop3 exploit???? Kaneda Akira (Oct 14)
- Re: pop3 exploit???? John Thornton (Oct 15)
- Re: pop3 exploit???? theog (Oct 17)
- RE: pop3 exploit???? leon (Oct 17)
- Re: pop3 exploit???? Brian O'Berry (Oct 17)
- Re: pop3 exploit???? Edward Wong Hau Pepelu Tivrusky the 4th (Oct 17)
- RE: pop3 exploit???? Robert McGinnis (Oct 17)
- RE: pop3 exploit???? Kaneda Akira (Oct 17)
- RE: pop3 exploit???? leon (Oct 17)
- Re: pop3 exploit???? theog (Oct 17)
- RE: pop3 exploit???? Simon Thornton (Oct 18)
- <Possible follow-ups>
- Re: pop3 exploit???? dan . ellis (Oct 15)