Firewall Wizards mailing list archives

Re: UDP Port 137 - Now TCP 143


From: John Ladwig <jladwig () nts umn edu>
Date: Mon, 8 Feb 1999 19:15:58 -0600 (CST)

On firewall-wizards jburgess () railtex com wrote:
[...] Does anyone know why
would someone/something be hitting TCP port 143?

That's IMAP (v2 and I believe v1 as well).  I suppose that if it
wasn't filtered out, someone might get somebody else's mail that
way, though the appropriate password should be needed.

I suppose it *could* be a laptop normally on your network on
holiday in .do, but if that is not the case (maybe you don't
even use IMAP?) then yes, someone is probably trying to sound
out your weaknesses...  Do run-of-the-mill crackers try to read
mail before having managed to crack the system?

Not in my experience.

They do, however, flock to remote-user-gains-root vulnerabilities with
widely circulated script-kiddie-capable t00lz/sploitz like red
squirrels to sugaring bags.

The standard probe 'round these parts is:
 - TELNET (Irix no-password accounts like lp and guest)
 - POP3 (stack-smashable qpopper variants)
 - HTTP (various shell-meta-character exploitable CGI scripts)
 - IMAP (remote buffer overrun)
 - DNS (remote BIND iquery sploit) 

and frequently 635/tcp (Linux overrunable rpc.mountd).

Check the AUSCERT/CERT archives for mscan or sscan, as well as any
vendors/apps listed above.

    -jml    *'tis nearly the season, even here.  Damn their oily hides*
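As an added example (not part of the original thread), a small Python triage script that applies the probe list above to constructed firewall deny-log lines: a source that walks several of the listed services is flagged, while a lone IMAP connection, like the travelling-laptop case, is not. The log format, addresses and threshold are assumptions.

```python
import re
from collections import defaultdict

# Service ports named in the post's "standard probe" list (TCP unless noted).
PROBE_PORTS = {23: "telnet", 110: "pop3", 80: "http", 143: "imap",
               53: "dns", 635: "rpc.mountd"}

# Constructed sample log lines in a hypothetical deny-log format:
# <timestamp> deny <proto> <src>:<sport> -> <dst>:<dport>
SAMPLE_LOG = """\
1999-02-08T19:01:02 deny tcp 192.0.2.10:3301 -> 198.51.100.5:23
1999-02-08T19:01:03 deny tcp 192.0.2.10:3302 -> 198.51.100.5:110
1999-02-08T19:01:03 deny tcp 192.0.2.10:3303 -> 198.51.100.5:143
1999-02-08T19:01:04 deny tcp 192.0.2.10:3304 -> 198.51.100.5:635
1999-02-08T19:01:05 deny udp 192.0.2.10:3305 -> 198.51.100.5:53
1999-02-08T19:05:11 deny tcp 192.0.2.77:1100 -> 198.51.100.5:143
1999-02-08T19:05:12 deny tcp 192.0.2.77:1100 -> 198.51.100.5:143
1999-02-08T19:09:00 deny tcp 203.0.113.9:4444 -> 198.51.100.5:8080
"""

LINE_RE = re.compile(
    r"^\S+ deny (?P<proto>tcp|udp) (?P<src>[\d.]+):\d+ -> [\d.]+:(?P<dport>\d+)$")

def probe_ports_by_source(log_text):
    """Map each source address to the set of probe-list ports it touched."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines in other formats rather than fail
        dport = int(m.group("dport"))
        if dport in PROBE_PORTS:
            hits[m.group("src")].add(dport)
    return dict(hits)

def flag_scanners(log_text, min_ports=3):
    """Sources hitting at least min_ports distinct ports from the probe list.

    A single IMAP connection from one host (the travelling-laptop case) is
    not flagged; a host walking several of the listed services is.
    """
    hits = probe_ports_by_source(log_text)
    return sorted(src for src, ports in hits.items() if len(ports) >= min_ports)

if __name__ == "__main__":
    by_src = probe_ports_by_source(SAMPLE_LOG)
    for src in flag_scanners(SAMPLE_LOG):
        names = ", ".join(PROBE_PORTS[p] for p in sorted(by_src[src]))
        print(f"{src}: probed {names}")
```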
