Firewall Wizards mailing list archives
Re: finger/IMAP scans
From: davidg () genmagic com (David Gillett)
Date: Tue, 23 Mar 1999 14:52:32 -0800
On 22 Mar 99, at 9:59, Neil Ratzlaff wrote:
I keep seeing people doing combination finger/IMAP scans on our primary and secondary nameservers. The number of sources is increasing. (And the firewall keeps blocking them.) The ratio is usually about two fingers followed by an IMAP, they wil try several dozen times, and then they quit. Does anyone recognize this as a meaningful pattern? If so, can someone tell me what they think they are doing? Assuming there is thought involved, of course.
A common pattern we see includes two tries each at IMAP, finger, POP, telnet, mountd, and sometimes a couple of others. Every time we've tracked it back, we've found someone's Linux box that has been cracked. David G
Current thread:
- finger/IMAP scans Neil Ratzlaff (Mar 23)
- Re: finger/IMAP scans David Gillett (Mar 23)
- Re: finger/IMAP scans Darren Reed (Mar 24)
- Re: finger/IMAP scans David Gillett (Mar 24)
- Re: finger/IMAP scans Darren Reed (Mar 24)
- Message not available
- Connection attempts to 13223 dreamwvr (Mar 24)
- Re: finger/IMAP scans David Gillett (Mar 23)
- <Possible follow-ups>
- Re: finger/IMAP scans Ken Fox (Mar 24)