Firewall Wizards mailing list archives

Re: finger/IMAP scans


From: Darren Reed <darrenr () reed wattle id au>
Date: Wed, 24 Mar 1999 22:57:05 +1100 (EST)

In some email I received from David Gillett, sie wrote:

On 22 Mar 99, at 9:59, Neil Ratzlaff wrote:

I keep seeing people doing combination finger/IMAP scans on our
primary and secondary nameservers.  The number of sources is
increasing.  (And the firewall keeps blocking them.) The ratio is
usually about two fingers followed by an IMAP, they will try several
dozen times, and then they quit. Does anyone recognize this as a
meaningful pattern?  If so, can someone tell me what they think they
are doing?  Assuming there is thought involved, of course. 

  A common pattern we see includes two tries each at IMAP, finger, POP, 
telnet, mountd, and sometimes a couple of others.  Every time we've 
tracked it back, we've found someone's Linux box that has been cracked.

Have you (or others) seen many packets coming from the ident port?
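
Added example, not part of the original thread: one way to check blocked-connection logs for the patterns discussed above (the repeated finger, finger, IMAP sequence, the multi-service sweep, and packets whose source port is ident/113). The log format, the addresses and the function names are constructed for illustration, and port 111 (portmapper) standing in for mountd is an assumption.

```python
import re
from collections import Counter, defaultdict

# Ports for the services named in the thread. mountd has no fixed port (it
# registers with the portmapper), so 111 stands in for it: an assumption.
SERVICES = {79: "finger", 143: "imap", 110: "pop3", 23: "telnet", 111: "portmap"}
IDENT = 113  # the source port the reply asks about

# Constructed log format, not any real firewall's:
#   <time> BLOCK tcp <src_ip>:<src_port> -> <dst_ip>:<dst_port>
LINE = re.compile(r"^\S+ BLOCK tcp ([\d.]+):(\d+) -> [\d.]+:(\d+)$")

def summarize(lines):
    """Per source IP: blocked tries per service, and packets sent from port 113."""
    tries, ident = defaultdict(Counter), Counter()
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # ignore anything that is not a blocked-TCP record
        src, sport, dport = m.group(1), int(m.group(2)), int(m.group(3))
        if dport in SERVICES:
            tries[src][SERVICES[dport]] += 1
        if sport == IDENT:
            ident[src] += 1
    return tries, ident

def classify(counts):
    """Label a source by which pattern from the thread its probes resemble."""
    if set(counts) == {"finger", "imap"}:
        return "finger/imap"
    if len(counts) >= 3:
        return "multi-service sweep"
    return "other"

def report(lines):
    tries, ident = summarize(lines)
    return {src: (classify(tries[src]), dict(tries[src]), ident[src])
            for src in sorted(set(tries) | set(ident))}

def sample_log():
    """Constructed records: three sources, one per pattern discussed."""
    rec = "1999-03-22T09:{:02d}:00 BLOCK tcp {}:{} -> 198.51.100.53:{}".format
    log = [rec(i, "192.0.2.10", 1024 + i, p) for i in range(12) for p in (79, 79, 143)]
    log += [rec(30, "192.0.2.77", 2000, p) for p in SERVICES for _ in range(2)]
    log += [rec(40, "192.0.2.99", IDENT, 25)]
    return log

if __name__ == "__main__":
    for src, row in report(sample_log()).items():
        print(src, *row)
```

Each row gives the source, its label, the per-service try counts and the number of packets it sent from port 113, so a growing set of sources with the same label is visible at a glance.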


