Firewall Wizards mailing list archives
Re: finger/IMAP scans
From: "Ken Fox" <kenfox () starlinx com>
Date: Wed, 24 Mar 1999 17:45:41 GMT
I keep seeing these from some .edu in korea & brazil ... when I try to get through to the network people down there, invariably the don't return calls -- our best guess is that some kiddies have downloaded the latest stuff from hacker.site and are trying it out. I also note that in CIAC there was a message from NAI about a bug in linux Kernel 2.0.35 and prior that was exploitable. could the two be related? I noticed an awful lot of this stuff in November & december, but it's tapered off. I don't know what the significance is of the ports. any clues out there? On Tue, 23 Mar 1999 14:52:32 -0800 davidg () genmagic com wrote:
On 22 Mar 99, at 9:59, Neil Ratzlaff wrote:I keep seeing people doing combination finger/IMAP scans on our primary and secondary nameservers. The number of sources is increasing. (And the firewall keeps blocking them.) The ratio is usually about two fingers followed by an IMAP, they wil try several dozen times, and then they quit. Does anyone recognize this as a meaningful pattern? If so, can someone tell me what they think they are doing? Assuming there is thought involved, of course.A common pattern we see includes two tries each at IMAP, finger, POP, telnet, mountd, and sometimes a couple of others. Every time we've tracked it back, we've found someone's Linux box that has been cracked. David G
Ken Fox Consulting 1118 Meetinghouse Rd Ambler PA 19002 PH (610)-358-0887 Fax (610) 459-4091 This message sent using EMUmail. http://EmuMail.com
Current thread:
- finger/IMAP scans Neil Ratzlaff (Mar 23)
- Re: finger/IMAP scans David Gillett (Mar 23)
- Re: finger/IMAP scans Darren Reed (Mar 24)
- Re: finger/IMAP scans David Gillett (Mar 24)
- Re: finger/IMAP scans Darren Reed (Mar 24)
- Message not available
- Connection attempts to 13223 dreamwvr (Mar 24)
- Re: finger/IMAP scans David Gillett (Mar 23)
- <Possible follow-ups>
- Re: finger/IMAP scans Ken Fox (Mar 24)