Firewall Wizards mailing list archives

Re: finger/IMAP scans


From: "Ken Fox" <kenfox () starlinx com>
Date: Wed, 24 Mar 1999 17:45:41 GMT

I keep seeing these from some .edu in Korea & Brazil ... when I try to get through to the network people down there, 
invariably they don't return calls -- our best guess is that some kiddies have downloaded the latest stuff from 
hacker.site and are trying it out. 

I also note that in CIAC there was a message from NAI about a bug in Linux kernel 2.0.35 and prior that was 
exploitable. Could the two be related?

I noticed an awful lot of this stuff in November & December, but it's tapered off. I don't know what the significance 
is of the ports. Any clues out there?

On Tue, 23 Mar 1999 14:52:32 -0800 davidg () genmagic com wrote:
On 22 Mar 99, at 9:59, Neil Ratzlaff wrote:

I keep seeing people doing combination finger/IMAP scans on our
primary and secondary nameservers.  The number of sources is
increasing.  (And the firewall keeps blocking them.) The ratio is
usually about two fingers followed by an IMAP, they will try several
dozen times, and then they quit. Does anyone recognize this as a
meaningful pattern?  If so, can someone tell me what they think they
are doing?  Assuming there is thought involved, of course.

  A common pattern we see includes two tries each at IMAP, finger, POP,
telnet, mountd, and sometimes a couple of others.  Every time we've
tracked it back, we've found someone's Linux box that has been cracked.


David G


Ken Fox Consulting
1118 Meetinghouse Rd
Ambler PA 19002
PH (610)-358-0887 Fax (610) 459-4091
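
An added example, not part of the original messages: one way to surface the pattern described in this thread (one source trying several of finger, IMAP, POP and telnet against the same host) from blocked-connection logs. The log format, addresses and function names are constructed for illustration, and the 300-second window is an assumption.

```python
from collections import defaultdict

# Well-known TCP ports for the services named in the thread (mountd is
# RPC-assigned and has no fixed port, so it is left out).
SERVICES = {23: "telnet", 79: "finger", 110: "pop3", 143: "imap"}

# Constructed sample: "<epoch> <src> <dst> <dport> <action>" (hypothetical format).
SAMPLE_LOG = """\
922200000 192.0.2.10 198.51.100.53 79 DENY
922200001 192.0.2.10 198.51.100.53 79 DENY
922200002 192.0.2.10 198.51.100.53 143 DENY
922200010 192.0.2.10 198.51.100.53 79 DENY
922200011 192.0.2.10 198.51.100.53 79 DENY
922200012 192.0.2.10 198.51.100.53 143 DENY
922200100 203.0.113.7 198.51.100.53 143 DENY
922200500 203.0.113.9 198.51.100.53 53 ALLOW
922209000 203.0.113.7 198.51.100.53 79 DENY
not a log line
"""

def parse(line):
    """Return (ts, src, dst, service) for a blocked probe of a watched port, else None."""
    parts = line.split()
    if len(parts) != 5 or parts[4] != "DENY":
        return None
    try:
        ts, port = int(parts[0]), int(parts[3])
    except ValueError:
        return None
    return (ts, parts[1], parts[2], SERVICES[port]) if port in SERVICES else None

def find_multi_service_probes(log_text, window=300, min_services=2):
    """Flag (src, dst) pairs that hit >= min_services watched services within `window` seconds."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec:
            ts, src, dst, svc = rec
            events[(src, dst)].append((ts, svc))
    findings = {}
    for key, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            in_window = [svc for ts, svc in evs[i:] if ts - start <= window]
            if len(set(in_window)) >= min_services:
                findings[key] = {"services": sorted(set(in_window)), "attempts": len(in_window)}
                break
    return findings
```

On the sample, only 192.0.2.10 is flagged; 203.0.113.7 touches two services but hours apart, so it falls outside the window.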

