Security Incidents mailing list archives
Re: twinkie
From: bugtraq () NETWORKICE COM (Robert Graham)
Date: Thu, 17 Feb 2000 11:29:11 -0800
See: http://www.robertgraham.com/pubs/firewall-seen.html#port113

This is normal behavior from SMTP, POP, and IMAP servers so that they can log the UNIX user name on the TCP connection. If you block it with a firewall, your e-mail connections might time out.

In any case, the POP3 AUTH command is used by the client in order to negotiate an authentication scheme with the server. When a Microsoft client (like Outlook) tries to negotiate Windows-specific authentication (based upon LM), it uses some provocative word. I don't quite remember what that word is; might be "twinkie".

Robert Graham

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () securityfocus com]On Behalf Of Paris, Bill
Sent: Wednesday, February 16, 2000 7:15 AM
To: INCIDENTS () securityfocus com
Subject: Re: twinkie

My ISP (dial-up account) always tries connecting to my box via AUTH (port 113) every time I send mail. There is nothing on my machine listening at port 113. Could these 192.168.1.x boxes be sending mail at that time?

Bill Paris

-----Original Message-----
From: Vasiliy Kuznetsov [mailto:waso () NSTU RU]
Sent: Tuesday, February 15, 2000 10:00 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: twinkie

Good time of day!

There are strange things happening in my local network for an undefined period. I saw such records in maillog:

Feb 13 23:46:35 perfect ipop3d[23091]: AUTHENTICATE twinkie failure host=[192.168.1.200]
Feb 14 08:37:13 perfect ipop3d[24749]: AUTHENTICATE twinkie failure host=[192.168.1.141]
Feb 14 08:51:31 perfect ipop3d[24812]: AUTHENTICATE twinkie failure host=[192.168.1.136]

As you can see, they are from different hosts, running win95-win98. What could it be?

10x,
Vasiliy
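
Added example, not part of the original messages: a small triage script for ipop3d "AUTHENTICATE ... failure" records of the kind quoted above. It separates one-off failures for an unrecognised mechanism name seen from several hosts (the pattern the reply attributes to client auth negotiation) from repeated failures by a single host. The mechanism list, the threshold of 3, the verdict strings and the LOGIN sample lines are assumptions made for this example.

```python
import re
from collections import defaultdict

# The three "twinkie" records are the maillog lines quoted in the thread; the
# LOGIN records are constructed for this example, in the same format.
SAMPLE = """\
Feb 13 23:46:35 perfect ipop3d[23091]: AUTHENTICATE twinkie failure host=[192.168.1.200]
Feb 14 08:37:13 perfect ipop3d[24749]: AUTHENTICATE twinkie failure host=[192.168.1.141]
Feb 14 08:51:31 perfect ipop3d[24812]: AUTHENTICATE twinkie failure host=[192.168.1.136]
Feb 14 09:02:10 perfect ipop3d[24901]: AUTHENTICATE LOGIN failure host=[192.168.1.77]
Feb 14 09:02:14 perfect ipop3d[24903]: AUTHENTICATE LOGIN failure host=[192.168.1.77]
Feb 14 09:02:19 perfect ipop3d[24907]: AUTHENTICATE LOGIN failure host=[192.168.1.77]
"""

# Some registered SASL mechanism names: a sample list chosen for this example,
# not the set a particular ipop3d build supports (assumption).
KNOWN_MECHS = {"PLAIN", "LOGIN", "CRAM-MD5", "DIGEST-MD5", "NTLM", "GSSAPI", "ANONYMOUS"}

LINE = re.compile(r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\sipop3d\[\d+\]:\s"
                  r"AUTHENTICATE\s(?P<mech>\S+)\sfailure\shost=\[(?P<host>[^\]]+)\]$")

def parse(text):
    """Yield (mechanism, host) for each AUTHENTICATE failure record."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield m["mech"], m["host"]

def triage(text, repeat_threshold=3):
    """Summarise failures per mechanism and attach a coarse verdict."""
    per_mech = defaultdict(lambda: defaultdict(int))
    for mech, host in parse(text):
        per_mech[mech][host] += 1
    report = {}
    for mech, hosts in per_mech.items():
        repeats = sorted(h for h, n in hosts.items() if n >= repeat_threshold)
        if repeats:
            verdict = "repeated failures from one host: review"
        elif mech.upper() not in KNOWN_MECHS:
            verdict = "unrecognised mechanism, no repeats: likely client negotiation"
        else:
            verdict = "isolated failure"
        report[mech] = {"hosts": len(hosts), "failures": sum(hosts.values()),
                        "repeat_hosts": repeats, "verdict": verdict}
    return report

if __name__ == "__main__":
    for mech, info in triage(SAMPLE).items():
        print(mech, info)
```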