Security Incidents mailing list archives

Re: twinkie


From: bugtraq () NETWORKICE COM (Robert Graham)
Date: Thu, 17 Feb 2000 11:29:11 -0800


See:
http://www.robertgraham.com/pubs/firewall-seen.html#port113
This is normal behavior from SMTP, POP, and IMAP servers so that they can
log the UNIX user name on the TCP connection. If you block it with a
firewall, your e-mail connections might time out.

In any case, the POP3 AUTH command is used by the client in order to
negotiate an authentication scheme with the server. When a Microsoft client
(like Outlook) tries to negotiate Windows-specific authentication (based
upon LM), it uses some provocative word. I don't quite remember what that
word is; might be "twinkie".

Robert Graham

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () securityfocus com]On Behalf
Of Paris, Bill
Sent: Wednesday, February 16, 2000 7:15 AM
To: INCIDENTS () securityfocus com
Subject: Re: twinkie

My ISP (dial-up account) always tries connecting to my box via AUTH (port
113) every time I send mail. There is nothing on my machine listening at
port 113. Could these 192.168.1.x boxes be sending mail at that time?

Bill Paris

-----Original Message-----
From: Vasiliy Kuznetsov [mailto:waso () NSTU RU]
Sent: Tuesday, February 15, 2000 10:00 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: twinkie


Good time of day!
Strange things have been happening in my local network for
an undefined period. I saw these records in maillog:
Feb 13 23:46:35 perfect ipop3d[23091]: AUTHENTICATE twinkie failure host=[192.168.1.200]
Feb 14 08:37:13 perfect ipop3d[24749]: AUTHENTICATE twinkie failure host=[192.168.1.141]
Feb 14 08:51:31 perfect ipop3d[24812]: AUTHENTICATE twinkie failure host=[192.168.1.136]

As you can see, they are from different hosts running
win95-win98. What could it be?
            10x,
                    Vasiliy
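
Added example (not part of the original thread): a small Python triage of the ipop3d records quoted above. It rejoins records the mail client wrapped and counts failed AUTHENTICATE attempts per mechanism name and client host. The function names and EXPECTED_MECHS are assumptions for illustration, and the sendmail line in the sample is constructed.

```python
import re
from collections import defaultdict

# The thread's three records (wrapped as mailed) plus one constructed unrelated line.
SAMPLE = """\
Feb 13 23:46:35 perfect ipop3d[23091]: AUTHENTICATE twinkie
failure host=[192.168.1.200]
Feb 14 08:37:13 perfect ipop3d[24749]: AUTHENTICATE twinkie
failure host=[192.168.1.141]
Feb 14 08:40:02 perfect sendmail[24760]: constructed unrelated line
Feb 14 08:51:31 perfect ipop3d[24812]: AUTHENTICATE twinkie
failure host=[192.168.1.136]
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
FAIL = re.compile(r"ipop3d\[\d+\]: AUTHENTICATE (\S+) failure host=\[([\d.]+)\]")
# Assumption: mechanisms this server is meant to offer; adjust per site.
EXPECTED_MECHS = {"LOGIN", "PLAIN", "CRAM-MD5"}


def unwrap(text):
    """Rejoin wrapped records: a line with no syslog timestamp continues the previous one."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records


def summarize(text):
    """Map each failed AUTHENTICATE mechanism to its attempt count per client host."""
    per_mech = defaultdict(lambda: defaultdict(int))
    for rec in unwrap(text):
        m = FAIL.search(rec)
        if m:
            per_mech[m.group(1)][m.group(2)] += 1
    return {mech: dict(hosts) for mech, hosts in per_mech.items()}


def unexpected(summary):
    """Mechanism names clients asked for that are not in EXPECTED_MECHS."""
    return sorted(m for m in summary if m.upper() not in EXPECTED_MECHS)


if __name__ == "__main__":
    for mech, hosts in summarize(SAMPLE).items():
        print(mech, hosts, "unexpected" if mech in unexpected({mech: hosts}) else "")
```

On the quoted records this reports one failure from each of three hosts for a single mechanism name outside the expected set, which is what a client probing for an authentication scheme, as described in the reply, would leave in the log.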


