Security Incidents mailing list archives

POP3 (110) Port Scans, New Exploit?

From: cjc () SCITEC COM (Crist J. Clark)
Date: Mon, 29 May 2000 16:29:58 -0400


Over the weekend, we had our address space scanned for POP3 services
(port 110). The hosts involved were,

  206.176.81.2
  206.182.235.227
  207.233.243.234 (host.domain.com)

I have attempted to notify resposbible parties for each.

We do have a POP server, and it did record what looks like a dropped
login attempt,

May 28 04:14:50 newmail ipop3d[17145]: Command stream end of file while reading line user=??? host=[206.182.235.227]

But to the best of my estimates, there were no problems. Nothing in
the logs, and my Tripwire on the box did not go off.

Any ideas why a sudden interest in POP3? I have not heard of any new
"remote" exploits recently (although expoits where a valid user can
get a shell have been demonstrated for some POPs and IMAPs recently).

--
Crist J. Clark                              cjc () scitec com
SciTec, Inc                             (609)921-3892 x252

Current thread:

POP3 (110) Port Scans, New Exploit? Crist J. Clark (May 29)
- linuxconf scans from KR Infrastructure Dept. (Jun 01)
- Re: POP3 (110) Port Scans, New Exploit? Chip Mefford (Jun 01)