Security Incidents mailing list archives

Re: Mail and web server attack


From: pdunston () PFEIFFER EDU (Duane Dunston)
Date: Tue, 14 Mar 2000 13:54:32 -0000


I recently detected several sloppy intrusion attempts on my 
web and mail server. The attempts originated from ip 
- 209.161.238.144, 207.226.241.155, and 208.184.216.202. 
Logins were attempted via telnet, pop3 and imap (command 
stream overflow for the last two). Additionally, the PHF.CGI 
exploit was attempted followed by the scripts TEST.CGI and 
HANDLER.CGI. 

Tomas,

Since all of those services have well-known exploits, it 
seems that someone or a group of people were trying some basic 
attacks to gain access to your system.  They may have done it 
manually or run a scanner like SATAN or NESSUS to see what 
kind of vulnerabilities your system has.  The same for the 
*.cgi scripts.  They all have known security problems.  In 
particular the test.cgi script that comes by default with 
Apache can give an attacker information about your system 
environment.  You read quite often how over 90% of all 
compromises are a result of well-known security holes.  
Looks like you've taken care of them though.

With metta,

Duane
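
An added example, not part of the original message: a small Python check that groups requests for the CGI scripts named in this thread by client address and reports which of them the server actually answered with 200, meaning the script is still installed. The access-log format (Common Log Format), the `test-cgi` and `handler` spellings, and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Script names from the thread (phf, test.cgi, handler.cgi). The "test-cgi"
# and "handler" spellings are assumed variants, not taken from the post.
WATCHED = {"phf", "phf.cgi", "test.cgi", "test-cgi", "handler", "handler.cgi"}

# Common Log Format: client, ident, user, [time], "METHOD URL PROTO", status
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})\b')

# Constructed sample log lines (documentation address ranges, not real hosts).
SAMPLE = """\
192.0.2.10 - - [14/Mar/2000:09:12:01 +0000] "GET /cgi-bin/phf HTTP/1.0" 404 208
192.0.2.10 - - [14/Mar/2000:09:12:02 +0000] "GET /cgi-bin/test-cgi HTTP/1.0" 200 512
192.0.2.10 - - [14/Mar/2000:09:12:03 +0000] "GET /cgi-bin/handler HTTP/1.0" 404 208
198.51.100.7 - - [14/Mar/2000:09:30:44 +0000] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [14/Mar/2000:09:31:10 +0000] "GET /cgi-bin/PHF.CGI?x=1 HTTP/1.0" 404 208
""".splitlines()


def find_probes(lines):
    """Return {client_ip: [(script_name, http_status), ...]} for watched scripts."""
    hits = defaultdict(list)
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        ip, _method, url, status = m.groups()
        # Drop the query string, keep the last path segment, ignore case.
        name = url.split("?", 1)[0].rsplit("/", 1)[-1].lower()
        if name in WATCHED:
            hits[ip].append((name, int(status)))
    return dict(hits)


def still_installed(hits):
    """Scripts that answered 200: present on the server, review or remove."""
    return sorted({n for reqs in hits.values() for n, s in reqs if s == 200})


if __name__ == "__main__":
    found = find_probes(SAMPLE)
    for ip, reqs in found.items():
        print(ip, reqs)
    print("answered with 200, review or remove:", still_installed(found))
```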

