Firewall Wizards mailing list archives
RE: UDP Port 137 - Now TCP 143
From: dbovee () inetsec com (David Bovee)
Date: Wed, 10 Feb 1999 16:05:05 -0800
I guess I would add that tcp/143, associated with IMAP, has been the victim of various DoS and other security exploits. I guess I can dig out the CERT advisories if needed... Bottom line, it is commonly used as a doorknob twist. I raise this issue because I've seen MANY dozens of instances of valid IMAP doorknob twists that did not involve other ports, such as the mountd below.

-David
-----Original Message-----
From: owner-firewall-wizards () nfr net [mailto:owner-firewall-wizards () nfr net] On Behalf Of David Gillett
Sent: Tuesday, February 09, 1999 12:52 PM
To: Bill_Royds () pch gc ca
Cc: 'firewall-wizards () nfr net'
Subject: Re: UDP Port 137 - Now TCP 143

On 6 Feb 99, at 22:32, Bill_Royds () pch gc ca wrote:

> John Burgess asked:
>
> > Thanks to all who responded regarding UDP port 137. I learned some interesting facts. I got a new one this morning. Does anyone know why someone/something would be hitting TCP port 143? This was at 2:30 AM from bay-030-b5.codetel.net.do (206.105.238.30 - Dominican Republic - a router?) Protocol=TCP Port 2734->143?
> > JB
>
> Port 143/tcp is IMAP. There are several known vulnerabilities with some IMAP servers that he may be trying to exploit.

Just about every time I've seen someone try port 143, one of two other things was true:

1. The same machine also tried port 110 (POP3). The user is trying to retrieve email, possibly from the wrong server (either mistyped server name/IP, or misunderstood scope of service provided).

2. The same machine tried ports 23 (telnet) and 635 (mountd), and usually a couple of others as well. I've seen this ten times now, five in November and five in 1999. In the cases where I reached an admin of the source machine, it always turned out to be a Linux box; on one occasion, it was also launching "land" DoS attacks against Windows servers. The reference to port 635 may relate to CERT advisory 98-12, regarding an unsecured configuration of mountd that Red Hat, at least, installs as the default.

David Gillett
Network Security Engineer
General Magic, Inc (operators of portico.net)
davidg () genmagic com
(408) 774-4384
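The two patterns Gillett describes (143 together with 110 means a misdirected mail client; 143 together with 23 and 635 means a sweep from a compromised box) and Bovee's lone-IMAP "doorknob twist" are easy to turn into a triage rule over a firewall deny log. The script below is an added example, not code from either poster or from the list. The log format it parses ("timestamp action proto src:sport->dst:dport") and the sample lines are constructed for the example; only the 206.105.238.30 address comes from the thread.

```python
import re
from collections import defaultdict

# Constructed sample deny-log lines (not taken from the thread). The layout
# "<date> <time> <action> <proto> <src>:<sport>-><dst>:<dport>" is an assumption.
SAMPLE_LOG = """\
1999-02-09 02:30:11 DENY TCP 206.105.238.30:2734->10.0.0.5:143
1999-02-09 02:30:12 DENY TCP 206.105.238.30:2735->10.0.0.5:23
1999-02-09 02:30:13 DENY TCP 206.105.238.30:2736->10.0.0.5:635
1999-02-09 08:15:02 DENY TCP 192.0.2.44:1043->10.0.0.5:110
1999-02-09 08:15:03 DENY TCP 192.0.2.44:1044->10.0.0.5:143
1999-02-09 09:00:00 DENY TCP 198.51.100.7:3311->10.0.0.5:143
1999-02-09 09:00:05 DENY UDP 198.51.100.9:137->10.0.0.5:137
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\S+) (?P<proto>TCP|UDP) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)->"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)

IMAP, POP3, TELNET, MOUNTD = 143, 110, 23, 635


def parse(log_text):
    """Return {src_ip: set(dst_ports)} for TCP entries; malformed lines are skipped."""
    ports_by_src = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["proto"] != "TCP":
            continue
        ports_by_src[m["src"]].add(int(m["dport"]))
    return ports_by_src


def classify(ports):
    """Apply the heuristic from the thread to one source's set of destination ports."""
    if IMAP not in ports:
        return "no-imap"
    # 143 plus 23 and 635: the telnet/mountd sweep Gillett traced to Linux boxes.
    # Checked first so a scanner that also happens to hit 110 is not mislabelled.
    if TELNET in ports and MOUNTD in ports:
        return "scanner"
    # 143 plus 110: a mail reader pointed at the wrong server.
    if POP3 in ports:
        return "mail-client"
    # 143 alone: Bovee's IMAP "doorknob twist" with no accompanying ports.
    return "imap-only"


def triage(log_text):
    """Map every TCP source in the log to one of the categories above."""
    return {src: classify(ports) for src, ports in parse(log_text).items()}


if __name__ == "__main__":
    for src, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(f"{src:16} {verdict}")
```

The source that hit only UDP/137 never appears in the result because `parse` keeps TCP entries only; a real deployment would want a time window per source rather than the whole file, since the pattern only means something when the ports were tried within minutes of each other.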
Current thread:
- UDP Port 137 - Now TCP 143 Burgess, John (EDS) (Feb 06)
- Re: UDP Port 137 - Now TCP 143 Lorens Kockum (Feb 08)
- Re: UDP Port 137 - Now TCP 143 John Ladwig (Feb 09)
- Re: UDP Port 137 - Now TCP 143 Cristiano Lincoln Mattos (Feb 08)
- Re: UDP Port 137 - Now TCP 143 Randy Witlicki (Feb 08)
- Re: UDP Port 137 - Now TCP 143 Daniel J. Gregor Jr. (Feb 08)
- Re: UDP Port 137 - Now TCP 143 Michael T. Shinn (Feb 09)
- <Possible follow-ups>
- Re: UDP Port 137 - Now TCP 143 Bill_Royds (Feb 08)
- Re: UDP Port 137 - Now TCP 143 David Gillett (Feb 10)
- RE: UDP Port 137 - Now TCP 143 David Bovee (Feb 11)
- Re: UDP Port 137 - Now TCP 143 David Gillett (Feb 10)
- Re: UDP Port 137 - Now TCP 143 Lorens Kockum (Feb 08)