Firewall Wizards mailing list archives
Re: UDP Port 137 - Now TCP 143
From: "Daniel J. Gregor Jr." <dj () gregor com>
Date: Sat, 06 Feb 1999 23:43:09 -0500
"Burgess, John (EDS)" wrote:
> Does anyone know why would someone/something be hitting TCP port 143?
TCP port 143 is IMAP4--a protocol for accessing E-mail spools (similar to POP3, but much more featureful). Older versions of the UW IMAP server had multiple remote root exploits, and exploit code exists for multiple architectures (check rootshell.com). It's very common for crackers to scan a large range of addresses looking for IMAP servers that they can hack.
> This was at 2:30 AM from bay-030-b5.codetel.net.do (206.105.238.30 - Dominican Republic - a router?)
I did a quick traceroute and there was a large jump in round trip time between the above host and the hop before it, which is a strong indicator that it's a dial-up. Also the naming scheme is another clue--the hostname contains the last octet of the IP address. This is common for dynamically assigned IP addresses hanging off of access servers.

13 rabma203e001.codetel.net.do (206.105.238.2) 267.29 ms 296.916 ms 314.288 ms
14 bay-030-b5.codetel.net.do (206.105.238.30) 658.171 ms 407.217 ms 1763.867

- djg
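Added example, not part of the original message: the two indicators the reply describes (a large RTT jump at the last hop, and a hostname that embeds the IP's last octet) applied to traceroute output when triaging a scan source. The 100 ms threshold, the use of the minimum RTT per hop, and all function names are assumptions made for this sketch.

```python
import re

HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\d+\.\d+\.\d+\.\d+)\)\s+(.*)$")
# A number counts as an RTT only if followed by "ms" or end of line.
RTT_RE = re.compile(r"\d+(?:\.\d+)?(?=\s*ms|\s*$)")
JUMP_MS = 100.0  # assumed threshold for a "large" last-hop jump; tune per network

# The two hops quoted in the message above, copied as they appear there.
SAMPLE = """\
13 rabma203e001.codetel.net.do (206.105.238.2) 267.29 ms 296.916 ms 314.288 ms
14 bay-030-b5.codetel.net.do (206.105.238.30) 658.171 ms 407.217 ms 1763.867
"""

def parse_hops(text):
    """Return [(hop, hostname, ip, [rtt_ms, ...])] for hops that answered."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # headers and timeout-only ('* * *') hops are skipped
        rtts = [float(x) for x in RTT_RE.findall(m.group(4))]
        if rtts:
            hops.append((int(m.group(1)), m.group(2), m.group(3), rtts))
    return hops

def octet_in_hostname(hostname, ip):
    """True if a digit group in the first DNS label equals the IP's last octet."""
    last = int(ip.rsplit(".", 1)[1])
    label = hostname.split(".", 1)[0]
    # int() comparison so zero-padded groups such as "030" match octet 30.
    return any(int(g) == last for g in re.findall(r"\d+", label))

def dialup_indicators(text, jump_ms=JUMP_MS):
    """Apply both heuristics to the final hop of a traceroute."""
    hops = parse_hops(text)
    if len(hops) < 2:
        return None  # a previous hop is needed to measure the jump
    prev_rtts = hops[-2][3]
    _, host, ip, last_rtts = hops[-1]
    jump = min(last_rtts) - min(prev_rtts)  # min RTT damps queueing noise
    return {
        "host": host,
        "rtt_jump_ms": round(jump, 3),
        "large_last_hop_jump": jump >= jump_ms,
        "octet_in_hostname": octet_in_hostname(host, ip),
    }

if __name__ == "__main__":
    print(dialup_indicators(SAMPLE))
```

Both flags are indicators rather than proof; a slow or congested final link, or a static host whose name happens to carry its last octet, will also trip them.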