Security Incidents mailing list archives
Re: Break-in attempt from 203.197.38.247
From: Fernando Cardoso <fernando () BN PT>
Date: Thu, 24 Aug 2000 09:21:25 +0100
> > This morning we discovered a possible break-in attempt. The alert came
> > from continuous retries on the pop3 and telnet ports. POP3 was accidentally
> > left open although no pop3 service nor mail service is installed.
> > From /var/log/secure:
> > --------------------
> > Aug 22 01:09:34 jupiter ipop3d[3954]: connect from 203.197.38.247
> > Aug 22 01:09:34 jupiter ipop3d[3954]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
>
> Check your logs, the original attack must have occurred before this...
> The intruder damaged your system and deleted files before, including ipop3d.
Maybe not. What happened here was probably this: inetd.conf had an uncommented pop3d line pointing to /usr/sbin/ipop3d. Because of that, inetd was listening on port 110, but ipop3d was not installed. As far as I remember, some distributions like RedHat don't install pop3 in a default installation. So, this was probably a pre-attack TCP connect() port scan made by 203.197.38.247.

Fernando

_________________________________________________________________
Fernando Cardoso          Phone:   +351 21 7982186
Network Administrator     Fax:     +351 21 7982185
National Library          E-mail:  fernando () bn pt
Portugal                  PGP ID:  28551CB8
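The situation Fernando describes (inetd listening on a port whose server binary is missing, so every connection yields a "cannot execute" error, and one source touching several wrapped services) is easy to check for on the defender's side. The script below is an added example, not code from anyone in this thread: it audits the active entries of an inetd.conf fragment against the binaries they point to, then summarises tcpd-style "connect from" records by source host. The inetd.conf fragment and all log lines except the two posted above are constructed for illustration; the 192.0.2.10 address is a documentation-range placeholder, and the assumption that tcpd looks for unqualified daemon names in /usr/sbin is stated in the code.

```python
"""Audit inetd.conf entries against installed binaries and summarise
/var/log/secure-style connection records by source host.

Added example for this thread; inetd.conf fragment and most log lines
are constructed, not taken from the poster's system."""
import os
import re
from collections import Counter, defaultdict

# Constructed inetd.conf fragment: ftp commented out, telnet and pop-3
# active and wrapped by tcpd, with no ipop3d binary installed.
INETD_CONF = """\
# <service> <type> <proto> <wait> <user> <server_path> <args>
#ftp    stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
"""

# Constructed log excerpt; the first two lines are the ones posted above.
SECURE_LOG = """\
Aug 22 01:09:34 jupiter ipop3d[3954]: connect from 203.197.38.247
Aug 22 01:09:34 jupiter ipop3d[3954]: error: cannot execute /usr/sbin/ipop3d: No such file or directory
Aug 22 01:09:35 jupiter in.telnetd[3955]: connect from 203.197.38.247
Aug 22 01:09:41 jupiter in.telnetd[3957]: connect from 203.197.38.247
Aug 22 08:15:02 jupiter in.telnetd[4012]: connect from 192.0.2.10
"""

# Assumption: tcpd resolves an unqualified daemon name relative to its
# REAL_DAEMON_DIR, taken here to be /usr/sbin.
TCPD_DAEMON_DIR = "/usr/sbin"

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
CONNECT_RE = re.compile(r"^connect from (?P<src>\S+)$")
EXEC_ERR_RE = re.compile(
    r"^error: cannot execute (?P<path>\S+): No such file or directory$"
)


def parse_inetd(text):
    """Return the active (uncommented, well-formed) inetd.conf entries."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed line; inetd would not start it either
        entries.append({
            "service": fields[0],
            "server": fields[5],
            # When wrapped by tcpd the first argument names the real daemon.
            "prog": fields[6] if len(fields) > 6 else os.path.basename(fields[5]),
        })
    return entries


def resolve_server(entry):
    """Path inetd (or tcpd on its behalf) will try to execute per connection."""
    if os.path.basename(entry["server"]) == "tcpd":
        return os.path.join(TCPD_DAEMON_DIR, entry["prog"])
    return entry["server"]


def missing_servers(entries, installed=None):
    """Active entries whose binary is absent: inetd still accepts the
    connection, then logs 'cannot execute' for every attempt.
    `installed` is an optional set of paths used instead of the real FS."""
    def present(path):
        return path in installed if installed is not None else os.path.exists(path)
    return [(e["service"], resolve_server(e))
            for e in entries if not present(resolve_server(e))]


def summarize_secure_log(lines):
    """Per-source connection counts, per-source set of services touched,
    and the (daemon, path) pairs that failed to execute."""
    summary = {"connects": Counter(), "services": defaultdict(set), "missing": []}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        prog, msg = m.group("prog"), m.group("msg")
        c = CONNECT_RE.match(msg)
        if c:
            summary["connects"][c.group("src")] += 1
            summary["services"][c.group("src")].add(prog)
            continue
        e = EXEC_ERR_RE.match(msg)
        if e:
            summary["missing"].append((prog, e.group("path")))
    return summary


def multi_service_sources(summary, min_services=2):
    """Sources that hit several wrapped services, the pattern of a connect() scan."""
    return sorted(src for src, progs in summary["services"].items()
                  if len(progs) >= min_services)


if __name__ == "__main__":
    entries = parse_inetd(INETD_CONF)
    print("active entries:", [e["service"] for e in entries])
    print("listening but not installed:", missing_servers(entries))
    s = summarize_secure_log(SECURE_LOG.splitlines())
    print("connects per source:", dict(s["connects"]))
    print("failed daemons:", s["missing"])
    print("multi-service sources:", multi_service_sources(s))
```

On a real host, call `missing_servers(parse_inetd(open("/etc/inetd.conf").read()))` with no `installed` argument so the check runs against the filesystem; any entry it returns is a port that answers connections without a working service behind it and should be commented out, which removes both the noise and the listening socket.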
Current thread:
- Break-in attempt from 203.197.38.247 Cronje Schalk (Aug 22)
- Re: Break-in attempt from 203.197.38.247 M ixter (Aug 23)
- Re: Break-in attempt from 203.197.38.247 Valdis Kletnieks (Aug 23)
- Re: Break-in attempt from 203.197.38.247 Nick Phillips (Aug 24)
- Re: Break-in attempt from 203.197.38.247 Valdis Kletnieks (Aug 24)
- Re: Break-in attempt from 203.197.38.247 Jason Storm (Aug 24)
- Re: Break-in attempt from 203.197.38.247 Nick Phillips (Aug 24)
- <Possible follow-ups>
- Re: Break-in attempt from 203.197.38.247 Fernando Cardoso (Aug 24)
- Re: Break-in attempt from 203.197.38.247 Richard Fein (Aug 25)
- Re: Break-in attempt from 203.197.38.247 Ian Eure (Aug 25)