Security Incidents mailing list archives

Re: POP3 (110) Port Scans, New Exploit?


From: cmefford () AVWASHINGTON COM (Chip Mefford)
Date: Thu, 1 Jun 2000 10:58:31 -0400


I too had this happen a couple of weeks ago,

The offending hosts were mapped to the Government of
Ontario and some dial-up site in the Netherlands.

I have also seen more than just a few like this:

May  8 20:17:25 video1 ipop3d[28058]: Connection broken while reading line user=??? host=UNKNOWN

This is a new thing. Never saw these log entries before this
month.

I responded by disallowing access to pop3 from unknowns
via inet services hosts.allow and hosts.deny.

Maybe I should have reported an incident?

On Mon, 29 May 2000, Crist J. Clark wrote:

Over the weekend, we had our address space scanned for POP3 services
(port 110). The hosts involved were,

  206.176.81.2
  206.182.235.227
  207.233.243.234 (host.domain.com)

I have attempted to notify responsible parties for each.

We do have a POP server, and it did record what looks like a dropped
login attempt,

May 28 04:14:50 newmail ipop3d[17145]: Command stream end of file while reading line user=??? host=[206.182.235.227]

But to the best of my estimates, there were no problems. Nothing in
the logs, and my Tripwire on the box did not go off.

Any ideas why a sudden interest in POP3? I have not heard of any new
"remote" exploits recently (although exploits where a valid user can
get a shell have been demonstrated for some POPs and IMAPs recently).
--
Crist J. Clark                              cjc () scitec com
SciTec, Inc                             (609)921-3892 x252
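
Added example, not part of the original thread or written by either poster: a small Python parser that picks the two ipop3d abort messages quoted above out of syslog and groups them by source, so a scan across several POP servers stands out. The sample lines marked "constructed" (servers `mail2`, `192.0.2.x` addresses, user `alice`) and the `min_servers` threshold are assumptions for illustration.

```python
import re
from collections import defaultdict

# Shape of the ipop3d syslog lines quoted in the thread.
LINE_RE = re.compile(
    r"^\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} (?P<server>\S+) ipop3d\[\d+\]: "
    r"(?P<msg>.*?) user=(?P<user>\S+) host=(?P<host>.+)$"
)
# The two session-abort messages that appear in the thread.
ABORT_MSGS = {
    "Connection broken while reading line",
    "Command stream end of file while reading line",
}

def source_of(host_field):
    """Return the bracketed address if present, else the raw field (e.g. UNKNOWN)."""
    m = re.search(r"\[([0-9.]+)\]", host_field)
    return m.group(1) if m else host_field.strip()

def summarize(lines):
    """Map each source to its count of aborted sessions and the servers it touched."""
    hits = defaultdict(lambda: {"count": 0, "servers": set()})
    for line in lines:
        m = LINE_RE.match(line.strip())
        # user=??? : no user name was recorded for the session.
        if m and m["user"] == "???" and m["msg"] in ABORT_MSGS:
            rec = hits[source_of(m["host"])]
            rec["count"] += 1
            rec["servers"].add(m["server"])
    return {s: {"count": r["count"], "servers": sorted(r["servers"])}
            for s, r in hits.items()}

def sweepers(summary, min_servers=2):
    """Sources with aborted sessions on several servers (threshold is an assumption)."""
    return sorted(s for s, r in summary.items()
                  if s != "UNKNOWN" and len(r["servers"]) >= min_servers)

SAMPLE_LOG = [
    # The two lines quoted in the thread:
    "May  8 20:17:25 video1 ipop3d[28058]: Connection broken while reading line user=??? host=UNKNOWN",
    "May 28 04:14:50 newmail ipop3d[17145]: Command stream end of file while reading line user=??? host=[206.182.235.227]",
    # Constructed lines (documentation addresses, hypothetical server and user):
    "May 28 04:15:02 newmail ipop3d[17150]: Command stream end of file while reading line user=??? host=[192.0.2.10]",
    "May 28 04:15:03 mail2 ipop3d[901]: Connection broken while reading line user=??? host=[192.0.2.10]",
    "May 28 08:01:10 newmail ipop3d[17301]: Connection broken while reading line user=alice host=[192.0.2.44]",
]

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for src, rec in report.items():
        print(src, rec)
    print("multi-server sources:", sweepers(report))
```
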


