Security Incidents mailing list archives
Re: POP3 (110) Port Scans, New Exploit?
From: cmefford () AVWASHINGTON COM (Chip Mefford)
Date: Thu, 1 Jun 2000 10:58:31 -0400
I too had this happen a couple of weeks ago. The offending hosts were mapped to the Government of Ontario and some dial-up site in the Netherlands.

I have also seen more than just a few like this:

May 8 20:17:25 video1 ipop3d[28058]: Connection broken while reading line user=??? host=UNKNOWN

This is a new thing. Never saw these log entries before this month. I responded by disallowing access to pop3 from unknowns via inet services hosts.allow and hosts.deny.

Maybe I should have reported an incident?

On Mon, 29 May 2000, Crist J. Clark wrote:
Over the weekend, we had our address space scanned for POP3 services (port 110). The hosts involved were,

206.176.81.2
206.182.235.227
207.233.243.234 (host.domain.com)

I have attempted to notify responsible parties for each. We do have a POP server, and it did record what looks like a dropped login attempt,

May 28 04:14:50 newmail ipop3d[17145]: Command stream end of file while reading line user=??? host=[206.182.235.227]

But to the best of my estimates, there were no problems. Nothing in the logs, and my Tripwire on the box did not go off.

Any ideas why a sudden interest in POP3? I have not heard of any new "remote" exploits recently (although exploits where a valid user can get a shell have been demonstrated for some POPs and IMAPs recently).

--
Crist J. Clark cjc () scitec com
SciTec, Inc (609)921-3892 x252
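An added example, not part of either poster's message: one way to pull the pre-login drops described above (ipop3d lines ending with `user=???`) out of a syslog file and count them per source host. The sample log is constructed from the two lines quoted in the thread plus made-up entries; the function names and the repeat threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the two lines quoted in the thread, plus invented
# entries (a repeat probe, an authenticated user, an unrelated daemon).
SAMPLE_LOG = """\
May  8 20:17:25 video1 ipop3d[28058]: Connection broken while reading line user=??? host=UNKNOWN
May 28 04:14:50 newmail ipop3d[17145]: Command stream end of file while reading line user=??? host=[206.182.235.227]
May 28 04:14:52 newmail ipop3d[17150]: Command stream end of file while reading line user=??? host=[206.182.235.227]
May 28 09:02:11 newmail ipop3d[17301]: Connection broken while reading line user=alice host=[192.0.2.10]
May 28 09:05:40 newmail sshd[412]: Connection closed by 192.0.2.77
"""

# Matches only the two ipop3d disconnect messages shown in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<server>\S+)\s+ipop3d\[\d+\]:\s+"
    r"(?P<reason>Connection broken|Command stream end of file)"
    r" while reading line\s+user=(?P<user>\S+)\s+host=(?P<host>.+)$"
)


def preauth_drops(log_text):
    """Map source host -> [(timestamp, server, reason)] for sessions that
    ended before any username was supplied (logged as user=???)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None or m["user"] != "???":
            continue  # not ipop3d, or the client got as far as USER
        addr = re.search(r"\[([^\]]+)\]", m["host"])
        source = addr.group(1) if addr else m["host"].strip()
        hits[source].append((m["ts"], m["server"], m["reason"]))
    return dict(hits)


def repeat_sources(hits, threshold=2):
    """Resolved source addresses with at least `threshold` pre-login drops.
    host=UNKNOWN cannot be attributed, so it is reported separately."""
    return sorted(h for h, ev in hits.items()
                  if h != "UNKNOWN" and len(ev) >= threshold)


if __name__ == "__main__":
    found = preauth_drops(SAMPLE_LOG)
    for source, events in sorted(found.items()):
        print(f"{source}: {len(events)} pre-login drop(s)")
    print("repeat sources:", repeat_sources(found))
```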