nanog mailing list archives
Re: heads up ... another imapd attack source
From: "David P. Maynard" <dpm () flametree com>
Date: Mon, 14 Dec 1998 22:46:17 -0600
[Considering the importance of supporting servers to network operations, I think this falls within bounds. More detailed discussions are probably better placed on one of the noisier lists like inet-access.]
Just a few minutes ago, another attempted IMAPD breakin. This one originated from rock.careers.csulb.edu [134.139.149.100]. It was logged at Dec 14 16:59:56 CST.
We get 'hits' on some of our imap and telnet trap doors at least once per day. The frequency has definitely increased since the apparent release of worm-like scripts that are self propagating. One customer had an unpatched imapd that was hit. It left an interesting footprint on the box, including various hidden directories and sniffer programs running. It didn't do a very good job of hiding itself, though, and the box crashed while it was installing itself.

Although shutting down the services is enough to stop the attack, we find it handy to deploy trap doors using the TCP wrappers. Below is a quick-n-dirty example that has served us well so far. (Tweak to suit your platform.)

/etc/inetd.conf:

    telnet stream tcp nowait nobody /usr/sbin/tcpd telnet.trap

/etc/hosts.allow:

    telnet.trap: ALL: spawn (/bin/echo ALERT %A %d hit from %a | /bin/mail -s "ALERT %A %d hit from %a" trapperlist) &: DENY

You probably want to avoid any DNS resolution in the traps since that could expose you to DNS hacks. As far as I know, the above rules are secure, but I certainly welcome improvements.

In the "good old days" a reverse finger directed at the attacker could reveal some useful data. These days, finger results are pretty much useless.

Most of the recent attacks look fairly automated. There is obviously one kit floating around that probes the telnet and imap ports in a particular order. Almost all of the attacks target registered name servers, although mail servers are another favorite.

-dpm

--
David P. Maynard, Flametree Corporation
EMail: dpm () flametree com, Tel: +1 512 670 4090, Fax: +1 512 251 8308
--
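As an added example (not part of the original post), here is a small triage script for the alert mail the hosts.allow spawn rule above produces: it parses subjects of the form "ALERT %A %d hit from %a", groups hits by probing address, and flags sources that touched both the telnet and imap traps, the automated telnet-then-imap pattern the post describes. The daemon name "imap.trap" and the sample lines are assumptions; the post only shows the telnet trap.

```python
"""Summarise tcpd trap alerts shaped 'ALERT <server> <daemon> hit from <client>'."""
import re
from collections import defaultdict

# Subject format produced by the hosts.allow rule: ALERT %A %d hit from %a
# (%A = server address, %d = daemon name, %a = client address; no hostnames,
# so no DNS lookups are involved in the alert itself).
ALERT_RE = re.compile(
    r"ALERT (?P<server>\d{1,3}(?:\.\d{1,3}){3}) (?P<daemon>\S+) "
    r"hit from (?P<client>\d{1,3}(?:\.\d{1,3}){3})"
)

def parse_alert(line):
    """Return (server, daemon, client) or None if the line is not a trap alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return m.group("server"), m.group("daemon"), m.group("client")

def summarise(lines):
    """Per probing client: total hits and the trap daemons touched, in first-seen order."""
    hits = defaultdict(lambda: {"count": 0, "daemons": []})
    for line in lines:
        parsed = parse_alert(line)
        if parsed is None:
            continue  # unrelated mail or log line
        _server, daemon, client = parsed
        entry = hits[client]
        entry["count"] += 1
        if daemon not in entry["daemons"]:
            entry["daemons"].append(daemon)
    return dict(hits)

def likely_kit_scans(summary):
    """Clients that hit both the telnet and imap traps, the automated-kit pattern."""
    return sorted(c for c, e in summary.items()
                  if {"telnet.trap", "imap.trap"} <= set(e["daemons"]))

# Constructed sample alerts (documentation address ranges), not real traffic.
SAMPLE = [
    "ALERT 192.0.2.53 telnet.trap hit from 203.0.113.7",
    "ALERT 192.0.2.53 imap.trap hit from 203.0.113.7",
    "ALERT 192.0.2.25 imap.trap hit from 198.51.100.9",
    "Dec 14 16:59:56 ns1 sendmail[123]: unrelated log line",
]

if __name__ == "__main__":
    s = summarise(SAMPLE)
    for client, e in s.items():
        print(client, e["count"], " -> ".join(e["daemons"]))
    print("kit-like sources:", likely_kit_scans(s))
```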