Vulnerability Development mailing list archives

RE: pop3 exploit????


From: "leon" <leon () inyc com>
Date: Wed, 17 Oct 2001 20:46:59 -0400

EVERY SINGLE ONE??????? We are talking about a ton of IPs all from
different class A's.  I refuse to believe that.

Thanks anyway,

Cheers,

Leon

-----Original Message-----
From: Kaneda Akira [mailto:k_aneda () yahoo com] 
Sent: Wednesday, October 17, 2001 5:49 AM
To: leon
Cc: theog () yoda dnsq org; vuln-dev () securityfocus com
Subject: RE: pop3 exploit????

Try initiating a pop3 session instead, that server may have the banner
turned off for security reasons *grin*

---
Kaneda Akira
ICQ#49107701
Email: k_aneda () yahoo com
--
That's why we spend so much time trying to understand our own
motivations and those of others.  That's what makes life so
interesting.
    -- Kaji, Evangelion Ep 18

On Tue, 16 Oct 2001, leon wrote:

Date: Tue, 16 Oct 2001 15:20:18 -0400
From: leon <leon () inyc com>
To: theog () yoda dnsq org, 'John Thornton' <jthornton () hackersdigest com>
Cc: vuln-dev () securityfocus com
Subject: RE: pop3 exploit????

Ok.  I have to apologize to everyone.  I was being a bonehead (what
else is new?).  I was using super scanner and it would report 110 was
open and guess it was pop3.  But riddle me this, Batman (and woman):
why is it when I try to telnet to the offending IPs that I connect but
get no banner and after about 15 seconds it tells me connection lost.

What does the group suggest I do now????

-----Original Message-----
From: theog () yoda dnsq org [mailto:theog () yoda dnsq org] 
Sent: Tuesday, October 16, 2001 7:12 PM
To: John Thornton
Cc: leon; vuln-dev () securityfocus com
Subject: Re: pop3 exploit????


I agree with most of what's written below; here are some comments:
I would run some kind of IDS software on the scanned machines just to
know if these are just scans or if someone is actually trying to hack.
Snort from www.snort.org along with the arachNIDS ruleset from
www.whitehats.com should do it...

If indeed the attacker is just playing around, secure your systems as
much as you can (I would try attacking my own systems to see if there
is indeed somewhere they can strike).

I don't know what the effect of sending an e-mail to abuse () ISP net
will be, but I assume it won't stop the attacks; what's more, the
attacker might be using Trojans on innocent people's machines....

If the attacker is a blackhat, you probably don't want to try and scan
him or let him know in any way you are trying to track him down; the
response will probably be (assuming he's already been in one of your
systems...) attempts to try and erase any record that might turn his
identity... which might get quite ugly, and very painful for you.  Even
so called "script kiddies" with downloaded software from a "tripod
hosted site" can do real damage, see http://grc.com/dos/grcdos.htm so
think before you act...

Good luck
TheOg

 On Mon, 15 Oct 2001, John Thornton wrote:

> I constantly get scanned for the usual services (21, 23, 80,
> 12345, 27374, etc, etc) and when I scan these systems back the only

As do all of us who take the time to see who is hitting our boxes.

> thing they have in common (as far as running services) is 110 pop3.

One thing to look at is what pop3 daemon the server is running and
what version it is.  I would check securityfocus.com and
http://icat.nist.gov/icat.cfm (the ICAT metabase).  More often than
not the security hole used to exploit the other boxes is public.  I
would have to argue that if it was an unknown pop3 daemon exploit they
would most likely be scanning your box for the same vulnerable service
to exploit.  So if the addresses you have are blowing past 110 and
looking at ports like 12345, 27374 and other low-level trojan backdoor
attacks I would lean more towards a coincidence that they have port
110 open.

Now let's say they are all running a pop3 daemon like qpop (by the way,
I could not connect to any of those IP addresses you posted on port
110) and you can't find any known security holes for that version of
qpop; then in my mind it would be worth it to grab that socket
programming book and write a little server that listens on port 110
and displays the same banner as the rest of the attacking servers.
Then sniff to see just what in the hell it is doing.

With that said, one of the things that I do as a Network Administrator
is an nslookup on each address that scans my network.  This will tell
you a lot about who is attacking you.

AC9699EE.ipt.aol.com
cha213245047041.chello.fr
ua-213-112-62-68.cust.bredbandsbolaget.se
24-29-125-76.nyc.rr.com
pD4B894B3.dip.t-dialin.net
500.POS2-0.SR3.SEA9.ALTER.NET
p13-0.iplvin1-br1.bbnplanet.net

All of the addresses that scanned you (the ones you sent) belong to an
ISP of some sort.  That in itself should tell you that these are
low-level attackers.  Most likely these IP addresses belonged to the
attackers' home computers.  In that case what you should do (sadly not
practiced enough by the Network Admin community) is to report them to
abuse () isp net and attach the logs of the scan (make sure you include
your time zone, source and destination ports used) and let them take
care of it.  Most likely you and a few dozen Network Administrators
will report the same address and have Zero Cool's service taken away.
I have to say, there is nothing like drinking a cup of coffee in the
morning when checking your email to read that you played a role in
terminating one less script kid's ISP.  I digress.

Now, if these addresses translated into something like bob.com,
ford.com, etc... then that means you might be on to a real live hacker.
These are _always_ fun to help track down.  In that case I would call
the network admin on the phone, since we would assume the box is owned
by a hacker and most likely the network admin's mail is being read.

> like this.  I have no clue if these ips are static or dynamic.  This is

Again, an nslookup will tell you a lot, such as if the attacker has a
static or dynamic address.  These are all dynamic IP addresses.

To sum everything up.  Could this be some sort of sophisticated attack
of some unreported exploit to a pop3 daemon?  Hardly.  It looks to me
like script kids and their 'l33t' tools from some 'Hacking' site hosted
by Tripod.  The best thing you can do as a Network Administrator is to
report these to abuse of the ISP.  However, if the anti-terrorism bill
is passed (and it looks that way) I would urge you not to.  I know I
won't.  Getting script kids' service turned off is one thing, having
them sent to jail is another...

John Thornton  -  jthornton () hackersdigest com
Editor in Chief
Hackers Digest -  www.hackersdigest.com


     H  A  C  K  E  R  '  S    D  I  G  E  S  T
--------------------------------------------------
Issue 2 comes out November 1st. Will you get it?
--------------------------------------------------
                www.hackersdigest.com
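Two suggestions in the thread fit one added example: Kaneda's advice to initiate a POP3 session instead of waiting for a banner, and John's idea of writing a little server on port 110 that shows a banner and records what the scanners send. The code below is mine, not from any message above. It binds an ephemeral 127.0.0.1 port rather than the real 110 (which needs root and is only kept as a constant), and the three server modes, the USER/QUIT probe dialogue, the two-second timeouts and the state labels are my choices; nothing is assumed about the 2001 hosts themselves.

```python
"""Added example: a fake POP3 listener that records what a client sends,
plus a probe that starts a session even when no banner arrives."""
import socket
import threading

POP3_PORT = 110  # the real port; the demo binds an ephemeral 127.0.0.1 port (110 needs root)


class FakePop3Server(threading.Thread):
    """Mode 'banner': greets and answers like a POP3 server.
    Mode 'no_banner': answers commands but never sends the greeting
    (Kaneda's 'banner turned off' case).  Mode 'dead': accepts, says
    nothing, and drops the client after idle_timeout, like the hosts
    leon telnetted to.  Every command line is logged verbatim; that log
    is the 'sniffing' John proposes."""

    def __init__(self, mode="banner", banner="+OK POP3 server ready", idle_timeout=2.0):
        super().__init__(daemon=True)
        self.mode, self.banner, self.idle_timeout = mode, banner, idle_timeout
        self.transcripts = []  # one list of received command lines per connection
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]

    def run(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:  # listening socket closed by close()
                return
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        lines = []
        self.transcripts.append(lines)
        with conn:
            conn.settimeout(self.idle_timeout)
            if self.mode == "banner":
                conn.sendall((self.banner + "\r\n").encode())
            buf = b""
            try:
                while True:
                    chunk = conn.recv(1024)
                    if not chunk:  # client closed the connection
                        return
                    buf += chunk
                    while b"\n" in buf:
                        raw, buf = buf.split(b"\n", 1)
                        cmd = raw.decode(errors="replace").strip()
                        lines.append(cmd)  # record exactly what the client sent
                        if self.mode == "dead":
                            continue  # never answer anything
                        verb = cmd.split(" ", 1)[0].upper()
                        if verb == "QUIT":
                            conn.sendall(b"+OK bye\r\n")
                            return
                        conn.sendall(b"+OK\r\n" if verb in ("USER", "PASS") else b"-ERR unknown command\r\n")
            except OSError:  # idle timeout or broken client: drop it
                return

    def close(self):
        self.sock.close()


def _recv_line(sock):
    """One response line, or None if nothing arrived before the timeout / EOF."""
    try:
        data = sock.recv(512)
    except OSError:  # socket.timeout is an OSError subclass
        return None
    return data.decode(errors="replace").strip() or None


def probe_pop3(host, port, timeout=2.0, user="probe"):
    """Connect, wait for a greeting, then send USER regardless and classify
    the service from the two responses (or the lack of them)."""
    result = {"banner": None, "user_reply": None, "state": None}
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        result["banner"] = _recv_line(s)
        try:
            s.sendall(("USER %s\r\n" % user).encode())
            result["user_reply"] = _recv_line(s)
            s.sendall(b"QUIT\r\n")
        except OSError:
            pass  # peer already dropped us
    if result["banner"] and result["banner"].startswith("+OK"):
        result["state"] = "pop3-with-banner"
    elif result["user_reply"] is not None and result["user_reply"][:3] in ("+OK", "-ER"):
        result["state"] = "pop3-silent-banner"
    else:
        result["state"] = "open-but-not-talking"
    return result


if __name__ == "__main__":
    for mode in ("banner", "no_banner", "dead"):
        srv = FakePop3Server(mode=mode)
        srv.start()
        print(mode, probe_pop3("127.0.0.1", srv.port, timeout=1.0), srv.transcripts)
        srv.close()
```

Against a real scanner you would run the server in 'banner' mode with the banner copied from the other hosts and read the transcripts; against a silent host you would run the probe, and a '-ERR' or '+OK' to USER tells you POP3 is really there even with no greeting.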
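John's other point is the nslookup on each scanning address: the reverse names he lists encode the client's own address in the hostname, which is what marks them as a dialup or broadband pool. The example below is mine, not from the thread. It extracts that embedded address with three heuristics (hex-encoded, dashed or dotted decimal, and run-together decimal octets) and flags access-type keywords; the patterns and the keyword list are my assumptions rather than any standard, and the decoded addresses only say what the names encode, not who owns them. reverse_lookup wraps socket.gethostbyaddr and needs network access, so the sample run works purely on the names from the message plus one constructed control.

```python
"""Added example: pull the client address that ISPs embed in reverse-DNS
names, the clue John reads from his nslookup output."""
import re
import socket

# Constructed input: the reverse names John listed in the thread, plus one
# made-up corporate-looking name as a control.
SAMPLE_NAMES = [
    "AC9699EE.ipt.aol.com",
    "cha213245047041.chello.fr",
    "ua-213-112-62-68.cust.bredbandsbolaget.se",
    "24-29-125-76.nyc.rr.com",
    "pD4B894B3.dip.t-dialin.net",
    "500.POS2-0.SR3.SEA9.ALTER.NET",
    "p13-0.iplvin1-br1.bbnplanet.net",
    "mail.example.com",  # constructed control, not from the thread
]

# Assumed heuristics (mine, not a standard): pool names encode the address in
# one of three layouts, and often carry a keyword naming the access type.
_DASHED = re.compile(r"(?<![0-9])(\d{1,3})[-.](\d{1,3})[-.](\d{1,3})[-.](\d{1,3})(?![0-9])")
_RUN_TOGETHER = re.compile(r"(?<![0-9])(\d{3})(\d{3})(\d{3})(\d{3})(?![0-9])")
_HEX = re.compile(r"(?<![0-9A-Fa-f])([0-9A-Fa-f]{8})(?![0-9A-Fa-f])")
DYNAMIC_KEYWORDS = ("dip", "dialin", "dial", "dsl", "cable", "cust", "dyn", "pool", "ppp", "ipt")


def _octets_ok(octets):
    return all(0 <= o <= 255 for o in octets)


def embedded_ipv4(hostname):
    """Return the IPv4 address encoded in a reverse name, or None if none is found."""
    for pattern in (_DASHED, _RUN_TOGETHER):
        m = pattern.search(hostname)
        if m:
            octets = [int(g) for g in m.groups()]
            if _octets_ok(octets):
                return ".".join(str(o) for o in octets)
    m = _HEX.search(hostname)  # e.g. AC9699EE -> 172.150.153.238
    if m:
        value = int(m.group(1), 16)
        return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))
    return None


def classify(hostname):
    """Label a reverse name the way John reads it: an address encoded in the
    name, or an access-type keyword, points at a dynamic/residential pool."""
    labels = [label.lower() for label in hostname.split(".")]
    addr = embedded_ipv4(hostname)
    keyword = any(k in label for label in labels for k in DYNAMIC_KEYWORDS)
    if addr:
        kind = "address-in-name"
    elif keyword:
        kind = "keyword-only"
    else:
        kind = "no-dynamic-marker"
    return {"name": hostname, "embedded_ipv4": addr, "kind": kind}


def triage(names):
    """Classify a batch of reverse names (one per scanning source)."""
    return [classify(n) for n in names]


def reverse_lookup(ip):
    """The nslookup step itself; needs network access, so not used in the demo."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


if __name__ == "__main__":
    for row in triage(SAMPLE_NAMES):
        print("%-45s %-16s %s" % (row["name"], row["embedded_ipv4"] or "-", row["kind"]))
```

Names with no address and no keyword (the two backbone router interfaces in John's list, or a bob.com-style host) are the ones he says deserve a phone call rather than an abuse mail, because a name like that is not handed out from a dynamic pool.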






