Vulnerability Development mailing list archives

RE: pop3 exploit????


From: Simon Thornton <simon.thornton () swift com>
Date: Thu, 18 Oct 2001 12:33:53 +0200

Hi Leon,

The most likely explanation is that the service is 'wrapped' using something
like TCPD/XINETD and has an access list that excludes remote connections (or
at least yours). The wrapper validates the access list first and if denied,
drops the connection, the actual service daemon is not launched in this
case, hence no banner.  Some sysadmins also "booby-trap" the deny phase so
that it gathers additional info about the system connecting (running finger,
dig, rusers, queso and mails the results to them).

If you have access to a Linux box, have a look in /etc/inetd.conf and see if
you have any tcpd entries similar to the following:

        ftp   stream  tcp     nowait  root    /usr/sbin/tcpd  wu.ftpd -a

The rules are held in /etc/hosts.allow and /etc/hosts.deny

xinetd, which is a nice replacement for inetd, incorporates the
functionality of tcpd into the daemon and the access rules into
/etc/xinetd.conf.

There isn't anything you can "do" as such, service wrapping is designed as
another layer in the security model to keep out unwanted users and provide
an audit trail for service execution.


Rgds,

Simon
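The allow-first, deny-second check that tcpd performs, as an added example that is not part of Simon's post or of the tcpd/xinetd code: the two rule files below are constructed samples, the script implements a subset of the hosts_access(5) pattern syntax (ALL, LOCAL, leading-dot domain suffix, trailing-dot address prefix, net/mask, exact name or address, and EXCEPT), and the `daemon` names are assumed for the demo. It also shows why a refused client sees a TCP connect succeed but never gets a banner: inetd accepts the connection before the wrapper decides, so a denied client is simply closed.

```python
"""Simulate the TCP Wrappers (tcpd / libwrap) hosts_access decision.

Order, per hosts_access(5): /etc/hosts.allow is consulted first and a
match grants access; otherwise /etc/hosts.deny is consulted and a match
denies; no match in either file grants access.  This is an educational
re-implementation of a subset of the syntax, not the libwrap source.
"""
import ipaddress

# Constructed sample rule files (assumptions for this demo, not real hosts).
HOSTS_ALLOW = """
# pop3 only from the office LAN, one subnet, and one admin host
ipop3d : 10.1.2. 192.168.0.0/255.255.255.0 admin.example.net
sshd   : ALL EXCEPT .badisp.example
"""

HOSTS_DENY = """
# everything else is refused; a real deploy could add ': spawn ...' here
# to log the refused client, which is the "booby-trap" behaviour above
ALL : ALL
"""


def parse_rules(text):
    """Return [(daemon_tokens, client_tokens), ...]; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(':')]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append((fields[0].split(), fields[1].split()))
    return rules


def match_list(tokens, predicate):
    """Evaluate 'a b EXCEPT c d' as (a or b) and not (c or d); EXCEPT
    is right-associative, as in hosts_access(5)."""
    if 'EXCEPT' in tokens:
        i = tokens.index('EXCEPT')
        return match_list(tokens[:i], predicate) and not match_list(tokens[i + 1:], predicate)
    return any(predicate(t) for t in tokens)


def match_client(pattern, ip, host):
    """Match one client pattern against the connecting address / name."""
    if pattern == 'ALL':
        return True
    if pattern == 'LOCAL':                      # hostname without a dot
        return host is not None and '.' not in host
    if pattern.startswith('.'):                 # domain suffix, e.g. .example.net
        return host is not None and host.endswith(pattern)
    if pattern.endswith('.'):                   # address prefix, e.g. 10.1.2.
        return ip.startswith(pattern)
    if '/' in pattern:                          # net/mask, dotted or CIDR
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(ip) in net
    return pattern == ip or pattern == host     # exact address or hostname


def hosts_access(daemon, ip, host=None, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """True if the wrapper would hand the connection to the daemon."""
    def daemon_ok(t):
        return t == 'ALL' or t == daemon

    def client_ok(t):
        return match_client(t, ip, host)

    for daemons, clients in parse_rules(allow):
        if match_list(daemons, daemon_ok) and match_list(clients, client_ok):
            return True
    for daemons, clients in parse_rules(deny):
        if match_list(daemons, daemon_ok) and match_list(clients, client_ok):
            return False
    return True


def pop3_response(ip, host=None):
    """What a telnet client would see: inetd has already completed the TCP
    handshake, so a denied client gets no banner, just a close."""
    if hosts_access('ipop3d', ip, host):
        return '+OK POP3 server ready'          # banner from the real daemon
    return ''                                   # wrapper closed the socket


if __name__ == '__main__':
    for client in [('10.1.2.55', None), ('192.168.1.7', None),
                   ('203.0.113.9', 'admin.example.net')]:
        print(client, repr(pop3_response(*client)))
```

The decision is the same one libwrap makes in `hosts_ctl()`, so a quick way to check why a wrapped service shows no banner is to run the host's own /etc/hosts.allow and /etc/hosts.deny through `hosts_access()` with the client address you are connecting from; the real tool for this is `tcpdmatch(8)`, which ships with TCP Wrappers.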

-----Original Message-----
From: leon [mailto:leon () inyc com]
Sent: Tuesday, October 16, 2001 21:20
To: theog () yoda dnsq org; 'John Thornton'
Cc: vuln-dev () securityfocus com
Subject: RE: pop3 exploit????

Ok.  I have to apologize to everyone.  I was being a bonehead (what else
is new?).  I was using super scanner and it would report 110 was open
and guess it was pop3.  But riddle me this Batman (and woman): why is it
when I try to telnet to the offending IPs that I connect but get no
banner, and after about 15 seconds it tells me connection lost?
