Re: pop3 exploit????

["John Thornton" <jthornton () hackersdigest com>]

> I constantly get scanned for the usual services (21, 23, 80,
> 12345, 27374, etc, etc) and when I scan these systems back the only

As we all do who takes the time to see who is hitting our boxes.

> thing they have in common (as far as running services) is 110 pop3.

One thing to look at is what pop3 daemon the server is running and what
version it is. I would check securityfocus.com and
http://icat.nist.gov/icat.cfm ( The icat metabase). More often then not the
security hole used to exploit the other boxes ispublic. I would have to
argue that if it was a unknown pop3 daemon exploit they would most likely be
scanning your box for the same vulnerable service to exploit. So if the
address you have are blowing pass 110 and looking at ports like  12345,
27374 and other low level trojan backdoor attacks I would lean more towards
a coincidence that they have port 110 open.

Now lets say they are all running a pop3 daemon like qpop ( By the way I
could not connect to any of those ip address you posted on port 110 ) and
you can't find any known security holes for that version of qpop then in my
mind it would be worth it to grab that socket programming book and write a
little server that listens on port 110 and displays the same banner as the
rest of the attacking servers. Then sniff to see just what in the hell it is
doing.

With that said, one of the things that I do as a Network Administrator is a
nslookup on each address that scans my network. This will tell you a lot
about who is attacking you.

AC9699EE.ipt.aol.com
cha213245047041.chello.fr
ua-213-112-62-68.cust.bredbandsbolaget.se
24-29-125-76.nyc.rr.com
pD4B894B3.dip.t-dialin.net
500.POS2-0.SR3.SEA9.ALTER.NET
p13-0.iplvin1-br1.bbnplanet.net

All of the address that scanned you ( The ones you sent ) belong to a isp of
some sort. That in it self should tell you that these are low level
attackers. Most likely these ip address belonged to the attackers home
computer. In that case what you should do (Sadly not practice enough by the
Network Admin Community) is to report them to abuse () isp net and attach the
logs of the scan (Make sure you include your time zone, source and
destination ports used) and let them take care of it. Most likely you and a
few dozen Network Administrators will report the same address and have Zero
Cool's service taken away. I have to say, there is nothing like drinking a
cup a coffee in the morning when checking your email to read that you played
a role in terminating one less script kids isp. I digress.

Now, if these address translated into something like bob.com, ford.com,
etc... then that means you might be on to a real live hacker. These are
_always_ fun to help track down. In that case I would call the network admin
on the phone, since we would assume the box is owned by a hacker and most
likely the network admin's mail is being read.

> like this.  I have no clue if these ips are static or dynamic.  This is

Again, a nslookup will tell you a lot, such as if the attacker has a static
or dynamic address. These are all dynamic ip address.

To sum everything up. Could this be some sort of sophisticated attack of
some unreported exploit to a pop3 daemon? Hardly. It looks to me like script
kids and there 'l33t' tools from some 'Hacking' site hosted by tripod. The
best thing you can do as a Network Administrator is to report these to abuse
of the isp. However, if the anti-terrorism bill is passed (and it looks that
way) I would urge you not to. I know I wont. Getting script kids service
turn off is one thing, having them sent to jail is another...

John Thornton  -  jthornton () hackersdigest com
Editor in Chief
Hackers Digest -  www.hackersdigest.com


     H  A  C  K  E  R  '  S    D  I  G  E  S  T
--------------------------------------------------
Issue 2 comes out November 1st. Will you get it?
--------------------------------------------------
                www.hackersdigest.com