Date:      Mon, 1 Jun 1998 17:44:33 -0500
From:      "J.A. Terranson" <sysadmin@mfn.org>
To:        "'Tristy Granger'" <tgranger@McMaster.CA>
Cc:        "'rmras@primary.gtu.com'" <rmras@primary.gtu.com>
Subject:   (Admittedly Premature) Exploit (?) Warning.
Message-ID:  <01BD8D84.F10618B0@w3svcs.mfn.org>

While I realize that this issue may not yet be "ripe", as the folks involved
(myself and at least three other sites) have not yet firmly established just
*exactly* what is going on here, but...

There appears to be some kind of exploit making the rounds that utilizes
TCP packets from port "0" (yes, that's *zero*) to the IMAP port, 143.  These
packet traces are right now available only as historical log entries that are
*loosely* associated with 2 successful "root" attacks against IMAP enabled
servers, an unsuccessful attack against another (ours), and the possible
compromise of another.

	In short, I don't know a lot, other than in the course of reviewing my
daily logs, I saw a couple of freaky packets (above) addressed to my
nameservers (both of them).  They were rejected and logged at the routers,
however, as a common courtesy, we notified the admin of the "sending"
machine that they had a sick box.  As it developed, this person had
received other emails regarding this from other admins, 2 of which had
suffered the successful attacks mentioned above - all of us seeing the
originating machine as the same box.  It is unknown if the source address was spoofed.

	Basically, I think this is just a "common-cause" warning to look out
for weird packets of this nature, and to take notice if you see any.

	Rather than keep a running blow-by-blow going on the various lists,
please address anything regarding this to me directly...

Thanks
J.A. Terranson
sysadmin@mfn.org
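The observable the post describes is simple to check for in router or firewall deny logs: TCP packets whose source port is 0 (a reserved value that no normal TCP stack chooses for outbound connections) aimed at the IMAP port, 143. The following script is an added example, not code from the post or its author. It parses a constructed, hypothetical log format (timestamp, action, protocol, src:port -> dst:port), and the sample lines and addresses in it are made up for illustration; adapt the regex to whatever your own router emits. It goes slightly beyond the post by flagging any TCP source-port-0 traffic as an anomaly, and rating hits against watched ports (143 by default) as high severity.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample log lines (not from the post). Assumed format:
#   <timestamp> <action> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
SAMPLE_LOG = """\
Jun  1 03:12:07 deny tcp 203.0.113.7:0 -> 192.0.2.10:143
Jun  1 03:12:07 deny tcp 203.0.113.7:0 -> 192.0.2.11:143
Jun  1 03:12:09 permit tcp 198.51.100.5:51234 -> 192.0.2.10:143
Jun  1 03:13:44 permit tcp 198.51.100.9:0 -> 192.0.2.10:25
Jun  1 03:15:02 permit udp 198.51.100.20:53 -> 192.0.2.10:53
"""

# Regex for the assumed log format above; tune this for a real device.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    action: str
    severity: str  # "high" when the destination is a watched port, else "low"


def parse_line(line: str):
    """Return the regex match groups for one log line, or None if it
    does not fit the assumed format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_reserved_port_probes(log_text: str, watched_ports=(143,)) -> List[Finding]:
    """Flag TCP packets with source port 0. Legitimate clients never pick
    source port 0, so any such packet is an anomaly; a hit against one of
    the watched destination ports (IMAP/143 by default) is rated high."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"].lower() != "tcp":
            continue
        if int(rec["sport"]) != 0:
            continue
        dport = int(rec["dport"])
        findings.append(Finding(
            ts=rec["ts"],
            src=rec["src"],
            dst=rec["dst"],
            dport=dport,
            action=rec["action"],
            severity="high" if dport in watched_ports else "low",
        ))
    return findings


def sources_to_notify(findings: List[Finding]) -> List[str]:
    """Distinct originating addresses, so each sending site's admin can be
    told about the traffic (the 'common courtesy' step in the post)."""
    return sorted({f.src for f in findings})


if __name__ == "__main__":
    for f in find_reserved_port_probes(SAMPLE_LOG):
        print(f"{f.ts} {f.severity.upper():4} {f.src} -> {f.dst}:{f.dport} ({f.action})")
    print("notify:", ", ".join(sources_to_notify(find_reserved_port_probes(SAMPLE_LOG))))
```

Run against the constructed sample, the two denied packets to port 143 come out as high-severity hits and the source-port-0 packet to port 25 as a low-severity anomaly; the normal IMAP session and the UDP line are ignored. Whether the source address is spoofed cannot be decided from a log line alone, which is why the output lists the addresses to notify rather than treating them as confirmed attackers.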
