From owner-freebsd-questions Tue Apr 20 23:21:44 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from cygnus.rush.net (cygnus.rush.net [209.45.245.133]) by hub.freebsd.org (Postfix) with ESMTP id 9A2551515F for ; Tue, 20 Apr 1999 23:21:42 -0700 (PDT) (envelope-from bright@rush.net)
Received: from localhost (bright@localhost) by cygnus.rush.net (8.9.3/8.9.3) with SMTP id BAA14560; Wed, 21 Apr 1999 01:35:11 -0500 (EST)
Date: Wed, 21 Apr 1999 01:35:07 -0500 (EST)
From: Alfred Perlstein
To: kelvin Liu
Cc: questions@freebsd.org
Subject: Re: popper error
In-Reply-To: <371D45BA.B39143E3@taipingcarpets.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Wed, 21 Apr 1999, kelvin Liu wrote:

> Dear Alfred,
>
> When I read my freebsd server log file "messages". I see some error that
> I don't know how to fix. Could you help me? The message is
>
> popper [9064] : @[203.101.3.38] -Err too many argurments for the user
> command
> popper [9064] : @[203.101.3.38] -Err Eof received
> :
> :
> popper [9041] :@[203.90.229.143] : -Err too few argurments for the auth
> command.
> popper [9041] :karensun@[203.90.229.143] -Err Unknow command "xsender"

Two things may be happening:

1) several months ago there was an exploit for the program "popper"
   that allowed remote people to exploit a buffer overrun allowing
   them to gain root access to your machine

2) you have a user that is experimenting with accessing your pop3
   server by hand, you can test this out yourself by typing
   "telnet localhost pop3" this will connect you to your own pop3
   port where you can try to converse with the server.

What I suggest doing is seeing if you have a user on your system
called "karensun" perhaps or track down the IP address 203.90.229.143
and speak to the user that is connecting to your machines and causing
this error.

They may just be inquisitive, or they may be trying to exploit your
machines. I lean towards suspecting '2' because this doesn't look
like the typical pattern that would show up if you were under attack.

Lastly, I'm not all that familiar with the pop3 protocol, perhaps they
have a non-standard client that is misbehaving.

In any case it's worth investigating.

-Alfred

>
>
> Thanks
>
> Regards,
> Kelvin
>

-Alfred
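
One way to follow up on the advice to track down the connecting address, as an added example that is not part of the original thread: group popper "-Err" entries by client IP so that each source's user names, sessions and errors can be reviewed together. The regular expression is an assumption based on the lines as quoted in the message, not on popper's exact syslog format, and `summarize` is a hypothetical helper name.

```python
import re
from collections import defaultdict

# Sample input: the four log entries quoted in the message above, with the
# mail-wrapped lines rejoined. Spacing and spelling are kept as posted.
SAMPLE = '''\
popper [9064] : @[203.101.3.38] -Err too many argurments for the user command
popper [9064] : @[203.101.3.38] -Err Eof received
popper [9041] :@[203.90.229.143] : -Err too few argurments for the auth command.
popper [9041] :karensun@[203.90.229.143] -Err Unknow command "xsender"
'''

# Tolerant pattern (assumed from the lines as posted): an optional user name
# before "@[ip]", an optional colon, then the "-Err" text.
LINE_RE = re.compile(
    r'popper\s*\[(?P<pid>\d+)\]\s*:\s*(?P<user>[^\s@]*)@\[(?P<ip>[0-9.]+)\]'
    r'\s*:?\s*-err\s+(?P<msg>.+)', re.IGNORECASE)

def summarize(text):
    """Group popper -Err entries by client IP; return (by_ip, skipped)."""
    by_ip = defaultdict(lambda: {"users": set(), "pids": set(), "errors": []})
    skipped = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            if line.strip():
                skipped.append(line)  # keep unparsed lines for manual review
            continue
        entry = by_ip[m["ip"]]
        entry["pids"].add(int(m["pid"]))
        if m["user"]:  # popper logs no name until the client sends one
            entry["users"].add(m["user"])
        entry["errors"].append(m["msg"].strip())
    return dict(by_ip), skipped

if __name__ == "__main__":
    by_ip, skipped = summarize(SAMPLE)
    for ip, e in sorted(by_ip.items()):
        users = ", ".join(sorted(e["users"])) or "(no user logged)"
        print(f"{ip}  sessions={sorted(e['pids'])}  users={users}")
        for msg in e["errors"]:
            print(f"    -Err {msg}")
    if skipped:
        print(f"{len(skipped)} line(s) not recognised")
```
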