
heads up ... another imapd attack source


Phil Howard

Dec 14, 1998, 3:00:00 AM
Just a few minutes ago, another attempted IMAPD breakin.
This one originated from rock.careers.csulb.edu [134.139.149.100].
It was logged at Dec 14 16:59:56 CST.

Christian Nielsen

Dec 14, 1998, 3:00:00 AM

Yea... They are going on all over the net. The problem is that many people are
on the net putting up boxes that have the 'standard' OS install and not
patching the system or following bugtraq etc. They get into one and then
another and another.

There really needs to be a clearing house for companies to get together and
help track down these so called great hackers (script kiddies).

We had a breakin from gtecablemodem.com around midnight and couldn't get a
hold of anyone. We don't peer with them so our contact info was limited. I
even checked out the NOC page info sites and they (as well as GTE) were not
listed.

But, to this day, they still have an open relay on their cable modem network
that allows script kiddies from around the world to use them (1).

We are starting to put together information for NOCs and now we need
numbers for network security in each company... Maybe NANSG (North American
Network Security Group). Then when we attend meetings, we can sign each other's
PGP keys so we know who we are dealing with.

Christian

(1) if anyone from GTE Cable would like to contact me, I would be glad to give
them the site they are using as a relay.

Bradley Reynolds

Dec 14, 1998, 3:00:00 AM
As a general question, is this mailing list concerned with the
operation of end nodes? It was always my thought that network
operations covered the ether between end nodes.

I don't want to start a big debate, though I would prefer a public
answer by a clued party.

BR

Hui-Hui Hu

Dec 14, 1998, 3:00:00 AM

IMNSHO -

NANOG is not a NOC, and end-users are 99% of the time going
to be much happier if they call their upstreams directly.

Also many many people mistake NANOG for inet-access or
com-priv or cisco-nsp (myself included, often).

Back to normal life

-h

: As a general question, is this mailing list concerned with the

Roeland M.J. Meyer

Dec 14, 1998, 3:00:00 AM
FYI: Not that I sell shell accounts anyway, but I additionally block all
non-http access from *.EDU with tcp_wrappers, and my POP3 is wrapped up in
SSH. IMAPD was shot and buried (deleted) a long time ago.

At 03:13 PM 12/14/98 , Phil Howard wrote:
>Just a few minutes ago, another attempted IMAPD breakin.
>This one originated from rock.careers.csulb.edu [134.139.149.100].
>It was logged at Dec 14 16:59:56 CST.
>

___________________________________________________
Roeland M.J. Meyer -
e-mail: mailto:rme...@mhsc.com
Internet phone: hawk.lvrmr.mhsc.com
Personal web pages: http://staff.mhsc.com/~rmeyer
Company web-site: http://www.mhsc.com
___________________________________________________
Who is John Galt?
- "Atlas Shrugged" - Ayn Rand

Roeland M.J. Meyer

Dec 14, 1998, 3:00:00 AM
Just about everyone here is running multiple *NIX servers on a *.NET
somewhere, including Phil Howard.

At 11:37 AM 12/14/98 , Bradley Reynolds wrote:
>As a general question, is this mailing list concerned with the
>operation of end nodes? It was always my thought that network
>operations covered the ether between end nodes.
>
>I don't want to start a big debate, though I would prefer a public
>answer by a clued party.
>
>BR

David P. Maynard

Dec 14, 1998, 3:00:00 AM

[Considering the importance of supporting servers to network operations, I
think this falls within bounds. More detailed discussions are probably
better placed on one of the noisier lists like inet-access.]

> Just a few minutes ago, another attempted IMAPD breakin.
> This one originated from rock.careers.csulb.edu [134.139.149.100].
> It was logged at Dec 14 16:59:56 CST.

We get 'hits' on some of our imap and telnet trap doors at least once per
day. The frequency has definitely increased since the apparent release of
worm-like scripts that are self propagating. One customer had an
unpatched imapd that was hit. It left an interesting footprint on the box
including various hidden directories and sniffer programs running. It
didn't do a very good job of hiding itself though and the box crashed
while it was installing itself.

Although shutting down the services is enough to stop the attack, we find
it handy to deploy trap doors using the TCP wrappers. Below is a
quick-n-dirty example that has served us well so far. (Tweak to suit your
platform.)

/etc/inetd.conf:
telnet stream tcp nowait nobody /usr/sbin/tcpd telnet.trap

/etc/hosts.allow:
telnet.trap: ALL: spawn (/bin/echo ALERT %A %d hit from %a | \
    /bin/mail -s "ALERT %A %d hit from %a" trapperlist) & : DENY

You probably want to avoid any DNS resolution in the traps since that
could expose you to DNS hacks. As far as I know, the above rules are
secure, but I certainly welcome improvements. In the "good old days" a
reverse finger directed at the attacker could reveal some useful data.
These days, finger results are pretty much useless.

Most of the recent attacks look fairly automated. There is obviously one
kit floating around that probes the telnet and imap ports in a particular
order. Almost all of the attacks target registered name servers, although
mail servers are another favorite.

-dpm

--
David P. Maynard, Flametree Corporation
EMail: d...@flametree.com, Tel: +1 512 670 4090, Fax: +1 512 251 8308
--
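As an added example that is not part of the post, a small Python script that does the aggregation a trapperlist mailbox would otherwise need by hand: it parses tcpd-style syslog lines (a constructed sample, using the daemon name telnet.trap from the inetd.conf line above) and reports sources that probed telnet and then imap in sequence, the probe order the post describes. It works on addresses only, so no DNS resolution is involved.

```python
import re
from collections import defaultdict

# Constructed sample of tcpd syslog output (not taken from the original post).
# tcpd logs under the wrapped daemon's name and reports "refused connect from"
# when a hosts.allow/hosts.deny rule denies the connection.
SAMPLE_LOG = """\
Dec 14 16:59:40 ns1 telnet.trap[4411]: refused connect from 134.139.149.100
Dec 14 16:59:56 ns1 imapd[4412]: refused connect from 134.139.149.100
Dec 14 17:02:03 ns1 imapd[4420]: connect from 10.1.2.3
Dec 14 17:10:11 ns1 telnet.trap[4431]: refused connect from 192.0.2.77
Dec 14 17:10:12 ns1 imapd[4432]: refused connect from 192.0.2.77
Dec 14 18:00:00 ns1 imapd[4440]: refused connect from 198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<daemon>[\w.]+)\[\d+\]: "
    r"(?P<verdict>refused connect|connect) from (?P<src>\S+)$"
)


def parse_refusals(text):
    """Return (timestamp, daemon, source) for every refused connection."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m["verdict"] == "refused connect":
            hits.append((m["ts"], m["daemon"], m["src"]))
    return hits


def _contains_in_order(seq, pattern):
    # True if `pattern` occurs as an ordered subsequence of `seq`.
    it = iter(seq)
    return all(any(d == p for d in it) for p in pattern)


def find_scanners(hits, pattern=("telnet.trap", "imapd")):
    """Sources whose refused hits follow the given probe order (telnet, then imap)."""
    by_src = defaultdict(list)
    for _ts, daemon, src in hits:
        by_src[src].append(daemon)
    return sorted(src for src, seq in by_src.items() if _contains_in_order(seq, pattern))


if __name__ == "__main__":
    for src in find_scanners(parse_refusals(SAMPLE_LOG)):
        print("probe sequence seen from", src)
```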

Craig A. Huegen

Dec 14, 1998, 3:00:00 AM
You will find this same situation with most cable modem providers
who give out "wingate" to users. There is a certain cable modem
provider who has significant amounts of open wingates on their network,
capable of being used from the outside.

Nothing is being done to close these, though, until they're abused.
Scanning for them is considered a 'breach of privacy' (rather than a
security assessment) and unfortunately allows people day after day to
abuse other systems with a very difficult-to-trace open relay.

I've been told that newer versions of wingate handed out by these
providers have disabled open relaying from the outside; however,
users can (and do) play and can easily misconfigure them to allow
access from anywhere.

/cah

On Mon, Dec 14, 1998 at 04:53:30PM -0700, Christian Nielsen wrote:

==>But, to this day, they still have an open relay on their cable modem network
==>that allows script kiddies from around the world to use them(1).
