heads up ... another imapd attack source

David P. Maynard dpm at flametree.com
Tue Dec 15 04:46:17 UTC 1998


[Considering the importance of supporting servers to network operations, I 
think this falls within bounds.  More detailed discussions are probably 
better placed on one of the noisier lists like inet-access.]

> Just a few minutes ago, another attempted IMAPD breakin.
> This one originated from rock.careers.csulb.edu [134.139.149.100].
> It was logged at Dec 14 16:59:56 CST.

We get 'hits' on some of our imap and telnet trap doors at least once per 
day.  The frequency has definitely increased since the apparent release of 
worm-like scripts that are self propagating.  One customer had an 
unpatched imapd that was hit.  It left an interesting footprint on the box 
including various hidden directories and sniffer programs running.  It 
didn't do a very good job of hiding itself though and the box crashed 
while it was installing itself.

Although shutting down the services is enough to stop the attack, we find 
it handy to deploy trap doors using the TCP wrappers.  Below is a 
quick-n-dirty example that has served us well so far.  (Tweak to suit your 
platform.)

/etc/inetd.conf:
telnet  stream  tcp     nowait  nobody  /usr/sbin/tcpd  telnet.trap

/etc/hosts.allow:
telnet.trap: ALL: spawn (/bin/echo ALERT %A %d hit from %a | /bin/mail -s 
"ALERT
 %A %d hit from %a" trapperlist) &: DENY

You probably want to avoid any DNS resolution in the traps since that 
could expose you to DNS hacks.  As far as I know, the above rules are 
secure, but I certainly welcome improvements.  In the "good old days" a 
reverse finger directed at the attacker could reveal some useful data.  
These days, finger results are pretty much useless.

Most of the recent attacks look fairly automated.  There is obviously one 
kit floating around that probes the telnet and imap ports in a particular 
order.  Almost all of the attacks target registered name servers, although 
mail servers are another favorite.

-dpm

-- 
 David P. Maynard, Flametree Corporation
 EMail: dpm at flametree.com,  Tel: +1 512 670 4090,  Fax: +1 512 251 8308
--





More information about the NANOG mailing list