List:       firewall-wizards
Subject:    Re: finger/IMAP scans
From:       davidg () genmagic ! com (David Gillett)
Date:       1999-03-24 19:21:05

On 24 Mar 99, at 22:57, Darren Reed wrote:

> In some email I received from David Gillett, sie wrote:
> > 
> > On 22 Mar 99, at 9:59, Neil Ratzlaff wrote:
> > 
> > > I keep seeing people doing combination finger/IMAP scans on our
> > > primary and secondary nameservers.  The number of sources is
> > > increasing.  (And the firewall keeps blocking them.) The ratio is
> > > usually about two fingers followed by an IMAP, they will try several
> > > dozen times, and then they quit. Does anyone recognize this as a
> > > meaningful pattern?  If so, can someone tell me what they think they
> > > are doing?  Assuming there is thought involved, of course. 
> > 
> >   A common pattern we see includes two tries each at IMAP, finger, POP, 
> > telnet, mountd, and sometimes a couple of others.  Every time we've
> > tracked it back, we've found someone's Linux box that has been cracked.
> 
> Have you (or others) seen many packets coming from the ident port ?

  We see many coming *to* the ident port (113) -- and occasionally to 
112 or 114 -- but we ignore them.  One of our services polls scattered 
third-party POP servers, and a number of these try to respond to port 
113 to authenticate the connection.  [We have no reports that our 
failure to honour such requests is interfering with the POP traffic....]


David G
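The two observations in this thread (a source hitting finger twice and then IMAP, repeated; and inbound connections to ident port 113 that are just remote POP servers answering a session we opened) both lend themselves to a simple firewall-log correlation. The script below is an added example for this thread, not code from any of the posters; the log line format, the addresses and the function names are constructed for illustration, while the port numbers (finger 79, IMAP 143, POP3 110, ident 113) are the standard assignments.

```python
"""Flag the finger/IMAP scan pattern and explain inbound ident probes.

Added example, not from the thread's authors.  Log format is a constructed,
simplified one:  "<iso-timestamp> <ALLOW|DENY> <src_ip> -> <dst_ip>:<dst_port>"
"""
from collections import defaultdict
from datetime import datetime

FINGER, POP3, IDENT, IMAP = 79, 110, 113, 143   # standard port assignments

# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
1999-03-24T19:01:02 DENY 192.0.2.10 -> 198.51.100.5:79
1999-03-24T19:01:02 DENY 192.0.2.10 -> 198.51.100.5:79
1999-03-24T19:01:03 DENY 192.0.2.10 -> 198.51.100.5:143
1999-03-24T19:01:09 DENY 192.0.2.10 -> 198.51.100.5:79
1999-03-24T19:01:09 DENY 192.0.2.10 -> 198.51.100.5:79
1999-03-24T19:01:10 DENY 192.0.2.10 -> 198.51.100.5:143
1999-03-24T19:01:55 ALLOW 198.51.100.5 -> 203.0.113.7:110
1999-03-24T19:02:00 DENY 203.0.113.7 -> 198.51.100.5:113
1999-03-24T19:02:30 DENY 192.0.2.44 -> 198.51.100.5:143
1999-03-24T19:03:00 DENY 192.0.2.99 -> 198.51.100.5:113
"""


def parse(text):
    """Turn log lines into event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, action, src, _arrow, dst = line.split()
        dst_ip, dst_port = dst.rsplit(":", 1)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "action": action,
            "src": src,
            "dst": dst_ip,
            "port": int(dst_port),
        })
    return events


def finger_imap_scanners(events, min_finger=2, min_imap=1):
    """Sources that probed both finger and IMAP on the same destination.

    The pattern from the thread is roughly two finger attempts per IMAP
    attempt, so a source is flagged once it reaches both thresholds.
    """
    per_pair = defaultdict(lambda: defaultdict(int))
    for e in events:
        per_pair[(e["src"], e["dst"])][e["port"]] += 1
    hits = []
    for (src, dst), by_port in per_pair.items():
        if by_port[FINGER] >= min_finger and by_port[IMAP] >= min_imap:
            hits.append({"src": src, "dst": dst,
                         "finger": by_port[FINGER], "imap": by_port[IMAP]})
    return sorted(hits, key=lambda h: h["src"])


def classify_ident_probes(events, window_seconds=60):
    """Label each inbound ident (113) connection.

    If we opened a POP3 session to that host shortly before, the ident probe
    is the POP server trying to authenticate our session ("pop-reply"), as
    the reply above describes; otherwise it is "unexplained" and worth a look.
    """
    outbound_pop = [e for e in events
                    if e["action"] == "ALLOW" and e["port"] == POP3]
    labels = []
    for e in events:
        if e["port"] != IDENT:
            continue
        explained = any(
            p["src"] == e["dst"] and p["dst"] == e["src"]
            and 0 <= (e["ts"] - p["ts"]).total_seconds() <= window_seconds
            for p in outbound_pop)
        labels.append((e["src"], "pop-reply" if explained else "unexplained"))
    return labels


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for h in finger_imap_scanners(evs):
        print("finger/IMAP scan:", h)
    for src, label in classify_ident_probes(evs):
        print("ident probe from", src, "->", label)
```

Run against the constructed sample, 192.0.2.10 is flagged (four finger and two IMAP attempts), 192.0.2.44 is not (IMAP only), and of the two ident probes one is matched to our own outbound POP session while the other stays unexplained. On a real firewall the parser is the only part that needs changing.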
