List: firewall-wizards
Subject: Re: finger/IMAP scans
From: davidg () genmagic ! com (David Gillett)
Date: 1999-03-24 19:21:05
On 24 Mar 99, at 22:57, Darren Reed wrote:
> In some email I received from David Gillett, sie wrote:
> >
> > On 22 Mar 99, at 9:59, Neil Ratzlaff wrote:
> >
> > > I keep seeing people doing combination finger/IMAP scans on our
> > > primary and secondary nameservers. The number of sources is
> > > increasing. (And the firewall keeps blocking them.) The ratio is
> > > usually about two fingers followed by an IMAP, they will try several
> > > dozen times, and then they quit. Does anyone recognize this as a
> > > meaningful pattern? If so, can someone tell me what they think they
> > > are doing? Assuming there is thought involved, of course.
> >
> > A common pattern we see includes two tries each at IMAP, finger, POP,
> > telnet, mountd, and sometimes a couple of others. Every time we've
> > tracked it back, we've found someone's Linux box that has been cracked.
>
> Have you (or others) seen many packets coming from the ident port?
We see many coming *to* the ident port (113) -- and occasionally to
112 or 114 -- but we ignore them. One of our services polls scattered
third-party POP servers, and a number of these try to respond to port
113 to authenticate the connection. [We have no reports that our
failure to honour such requests is interfering with the POP traffic....]
David G
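
An added example, not part of the original messages: one way to separate the multi-service probe pattern described in this thread from the benign ident callbacks triggered by outbound POP polling. The log format, the addresses (documentation ranges), the thresholds and the choice to count unexplained ident hits as probes are all assumptions made for illustration.

```python
from collections import defaultdict

# Well-known ports for services named in the thread. mountd is left out
# because its port is assigned dynamically by the portmapper.
PROBED = {23: "telnet", 79: "finger", 110: "pop3", 143: "imap", 113: "ident"}

# Constructed sample. Assumed format: epoch direction action src dst dport
SAMPLE_LOG = """\
922300000 IN DENY 203.0.113.7 192.0.2.53 79
922300001 IN DENY 203.0.113.7 192.0.2.53 79
922300002 IN DENY 203.0.113.7 192.0.2.53 143
922300003 IN DENY 203.0.113.7 192.0.2.54 79
922300004 IN DENY 203.0.113.7 192.0.2.54 79
922300005 IN DENY 203.0.113.7 192.0.2.54 143
922300100 OUT ALLOW 192.0.2.25 198.51.100.9 110
922300101 IN DENY 198.51.100.9 192.0.2.25 113
922300200 IN DENY 198.51.100.77 192.0.2.53 110
"""

def parse(log):
    for line in log.splitlines():
        if line.strip():
            ts, direction, action, src, dst, dport = line.split()
            yield int(ts), direction, action, src, dst, int(dport)

def classify(log, min_services=2, ident_window=60):
    """Return (scanners, ident_callbacks) from blocked inbound attempts."""
    events = list(parse(log))
    polled = defaultdict(list)  # remote POP server -> times we connected to it
    for ts, direction, _, _, dst, dport in events:
        if direction == "OUT" and dport == 110:
            polled[dst].append(ts)
    hits = defaultdict(lambda: defaultdict(int))
    callbacks = set()
    for ts, direction, action, src, _, dport in events:
        if direction != "IN" or action != "DENY" or dport not in PROBED:
            continue
        # Ident request from a server we just polled: a callback, not a probe.
        if dport == 113 and any(0 <= ts - t <= ident_window for t in polled.get(src, [])):
            callbacks.add(src)
            continue
        hits[src][PROBED[dport]] += 1
    scanners = {s: dict(v) for s, v in hits.items() if len(v) >= min_services}
    return scanners, callbacks

if __name__ == "__main__":
    print(classify(SAMPLE_LOG))
```

A source is reported only when it is blocked on at least `min_services` distinct services, so a single stray POP attempt is not flagged.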