[Considering the importance of supporting servers to network operations, I think this falls within bounds. More detailed discussions are probably better placed on one of the noisier lists like inet-access.]
Just a few minutes ago, another attempted IMAPD breakin. This one originated from rock.careers.csulb.edu [134.139.149.100]. It was logged at Dec 14 16:59:56 CST.
We get 'hits' on some of our imap and telnet trap doors at least once per day. The frequency has definitely increased since the apparent release of worm-like scripts that are self propagating. One customer had an unpatched imapd that was hit. It left an interesting footprint on the box including various hidden directories and sniffer programs running. It didn't do a very good job of hiding itself though and the box crashed while it was installing itself.

Although shutting down the services is enough to stop the attack, we find it handy to deploy trap doors using the TCP wrappers. Below is a quick-n-dirty example that has served us well so far. (Tweak to suit your platform.)

/etc/inetd.conf:

    telnet stream tcp nowait nobody /usr/sbin/tcpd telnet.trap

/etc/hosts.allow:

    telnet.trap: ALL: spawn (/bin/echo ALERT %A %d hit from %a | /bin/mail -s "ALERT %A %d hit from %a" trapperlist) &: DENY

You probably want to avoid any DNS resolution in the traps since that could expose you to DNS hacks. As far as I know, the above rules are secure, but I certainly welcome improvements.

In the "good old days" a reverse finger directed at the attacker could reveal some useful data. These days, finger results are pretty much useless.

Most of the recent attacks look fairly automated. There is obviously one kit floating around that probes the telnet and imap ports in a particular order. Almost all of the attacks target registered name servers, although mail servers are another favorite.

-dpm

-- 
David P. Maynard, Flametree Corporation
EMail: dpm@flametree.com, Tel: +1 512 670 4090, Fax: +1 512 251 8308
-- 
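As an added example (not part of the post above), the following script shows how the "ALERT %A %d hit from %a" messages generated by the spawn rule can be correlated on the receiving side: it assumes the alerts have been appended to a log file with a syslog-style timestamp prefix, and flags any source address that hits two or more different trap daemons within a short window, which is the pattern the automated telnet/imap probing kit would leave. All addresses and log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the alert text produced by the hosts.allow spawn rule
# ("ALERT %A %d hit from %a"), assumed here to have been written to a log
# with a syslog-style prefix. Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Dec 14 16:59:56 gw trap: ALERT 192.0.2.10 imapd.trap hit from 198.51.100.7
Dec 14 17:00:03 gw trap: ALERT 192.0.2.10 telnet.trap hit from 198.51.100.7
Dec 14 18:21:40 gw trap: ALERT 192.0.2.10 telnet.trap hit from 203.0.113.5
Dec 15 09:12:01 gw trap: ALERT 192.0.2.11 imapd.trap hit from 203.0.113.5
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ \S+ "
    r"ALERT (?P<server>\S+) (?P<daemon>\S+) hit from (?P<client>\S+)$"
)


def parse_alerts(text, year=1998):
    """Return (timestamp, server, daemon, client) tuples for each alert line."""
    hits = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # unrelated log line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        hits.append((ts, m["server"], m["daemon"], m["client"]))
    return hits


def multi_service_probers(hits, window_seconds=900):
    """Map client -> sorted trap daemons for clients that hit two or more
    different trap daemons within window_seconds. A lone hit on one port
    (a stray connection) is not flagged; sequential multi-port probing is."""
    by_client = defaultdict(list)
    for ts, _server, daemon, client in hits:
        by_client[client].append((ts, daemon))
    flagged = {}
    for client, events in by_client.items():
        events.sort()
        for i, (t0, d0) in enumerate(events):
            daemons = {d0}
            for t1, d1 in events[i + 1:]:
                if (t1 - t0).total_seconds() > window_seconds:
                    break
                daemons.add(d1)
            if len(daemons) >= 2:
                flagged[client] = sorted(daemons)
                break
    return flagged
```

Running `multi_service_probers(parse_alerts(SAMPLE_LOG))` flags only 198.51.100.7, which hit both trap daemons seven seconds apart; the two hits from 203.0.113.5 are fifteen hours apart and are left for manual review.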