heads up ... another imapd attack source
Just a few minutes ago, another attempted IMAPD breakin. This one originated from rock.careers.csulb.edu [134.139.149.100]. It was logged at Dec 14 16:59:56 CST.
As a general question, is this mailing list concerned with the operation of end nodes? It was always my thought that network operations covered the ether between end nodes. I don't want to start a big debate, though I would prefer a public answer by a clued party.

BR

On Mon, 14 Dec 1998, Phil Howard wrote:
Just a few minutes ago, another attempted IMAPD breakin. This one originated from rock.careers.csulb.edu [134.139.149.100]. It was logged at Dec 14 16:59:56 CST.
Bradley Reynolds asks a valid question:
As a general question, is this mailing list concerned with the operation of end nodes? It was always my thought that network operations covered the ether between end nodes.
I don't want to start a big debate, though I would prefer a public answer by a clued party.
Personally, I see any form of attack as a (potential) network issue. Solutions, or workarounds, or whatever, may involve doing things at the network level. For example I posted the IP address just in case someone decides it is their policy to block things at the network level once a report comes in. I know I would consider doing that if there was a period of possible attack against something my servers were not prepared to handle (to give me time to fix the servers). OTOH, the servers should have been fixed on THIS matter for quite some time now, at least on any decently operated network. Still, network operators may wish to temporarily protect downstream customers for a finite time, anyway.

That said, if it's still concluded to not be a network operation issue then I won't post these here. It's easier for me to not do so.

-- *-----------------------------* Phil Howard KA9WGN             * --
-- | Inturnet, Inc.              | Director of Internet Services | --
-- | Business Internet Solutions | eng at intur.net              | --
-- *-----------------------------* philh at intur.net            * --
IMNSHO - NANOG is not a NOC, and end-users are 99% of the time going to be much happier if they call their upstreams directly.

Also many many people mistake NANOG for inet-access or com-priv or cisco-nsp (myself included, often).

Back to normal life

-h

: As a general question, is this mailing list concerned with the
: operation of end nodes? It was always my thought that network
: operations covered the ether between end nodes.

: I don't want to start a big debate, though I would prefer a public
: answer by a clued party.
Just about everyone here is running multiple *NIX servers on a *.NET somewhere, including Phil Howard.

At 11:37 AM 12/14/98, Bradley Reynolds wrote:
As a general question, is this mailing list concerned with the operation of end nodes? It was always my thought that network operations covered the ether between end nodes.
I don't want to start a big debate, though I would prefer a public answer by a clued party.
BR
On Mon, 14 Dec 1998, Phil Howard wrote:
Just a few minutes ago, another attempted IMAPD breakin. This one originated from rock.careers.csulb.edu [134.139.149.100]. It was logged at Dec 14 16:59:56 CST.
___________________________________________________
Roeland M.J. Meyer - e-mail: mailto:rmeyer@mhsc.com
Internet phone: hawk.lvrmr.mhsc.com
Personal web pages: http://staff.mhsc.com/~rmeyer
Company web-site: http://www.mhsc.com
___________________________________________________
Who is John Galt? - "Atlas Shrugged" - Ayn Rand
Just about everyone here is running multiple *NIX servers on a *.NET somewhere, including Phil Howard.
This is distinctly not the point. There are mailing lists for people who manage networks. There are mailing lists for people who manage endsystems. NANOG is one of the former, not the latter.

Yes, most people with networks have endsystems. Yes, most people with endsystems have networks. This doesn't mean that endsystem issues belong on network-management mailing lists.

Given that there are a lot more endsystem administrators than network operators (at least, for North American Networks that are Large, which is what NANOG is for), it makes sense for endsystem issues to be addressed in an endsystem-specific forum, so that all the endsystem administrators can find out.

I concur strongly with Bradley's initial understanding, so far as to be scared that the question was even asked and entertained, because it shows how far off the mark a lot of people's interpretations are. Doubtless those interpretations are off the mark because the level of low-grade traffic to the mailing list in the past 2 years has been extremely high, and it's hard to reset expectations. No question, I and my colleagues find ourselves engaging in an uphill battle. Nevertheless, we shall not give up and shall strongly persevere.

The charter of the list was written to avoid being too specific and to not preclude useful network-relevant discussion, because sometimes this kind of thing is appropriate, but trying to cleanly delineate it is harder than most tasks in the life of a network engineer.

As a parting shot, messages where the sum of the quoted text and the signature exceed the body are generally considered poor form. This is, of course, not a good excuse to introduce meaningless drivel into your communications.

--jhawk
At 11:37 AM 12/14/98, Bradley Reynolds wrote:
As a general question, is this mailing list concerned with the operation of end nodes? It was always my thought that network operations covered the ether between end nodes.
I don't want to start a big debate, though I would prefer a public answer by a clued party.
BR
On Mon, 14 Dec 1998, Phil Howard wrote:
Just a few minutes ago, another attempted IMAPD breakin. This one originated from rock.careers.csulb.edu [134.139.149.100]. It was logged at Dec 14 16:59:56 CST.
John Hawkinson writes:
There are mailing lists for people who manage networks. There are mailing lists for people who manage endsystems.
NANOG is one of the former, not the latter.
Yes, most people with networks have endsystems. Yes, most people with endsystems have networks.
This doesn't mean that endsystem issues belong on network-management mailing lists.
Nor does it mean that endsystem information might not occasionally belong on the NANOG mailing list. Stopping and/or tracing ongoing network attacks might well involve "issues that require cooperation among network service providers", which is mentioned directly in the list charter. Maybe this particular issue (IMAP exploit) qualifies, maybe not...

Of course, it obviously failed test #4 on the NANOG pre-posting guide. ;-)

--Jeff
On Mon, 14 Dec 1998, Phil Howard wrote:
Just a few minutes ago, another attempted IMAPD breakin. This one originated from rock.careers.csulb.edu [134.139.149.100]. It was logged at Dec 14 16:59:56 CST.
Yea... They are going on all over the net. The problem is that many people are on the net putting up boxes that have the 'standard' OS install and not patching the system or following bugtraq etc. They get into one and then another and another.

There really needs to be a clearing house for companies to get together and help track down these so-called great hackers (script kiddies). We had a breakin from gtecablemodem.com around midnight and couldn't get a hold of anyone. We don't peer with them so our contact info was limited. I even checked out the noc page info sites and they (as well as GTE) were not listed. But, to this day, they still have an open relay on their cable modem network that allows script kiddies from around the world to use them (1).

We are starting to put together information for nocs and now we need numbers for network security in each company... Maybe NANSG (North American Network Security Group). Then when we attend meetings, we can sign each other's PGP keys so we know who we are dealing with.

Christian

(1) if anyone from GTE Cable would like to contact me, I would be glad to give them the site they are using as a relay.
You will find this same situation with most cable modem providers who give out "wingate" to users. There is a certain cable modem provider who has significant amounts of open wingates on their network, capable of being used from the outside. Nothing is being done to close these, though, until they're abused. Scanning for them is considered a 'breach of privacy' (rather than a security assessment) and unfortunately allows people day after day to abuse other systems with a very difficult-to-trace open relay.

I've been told that newer versions of wingate handed out by these providers have disabled open relaying from the outside; however, users can (and do) play and can easily misconfigure them to allow access from anywhere.

/cah

On Mon, Dec 14, 1998 at 04:53:30PM -0700, Christian Nielsen wrote:
==>But, to this day, they still have an open relay on their cable modem network
==>that allows script kiddies from around the world to use them(1).
There really needs to be a clearing house for companies to get together and help track down these so called great hackers (script kiddies).
The Forum of Incident Response and Security Teams (FIRST) does essentially that. Its Web site is at "http://www.first.org".

The Computer Emergency Response Team / Coordination Center (CERT/CC) tries to maintain statistics, and can often provide introductions to the people you need to talk to. Its Web site is at "http://www.cert.org".

Somebody (IOPS?) was starting an ISP-specific group, which had many of the big players on it. I don't remember any direct contact information, and am not sure that I can give it out to the public anyway.

-- John B.
FYI: Not that I sell shell accounts anyway, but I additionally block all non-http access, from *.EDU, with tcp_wrappers and my POP3 is wrapped up in SSH. IMAPD was shot and buried (deleted) a long time ago.

At 03:13 PM 12/14/98, Phil Howard wrote:
Just a few minutes ago, another attempted IMAPD breakin. This one originated from rock.careers.csulb.edu [134.139.149.100]. It was logged at Dec 14 16:59:56 CST.
___________________________________________________
Roeland M.J. Meyer - e-mail: mailto:rmeyer@mhsc.com
Internet phone: hawk.lvrmr.mhsc.com
Personal web pages: http://staff.mhsc.com/~rmeyer
Company web-site: http://www.mhsc.com
___________________________________________________
Who is John Galt? - "Atlas Shrugged" - Ayn Rand
[Considering the importance of supporting servers to network operations, I think this falls within bounds. More detailed discussions are probably better placed on one of the noisier lists like inet-access.]
Just a few minutes ago, another attempted IMAPD breakin. This one originated from rock.careers.csulb.edu [134.139.149.100]. It was logged at Dec 14 16:59:56 CST.
We get 'hits' on some of our imap and telnet trap doors at least once per day. The frequency has definitely increased since the apparent release of worm-like scripts that are self propagating. One customer had an unpatched imapd that was hit. It left an interesting footprint on the box including various hidden directories and sniffer programs running. It didn't do a very good job of hiding itself though and the box crashed while it was installing itself.

Although shutting down the services is enough to stop the attack, we find it handy to deploy trap doors using the TCP wrappers. Below is a quick-n-dirty example that has served us well so far. (Tweak to suit your platform.)

/etc/inetd.conf:

    telnet  stream  tcp  nowait  nobody  /usr/sbin/tcpd  telnet.trap

/etc/hosts.allow:

    telnet.trap: ALL: spawn (/bin/echo ALERT %A %d hit from %a | /bin/mail -s "ALERT %A %d hit from %a" trapperlist) &: DENY

You probably want to avoid any DNS resolution in the traps since that could expose you to DNS hacks. As far as I know, the above rules are secure, but I certainly welcome improvements.

In the "good old days" a reverse finger directed at the attacker could reveal some useful data. These days, finger results are pretty much useless.

Most of the recent attacks look fairly automated. There is obviously one kit floating around that probes the telnet and imap ports in a particular order. Almost all of the attacks target registered name servers, although mail servers are another favorite.

-dpm

--
David P. Maynard, Flametree Corporation
EMail: dpm@flametree.com, Tel: +1 512 670 4090, Fax: +1 512 251 8308
--
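Added example, not code from the thread or from David Maynard's setup: a small Python script that digests the alert lines the spawn rule above mails out, counts trap hits per source address, and flags sources that hit the telnet trap and then the imap trap on the same server within a short window (the telnet-then-imap probe order the message describes). The alert text follows the rule's "ALERT %A %d hit from %a" format; the syslog-style timestamp prefix, the "imap.trap" daemon name, the 600-second window and all sample addresses are assumptions. It works on addresses only, so no DNS resolution is involved.

```python
"""Summarise tcp_wrappers trap-door alerts and flag telnet-then-imap probes.

Added example; not the thread's code. It assumes each alert line is the text
the thread's spawn rule mails out ("ALERT %A %d hit from %a": server address,
daemon name, client address) prefixed with a syslog-style timestamp, and that
an imap trap is wired up like "telnet.trap" under the assumed name "imap.trap".
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample alerts (not real traffic); addresses are RFC 5737
# documentation ranges. The last line is deliberate junk to show it is skipped.
SAMPLE_ALERTS = """\
Dec 14 16:59:56 ALERT 192.0.2.10 telnet.trap hit from 198.51.100.7
Dec 14 17:00:02 ALERT 192.0.2.10 imap.trap hit from 198.51.100.7
Dec 14 17:05:30 ALERT 192.0.2.10 telnet.trap hit from 203.0.113.44
Dec 14 18:12:01 ALERT 192.0.2.11 imap.trap hit from 198.51.100.7
Dec 14 18:40:15 ALERT 192.0.2.10 imap.trap hit from 203.0.113.9
Dec 14 18:41:00 ALERT 192.0.2.10 telnet.trap hit from 203.0.113.9
this line is not an alert and must be skipped
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) ALERT "
    r"(?P<server>" + IPV4 + r") (?P<daemon>\S+) hit from (?P<client>" + IPV4 + r")$"
)


def parse_alerts(text, year=1998):
    """Parse alert lines into (timestamp, server, daemon, client) tuples sorted
    by time. Syslog timestamps carry no year, so one is supplied. Lines that do
    not match the strict alert format are skipped rather than guessed at."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m is None:
            continue
        ts = datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S")
        events.append((ts, m["server"], m["daemon"], m["client"]))
    events.sort()
    return events


def hits_by_client(events):
    """Count trap hits per client address, broken down by trap daemon."""
    counts = defaultdict(lambda: defaultdict(int))
    for _, _, daemon, client in events:
        counts[client][daemon] += 1
    return {client: dict(per_daemon) for client, per_daemon in counts.items()}


def probe_sequences(events, first="telnet.trap", second="imap.trap", window=600):
    """Return client addresses that hit `first` and then `second` on the same
    server within `window` seconds (assumed default 600). Hits in the reverse
    order, or on different servers, are not flagged."""
    last_first = {}  # (client, server) -> time of the most recent `first` hit
    flagged = set()
    for ts, server, daemon, client in events:
        key = (client, server)
        if daemon == first:
            last_first[key] = ts
        elif daemon == second and key in last_first:
            if (ts - last_first[key]).total_seconds() <= window:
                flagged.add(client)
    return sorted(flagged)


def deny_rules(clients):
    """Render hosts.deny entries for flagged addresses. Addresses only, never
    hostnames, so applying them involves no DNS lookup (the message above
    warns against DNS resolution in the traps)."""
    return ["ALL: %s" % client for client in clients]


if __name__ == "__main__":
    evs = parse_alerts(SAMPLE_ALERTS)
    for client, per_daemon in sorted(hits_by_client(evs).items()):
        print(client, per_daemon)
    seq = probe_sequences(evs)
    print("telnet-then-imap probes:", seq)
    print("\n".join(deny_rules(seq)))
```

Run it as a script to see the per-source summary; in practice the input would be the collected bodies of the alert mails, and the deny entries would be reviewed before being appended to hosts.deny. Keying the sequence check on (client, server) keeps a source that touched the telnet trap on one host and the imap trap on another from being counted as one scan of a single box.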
participants (10)
- Bradley Reynolds
- Christian Nielsen
- Craig A. Huegen
- David P. Maynard
- hhui@arcfour.com
- Jeff Aitken
- John Bashinski
- John Hawkinson
- Phil Howard
- Roeland M.J. Meyer