North American Network Operators Group

Attack/DoS
Don't know if it is just me. But over the last 10 hours we have been seeing attacks on port 0 from port 0 (both tcp and udp) on several clients' networks. I have also seen the same attack on port udp 53 (DNS). Anyone have any information on this?

Todd R. Stroup
Fiber Network Solutions, Inc.

> ---------- Forwarded message ----------
> Date: Mon, 1 Jun 1998 21:58:17 -0500
> From: "J.A. Terranson" <[email protected]>
> To: [email protected]
> Subject: (Admittedly Premature) Exploit (?) Warning.
>
> While I realize that this issue may not yet be "ripe", as I the folks involved
> (myself and at least three other sites) have not yet firmly established just
> *exactly* what is going on here, but...
>
> There appears to be some kind of exploit making the rounds that utilizes
> TCP packets from port "0" (yes, that's *zero*) to the IMAP port, 143. These
> packet traces are right now available only as historical log entries that are
> *loosely* associated with 2 successful "root" attacks against IMAP enabled
> servers, an unsuccessful attack against another (ours), and the possible
> compromise of another.
>
> In short, I don't know a lot, other than in the course of reviewing my
> daily logs, I saw a couple of freaky packets (above) addressed to my
> nameservers (both of them). They were rejected and logged at the routers,
> however, as a common courtesy, we notified the admin of the "sending"
> machine that they had a sick box. As it developed, this person had
> received other emails regarding this from other admins, 2 of which had
> suffered the successful attacks mentioned above - all of us seeing the
> originating machine as the same box. It is unknown if the source address was spoofed.
>
> Basically, I think this is just a "common-cause" warning to look out
> for weird packets of this nature, and to take notice if you see any.
>
> Rather than keep a running blow-by-blow going on the various lists,
> please address anything regarding this to me directly...
>
> Thanks
> J.A. Terranson
> [email protected]
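An added example, not part of the original thread: a small check that reads the ports out of raw IPv4 TCP/UDP packets and counts those with source or destination port 0, the pattern both messages describe. The function names and the sample packets (built with RFC 5737 documentation addresses) are constructed for illustration.

```python
import struct
from collections import Counter

TCP, UDP = 6, 17

def ports_of(packet: bytes):
    """Return (proto, src_ip, sport, dport) for an IPv4 TCP/UDP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
    # Only the first fragment carries the transport header; later fragments
    # have no ports and must not be read as "port 0" traffic.
    if proto not in (TCP, UDP) or frag_offset != 0 or ihl < 20 or len(packet) < ihl + 4:
        return None
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    src = ".".join(str(b) for b in packet[12:16])
    return proto, src, sport, dport

def flag_port_zero(packets):
    """Count packets per (src, proto, sport, dport) where either port is 0."""
    hits = Counter()
    for pkt in packets:
        parsed = ports_of(pkt)
        if parsed and (parsed[2] == 0 or parsed[3] == 0):
            proto, src, sport, dport = parsed
            hits[(src, "tcp" if proto == TCP else "udp", sport, dport)] += 1
    return hits

def build(proto, src, dst, sport, dport):
    """Constructed sample: minimal IPv4 header plus port bytes (checksum left 0)."""
    payload = struct.pack("!HH", sport, dport) + b"\x00" * 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload

# Constructed samples, not data from the thread.
SAMPLES = [
    build(TCP, "192.0.2.10", "198.51.100.5", 0, 143),      # source port 0 to IMAP
    build(TCP, "192.0.2.10", "198.51.100.5", 0, 0),        # port 0 to port 0
    build(UDP, "192.0.2.10", "198.51.100.6", 0, 0),
    build(UDP, "203.0.113.7", "198.51.100.6", 40000, 53),  # ordinary DNS query, not flagged
]

if __name__ == "__main__":
    for key, n in flag_port_zero(SAMPLES).items():
        print(n, *key)
```

Grouping by source address shows whether the packets share one claimed origin; as the forwarded message notes, that address may be spoofed.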