Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Attack/DoS

From: tstroup () FNSI NET (Todd R. Stroup)
Date: Wed, 3 Jun 1998 17:52:52 -0400

Don't know if it is just me.  But over the last 10 hours we have been
seeing attacks on port 0 from port 0 (both tcp and udp) on several clients
networks.  I have also seen the same attack on port udp 53(DNS).

Anyone have any information on this?


Todd R. Stroup
Fiber Network Solutions, Inc.



---------- Forwarded message ----------
Date: Mon, 1 Jun 1998 21:58:17 -0500
From: "J.A. Terranson" <sysadmin () MFN ORG>
To: BUGTRAQ () NETSPACE ORG
Subject: (Admittedly Premature) Exploit (?) Warning.

While I realize that this issue may not yet be "ripe", as I the folks involved
(myself and at least three other sites) have not yet firmly established just
*exactly* what is going on here, but...

There appears to be some kind of exploit making the rounds that utilizes
TCP packets from port "0" (yes, that's *zero*) to the IMAP port, 143.  These
packet traces are right now available only as historical log entries that are
*loosely* associated with 2 successful "root" attacks against IMAP enabled
servers, an unsuccessful attack against another (ours), and the possible
compromise of another.

        In short, I dont know a lot, other than in the course of reviewing my
daily logs, I saw a couple of freaky packets (above) addressed to my
nameservers (both of them).  They were rejected and logged at the routers,
however, as a common courtesy, we notified the admin of the "sending"
machine that they had a sick box.  As it developed, this person had
recieved other emails regarding this from other admins, 2 of which had
suffered the successful attacks mentioned above - all of us seeing the
originating machine as the same box.  It is unknown if the source address was spoofed.

        Basically, I think this is just a "common-cause" warning to look out
for weird packets of this nature, and to take notice if you see any.

        Rather than keep a running blow-by-blow going on the various lists,
please address anything regarding this to me directly...

Thanks
J.A. Terranson
sysadmin () mfn org
Previous By Date Next
Previous By Thread Next

Current thread: