Great Circle Associates Firewalls
(July 1996)
 


Subject: POP exploits
From: Rob Sansom <sansom @ connectix . com>
Date: Fri, 12 Jul 1996 08:41:35 -0700
To: <firewalls @ greatcircle . com>

I occasionally get a burst of TCP packets to port 110 on our web server, 
which does not run a POP3 server or any such thing.  Here's a good 
example:

Jul 11 20:23:20 gate247159.connectix.com 8774: %SEC-6-IPACCESSLOGP: list 120 denied tcp 206.129.83.142(1558) -> 204.247.159.244(110), 1 packet
Jul 11 20:29:09 gate247159.connectix.com 8775: %SEC-6-IPACCESSLOGP: list 120 denied tcp 206.129.83.142(1558) -> 204.247.159.244(110), 117 packets
Jul 11 20:33:29 gate247159.connectix.com 8776: %SEC-6-IPACCESSLOGP: list 120 denied tcp 206.129.83.142(1766) -> 204.247.159.244(110), 1 packet
Jul 11 20:34:09 gate247159.connectix.com 8777: %SEC-6-IPACCESSLOGP: list 120 denied tcp 206.129.83.142(1558) -> 204.247.159.244(110), 89 packets
Jul 11 20:39:09 gate247159.connectix.com 8778: %SEC-6-IPACCESSLOGP: list 120 denied tcp 206.129.83.142(1766) -> 204.247.159.244(110), 136 packets
Jul 11 20:43:35 gate247159.connectix.com 8779: %SEC-6-IPACCESSLOGP: list 120 denied tcp 206.129.83.142(1337) -> 204.247.159.244(110), 1 packet
Jul 11 20:45:09 gate247159.connectix.com 8780: %SEC-6-IPACCESSLOGP: list 120 denied tcp 206.129.83.142(1766) -> 204.247.159.244(110), 120 packets
Jul 11 20:49:09 gate247159.connectix.com 8781: %SEC-6-IPACCESSLOGP: list 120 denied tcp 206.129.83.142(1337) -> 204.247.159.244(110), 271 packets
Jul 11 20:53:34 gate247159.connectix.com 8782: %SEC-6-IPACCESSLOGP: list 120 denied tcp 206.129.83.142(1679) -> 204.247.159.244(110), 1 packet
Jul 11 20:54:09 gate247159.connectix.com 8783: %SEC-6-IPACCESSLOGP: list 120 denied tcp 206.129.83.142(1337) -> 204.247.159.244(110), 195 packets
Jul 11 20:56:08 gate247159.connectix.com 8784: %SEC-6-IPACCESSLOGP: list 120

I know it's not an employee trying to collect their mail, since all of 
these connection attempts have come from places like Malaysia, Washington 
State (above - ixa.net), and other such places where they have no 
business being.  Also, they know that our POP server is not accessible 
from outside.  This leads me to believe that the above log entries are 
attacks, and I'm puzzled as to what they may be trying to attempt.  The 
web server is our most visible machine, so I guess that's why they are 
targeting it.  Any ideas?

Thanks in advance,

Rob Sansom
Network Admin.
Connectix Corp
(415) 638-7398
sansom @ connectix . com
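The entries quoted above are Cisco IOS ACL log messages: IOS logs the first packet of a flow that hits a "log" entry as soon as it is seen, then reports a per-flow count at intervals (here the summary lines land every five minutes, at hh:mm:09), so the "N packets" lines are interval totals rather than individual packets. The following is an added example, not code from the original post or from Great Circle Associates: a small parser for %SEC-6-IPACCESSLOGP lines that adds those interval counts up per (source, destination, port), records which client ports were used, and flags any flow that exceeds a packet threshold inside a time window. The sample log is constructed from the entries quoted in the post (including the truncated last line, which the parser skips); the year 1996 is assumed because syslog timestamps carry no year, and the thresholds are assumptions, not values the post gives.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Cisco IOS "%SEC-6-IPACCESSLOGP" access-list log line, in the shape seen in
# the post:
#   Mon DD hh:mm:ss host seq: %SEC-6-IPACCESSLOGP: list ACL denied tcp
#   SRC(SPORT) -> DST(DPORT), N packet(s)
LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+(?P<seq>\d+):\s+%SEC-6-IPACCESSLOGP:\s+"
    r"list\s+(?P<acl>\S+)\s+(?P<action>denied|permitted)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\)\s+->\s+(?P<dst>[\d.]+)\((?P<dport>\d+)\),\s+"
    r"(?P<count>\d+)\s+packets?$"
)

# Constructed sample: the router log from the post, one entry per line.
# The last line is the truncated entry exactly as it appears there.
SAMPLE_LOG = """\
Jul 11 20:23:20 gate247159.connectix.com 8774: %SEC-6-IPACCESSLOGP: list 120 denied tcp 206.129.83.142(1558) -> 204.247.159.244(110), 1 packet
Jul 11 20:29:09 gate247159.connectix.com 8775: %SEC-6-IPACCESSLOGP: list 120 denied tcp 206.129.83.142(1558) -> 204.247.159.244(110), 117 packets
Jul 11 20:33:29 gate247159.connectix.com 8776: %SEC-6-IPACCESSLOGP: list 120 denied tcp 206.129.83.142(1766) -> 204.247.159.244(110), 1 packet
Jul 11 20:34:09 gate247159.connectix.com 8777: %SEC-6-IPACCESSLOGP: list 120 denied tcp 206.129.83.142(1558) -> 204.247.159.244(110), 89 packets
Jul 11 20:39:09 gate247159.connectix.com 8778: %SEC-6-IPACCESSLOGP: list 120 denied tcp 206.129.83.142(1766) -> 204.247.159.244(110), 136 packets
Jul 11 20:43:35 gate247159.connectix.com 8779: %SEC-6-IPACCESSLOGP: list 120 denied tcp 206.129.83.142(1337) -> 204.247.159.244(110), 1 packet
Jul 11 20:45:09 gate247159.connectix.com 8780: %SEC-6-IPACCESSLOGP: list 120 denied tcp 206.129.83.142(1766) -> 204.247.159.244(110), 120 packets
Jul 11 20:49:09 gate247159.connectix.com 8781: %SEC-6-IPACCESSLOGP: list 120 denied tcp 206.129.83.142(1337) -> 204.247.159.244(110), 271 packets
Jul 11 20:53:34 gate247159.connectix.com 8782: %SEC-6-IPACCESSLOGP: list 120 denied tcp 206.129.83.142(1679) -> 204.247.159.244(110), 1 packet
Jul 11 20:54:09 gate247159.connectix.com 8783: %SEC-6-IPACCESSLOGP: list 120 denied tcp 206.129.83.142(1337) -> 204.247.159.244(110), 195 packets
Jul 11 20:56:08 gate247159.connectix.com 8784: %SEC-6-IPACCESSLOGP: list 120
"""


def parse_line(line, year=1996):
    """Parse one ACL log line into a dict, or return None for anything that
    does not match (truncated entries, other message types). The year is an
    assumption: syslog timestamps do not carry one."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return {
        "ts": ts, "host": m["host"], "seq": int(m["seq"]), "acl": m["acl"],
        "action": m["action"], "proto": m["proto"],
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "count": int(m["count"]),
    }


def summarize(text, year=1996):
    """Sum the interval counts per (src, dst, proto, dport) flow and keep the
    first/last timestamps plus a per-client-port breakdown. Returns
    (flows, skipped_line_count)."""
    flows, skipped = {}, 0
    for raw in text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw, year)
        if rec is None:
            skipped += 1
            continue
        key = (rec["src"], rec["dst"], rec["proto"], rec["dport"])
        f = flows.setdefault(key, {"packets": 0, "entries": 0,
                                   "first": rec["ts"], "last": rec["ts"],
                                   "by_sport": defaultdict(int)})
        f["packets"] += rec["count"]
        f["entries"] += 1
        f["first"] = min(f["first"], rec["ts"])
        f["last"] = max(f["last"], rec["ts"])
        f["by_sport"][rec["sport"]] += rec["count"]
    return flows, skipped


def flag_bursts(flows, min_packets=50, max_window=timedelta(hours=1)):
    """Flows with at least min_packets inside max_window (both thresholds are
    assumed values). The client-port breakdown is reported because a handful
    of ports each carrying hundreds of packets looks different from many
    one-packet connections from many ports."""
    findings = []
    for (src, dst, proto, dport), f in flows.items():
        window = f["last"] - f["first"]
        if f["packets"] >= min_packets and window <= max_window:
            findings.append({
                "src": src, "dst": dst, "proto": proto, "dport": dport,
                "packets": f["packets"],
                "seconds": int(window.total_seconds()),
                "client_ports": sorted(f["by_sport"]),
                "busiest_port": max(f["by_sport"], key=f["by_sport"].get),
            })
    return findings


if __name__ == "__main__":
    flows, skipped = summarize(SAMPLE_LOG)
    for hit in flag_bursts(flows):
        print(f"{hit['src']} -> {hit['dst']}:{hit['dport']}/{hit['proto']}: "
              f"{hit['packets']} packets in {hit['seconds']}s, "
              f"client ports {hit['client_ports']}, busiest {hit['busiest_port']}")
    print(f"skipped {skipped} unparseable line(s)")
```

Run against the sample it reports one flow, 206.129.83.142 -> 204.247.159.244:110/tcp, with 932 packets over 1849 seconds from four client ports, and one skipped line (the truncated entry). The per-port totals are the useful part for the question in the post: each client port stays in use across several five-minute intervals and carries a few hundred packets, which a reader can compare against what a normal mail client's connection attempts would produce.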


