Eduardo Soriano inscribed thusly:
> Hi guys,
> For a couple of days now, /var/log/secure on our firewall has been reporting some strange
> messages like:
[...]
> Does someone have an idea what they are trying to do on the other side, and how can I
> obtain more detailed information?
It looks like you are being port scanned for imap. It also looks
like you have imap enabled in your inetd.conf file but the server is not
installed. When tcpwrappers goes to exec it, it gets a "file not found"
error.
A number of early versions of imap had serious security holes. A
number of distributions used to install imap by default, and most people
didn't even know they were running imap, much less a root-hack-vulnerable
version of imap (so they never thought to update something they never thought
they were running in the first place). That's why the script kiddies are
now doing massive parallel scans on the imap port. They're looking for
systems to break into.
As it so happens, their scanning is actually somewhat useful. Since
they scan for imap well in advance of anything else, PortSentry on my
firewall detects the attempts and installs a blocking rule before they
attempt anything else. If they scan any ports on any addresses within
my network that I haven't explicitly enabled, they get shut down and can't
get to even the legitimate services (I only trigger on fully connected
tcp events to avoid spoofing attacks). The imap scan just raises a flag
to my firewall that this is an individual who is up to no good.
I lock out a couple of snoops a week on average, almost all of
them based on the imap port. :-)
> Thanks
Mike
--
Michael H. Warfield | (770) 985-6132 | [EMAIL PROTECTED]
(The Mad Wizard) | (770) 331-2437 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]
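The two things Mike's reply points at, an imap entry left enabled in inetd.conf with no daemon behind it, and a PortSentry-style rule that blocks a source only once it has completed a TCP connect to the imap port, as one added example. This is not code from the original thread, from PortSentry or from tcpwrappers; the inetd.conf excerpt and the /var/log/secure lines are constructed (TEST-NET addresses), the log formats are assumed to follow tcpd's "connect from" and inetd's execv-failure messages, /usr/sbin stands in for tcpd's compiled-in daemon directory, and the iptables syntax is an assumption since the post never says what PortSentry was configured to call.

```python
"""Added example, not code from the original linux-net thread.

Two checks following Mike's diagnosis: (1) audit inetd.conf for enabled
services whose daemon is not installed, and (2) tally completed imap
connects from a tcpd-style log and emit block rules, PortSentry-fashion.
Log formats are assumed (loosely after tcpd's "connect from" and inetd's
execv failure messages); all sample data is constructed.
"""
import os
import re

# Constructed inetd.conf excerpt; assumed field order:
# service socktype proto wait user server-program args...
INETD_CONF_SAMPLE = """\
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
#telnet stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
imap    stream  tcp  nowait  root  /usr/sbin/tcpd  imapd
pop-3   stream  tcp  nowait  root  /usr/sbin/tcpd  ipop3d
"""

# Constructed /var/log/secure excerpt (TEST-NET addresses, assumed format).
LOG_SAMPLE = """\
Mar  3 02:11:07 fw imapd[4021]: connect from 192.0.2.17
Mar  3 02:11:07 fw inetd[112]: execv /usr/sbin/imapd: No such file or directory
Mar  3 02:11:09 fw imapd[4022]: connect from 192.0.2.17
Mar  3 02:11:09 fw inetd[112]: execv /usr/sbin/imapd: No such file or directory
Mar  3 02:14:30 fw in.ftpd[4030]: connect from 198.51.100.8
Mar  3 02:20:01 fw imapd[4041]: refused connect from 203.0.113.5
Mar  3 02:31:15 fw imapd[4052]: connect from 192.0.2.17
"""

CONNECT_RE = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} \S+ (?P<daemon>[\w.-]+)\[\d+\]: "
    r"(?P<refused>refused )?connect from (?P<src>\S+)$")
EXECV_RE = re.compile(r"inetd\[\d+\]: execv (?P<path>\S+): No such file or directory$")


def parse_inetd_conf(text):
    """Yield (service, program) for every enabled line. When the server
    column is tcpd, the real daemon is the first argument after it."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or len(fields) < 7:
            continue
        service, server, args = fields[0], fields[5], fields[6:]
        program = args[0] if os.path.basename(server) == "tcpd" else server
        yield service, program


def missing_daemons(text, daemon_dir="/usr/sbin", exists=os.path.exists):
    """Services enabled in inetd.conf whose daemon is not on disk.
    daemon_dir stands in for tcpd's compiled-in daemon directory (assumed);
    'exists' is injectable so the check can run against a fake filesystem."""
    missing = []
    for service, program in parse_inetd_conf(text):
        path = program if os.path.isabs(program) else os.path.join(daemon_dir, program)
        if not exists(path):
            missing.append(service)
    return missing


def accepted_connects(log_text, daemon="imapd"):
    """Count 'connect from' lines per source for one daemon. inetd only hands
    a stream socket to tcpd after accept(), so each such line is a completed
    TCP handshake: a spoofed SYN never gets this far, which is the property
    Mike relies on when he triggers only on fully connected events.
    'refused connect from' (a hosts.deny hit) is deliberately not counted."""
    counts = {}
    for line in log_text.splitlines():
        m = CONNECT_RE.match(line)
        if m and m.group("daemon") == daemon and not m.group("refused"):
            counts[m.group("src")] = counts.get(m.group("src"), 0) + 1
    return counts


def execv_failures(log_text):
    """Daemon paths inetd tried to exec and could not find: the symptom of a
    service that is enabled but not installed."""
    return sorted({m.group("path") for m in map(EXECV_RE.search, log_text.splitlines()) if m})


def block_rules(counts, threshold=1, chain="INPUT"):
    """iptables commands dropping every source at or above threshold
    (iptables syntax is an assumption; the post does not name the tool)."""
    return [f"iptables -I {chain} -s {src} -j DROP"
            for src, n in sorted(counts.items()) if n >= threshold]


if __name__ == "__main__":
    fake_fs = {"/usr/sbin/tcpd", "/usr/sbin/in.ftpd", "/usr/sbin/ipop3d"}
    print("enabled but not installed:",
          missing_daemons(INETD_CONF_SAMPLE, exists=fake_fs.__contains__))
    print("execv failures:", execv_failures(LOG_SAMPLE))
    counts = accepted_connects(LOG_SAMPLE)
    print("imap connects:", counts)
    for rule in block_rules(counts):
        print(rule)
```

On a real box, run `missing_daemons(open("/etc/inetd.conf").read())` with the default `exists` and feed `accepted_connects` the actual /var/log/secure; the `refused` branch matters because a source already listed in hosts.deny is logged by tcpd but never reached the daemon, so counting it would double-block. The fix for Eduardo's case is the first check's output: either install the imap server or comment the line out and HUP inetd, so that a scanner gets a closed port rather than an accept followed by an exec failure.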