Have we been cracked?

1999-06-21 Thread Dan DeMond
Hello all,
I'm thinking that our system may have been cracked.  I think they got
in through imapd, because of what was in the logfile (see attachment).

My question is, did they really get in through imapd?  On
www.cert.org there was an advisory for imapd, but that was last year this
time.  Cert said the affected versions were <=10.234, while our version
reports 11.241.  Are newer versions still vulnerable?

Thanks in Advance,
Dan DeMond
daemon.log.0:Jun 19 07:31:08 XX imapd[16504]: connect from cinequanon.com
daemon.log.0:Jun 19 07:31:14 XX imapd[16505]: connect from cinequanon.com
daemon.log.0:Jun 19 07:31:14 XX imapd[16506]: connect from cinequanon.com
daemon.log.0:Jun 19 07:31:15 XX imapd[16508]: connect from cinequanon.com
daemon.log.0:Jun 19 07:31:15 XX imapd[16507]: connect from cinequanon.com
daemon.log.0:Jun 19 07:31:15 XX imapd[16509]: connect from cinequanon.com
daemon.log.0:Jun 19 07:31:15 XX imapd[16510]: connect from cinequanon.com
daemon.log.0:Jun 19 07:31:15 XX imapd[16511]: connect from cinequanon.com
daemon.log.0:Jun 19 07:31:15 XX imapd[16513]: connect from cinequanon.com
daemon.log.0:Jun 19 07:31:15 XX imapd[16512]: connect from cinequanon.com
daemon.log.0:Jun 19 07:31:15 XX imapd[16517]: connect from cinequanon.com
daemon.log.0:Jun 19 07:31:15 XX imapd[16516]: connect from cinequanon.com
daemon.log.0:Jun 19 07:31:15 XX imapd[16515]: connect from cinequanon.com
daemon.log.0:Jun 19 07:31:15 XX imapd[16514]: connect from cinequanon.com
daemon.log.0:Jun 19 07:31:15 XX imapd[16518]: connect from cinequanon.com
daemon.log.0:Jun 19 07:46:36 XX imapd[16584]: connect from cinequanon.com
daemon.log.0:Jun 19 07:46:45 XX imapd[16585]: connect from cinequanon.com
daemon.log.0:Jun 19 07:46:45 XX imapd[16586]: connect from cinequanon.com
daemon.log.0:Jun 19 07:46:45 XX imapd[16587]: connect from cinequanon.com
daemon.log.0:Jun 19 07:46:45 XX imapd[16589]: connect from cinequanon.com
daemon.log.0:Jun 19 07:46:45 XX imapd[16588]: connect from cinequanon.com
daemon.log.0:Jun 19 07:46:45 XX imapd[16590]: connect from cinequanon.com
daemon.log.0:Jun 19 07:46:45 XX imapd[16591]: connect from cinequanon.com
daemon.log.0:Jun 19 07:46:45 XX imapd[16593]: connect from cinequanon.com
daemon.log.0:Jun 19 07:46:45 XX imapd[16592]: connect from cinequanon.com
daemon.log.0:Jun 19 07:46:45 XX imapd[16597]: connect from cinequanon.com
daemon.log.0:Jun 19 07:46:45 XX imapd[16596]: connect from cinequanon.com
daemon.log.0:Jun 19 07:46:45 XX imapd[16595]: connect from cinequanon.com
daemon.log.0:Jun 19 07:46:45 XX imapd[16594]: connect from cinequanon.com
daemon.log.0:Jun 19 07:46:45 XX imapd[16598]: connect from cinequanon.com
mail.info.0:Jun 19 07:31:13 XX imapd[16504]: command stream end of file, 
while reading line user=??? host=cinequanon.com [209.151.235.233]
mail.info.0:Jun 19 07:31:25 XX imapd[16505]: command stream end of file, 
while reading line user=??? host=cinequanon.com [209.151.235.233]
mail.info.0:Jun 19 07:31:25 XX imapd[16507]: command stream end of file, 
while reading line user=??? host=cinequanon.com [209.151.235.233]
mail.info.0:Jun 19 07:31:25 XX imapd[16509]: command stream end of file, 
while reading line user=??? host=cinequanon.com [209.151.235.233]
mail.info.0:Jun 19 07:31:25 XX imapd[16506]: command stream end of file, 
while reading line user=??? host=cinequanon.com [209.151.235.233]
mail.info.0:Jun 19 07:31:25 XX imapd[16508]: command stream end of file, 
while reading line user=??? host=cinequanon.com [209.151.235.233]
mail.info.0:Jun 19 07:31:25 XX imapd[16510]: command stream end of file, 
while reading line user=??? host=cinequanon.com [209.151.235.233]
mail.info.0:Jun 19 07:31:25 XX imapd[16511]: command stream end of file, 
while reading line user=??? host=cinequanon.com [209.151.235.233]
mail.info.0:Jun 19 07:31:25 XX imapd[16512]: command stream end of file, 
while reading line user=??? host=cinequanon.com [209.151.235.233]
mail.info.0:Jun 19 07:31:25 XX imapd[16514]: command stream end of file, 
while reading line user=??? host=cinequanon.com [209.151.235.233]
mail.info.0:Jun 19 07:31:25 XX imapd[16513]: command stream end of file, 
while reading line user=??? host=cinequanon.com [209.151.235.233]
mail.info.0:Jun 19 07:31:25 XX imapd[16516]: command stream end of file, 
while reading line user=??? host=cinequanon.com [209.151.235.233]
mail.info.0:Jun 19 07:31:25 XX imapd[16515]: command stream end of file, 
while reading line user=??? host=cinequanon.com [209.151.235.233]
mail.info.0:Jun 19 07:31:25 XX imapd[16518]: command stream end of file, 
while reading line user=??? host=cinequanon.com [209.151.235.233]
mail.info.0:Jun 19 07:31:25 XX imapd[16517]: command stream end of file, 
while reading line user=??? host=cinequanon.com [209.151.235.233]
mail.info.0:Jun 19 07
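
Reading the attached log for what it does and does not show, as an added example that is not part of Dan's mail or any reply in this thread: a small Python triage script that parses the two imapd line shapes above, flags bursts of connections from one remote host, and counts sessions that closed with user=???, i.e. before any login was attempted. The sample lines are excerpted from the attachment (the EOF lines that the mailer wrapped are rejoined onto single lines); the year 1999 is an assumption, since syslog timestamps carry none, and the burst threshold and window are mine.

```python
import re
from collections import defaultdict
from datetime import datetime

# The attachment is grep output: "<file>:<syslog line>". Two message shapes
# matter here: "connect from" and "command stream end of file".
LINE_RE = re.compile(
    r"^(?P<file>[^:]+):(?P<stamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) imapd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
CONNECT_RE = re.compile(r"^connect from (?P<remote>\S+)$")
EOF_RE = re.compile(
    r"^command stream end of file, while reading line "
    r"user=(?P<user>\S+) host=(?P<remote>\S+)(?: \[(?P<ip>[\d.]+)\])?$"
)

SYSLOG_YEAR = 1999  # assumption: classic syslog stamps carry no year

# Excerpt of the attached lines; wrapped EOF lines rejoined onto one line.
SAMPLE_LINES = [
    "daemon.log.0:Jun 19 07:31:08 XX imapd[16504]: connect from cinequanon.com",
    "daemon.log.0:Jun 19 07:31:14 XX imapd[16505]: connect from cinequanon.com",
    "daemon.log.0:Jun 19 07:31:14 XX imapd[16506]: connect from cinequanon.com",
    "daemon.log.0:Jun 19 07:31:15 XX imapd[16508]: connect from cinequanon.com",
    "daemon.log.0:Jun 19 07:31:15 XX imapd[16507]: connect from cinequanon.com",
    "daemon.log.0:Jun 19 07:31:15 XX imapd[16509]: connect from cinequanon.com",
    "daemon.log.0:Jun 19 07:31:15 XX imapd[16510]: connect from cinequanon.com",
    "daemon.log.0:Jun 19 07:46:36 XX imapd[16584]: connect from cinequanon.com",
    "daemon.log.0:Jun 19 07:46:45 XX imapd[16585]: connect from cinequanon.com",
    "daemon.log.0:Jun 19 07:46:45 XX imapd[16586]: connect from cinequanon.com",
    "mail.info.0:Jun 19 07:31:13 XX imapd[16504]: command stream end of file, "
    "while reading line user=??? host=cinequanon.com [209.151.235.233]",
    "mail.info.0:Jun 19 07:31:25 XX imapd[16505]: command stream end of file, "
    "while reading line user=??? host=cinequanon.com [209.151.235.233]",
    "mail.info.0:Jun 19 07:31:25 XX imapd[16507]: command stream end of file, "
    "while reading line user=??? host=cinequanon.com [209.151.235.233]",
    "mail.info.0:Jun 19 07:31:25 XX imapd[16509]: command stream end of file, "
    "while reading line user=??? host=cinequanon.com [209.151.235.233]",
    "mail.info.0:Jun 19 07:31:25 XX imapd[16506]: command stream end of file, "
    "while reading line user=??? host=cinequanon.com [209.151.235.233]",
    "mail.info.0:Jun 19 07",  # truncated tail of the attachment; the parser skips it
]


def parse_stamp(stamp):
    return datetime.strptime(f"{SYSLOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")


def parse_imapd_log(lines):
    """Return (connects, eofs): connects maps pid -> (ts, remote host);
    eofs maps pid -> (ts, user, remote host)."""
    connects, eofs = {}, {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # truncated or unrelated line
        ts, pid, msg = parse_stamp(m["stamp"]), int(m["pid"]), m["msg"]
        c = CONNECT_RE.match(msg)
        if c:
            connects[pid] = (ts, c["remote"])
            continue
        e = EOF_RE.match(msg)
        if e:
            eofs[pid] = (ts, e["user"], e["remote"])
    return connects, eofs


def find_bursts(connects, threshold=5, window_seconds=5):
    """Densest window of connects per remote host: {remote: (start, count)},
    kept only where count reaches threshold."""
    by_remote = defaultdict(list)
    for ts, remote in connects.values():
        by_remote[remote].append(ts)
    bursts = {}
    for remote, stamps in by_remote.items():
        stamps.sort()
        best, j = (None, 0), 0
        for i, start in enumerate(stamps):
            while j < len(stamps) and (stamps[j] - start).total_seconds() <= window_seconds:
                j += 1
            if j - i > best[1]:
                best = (start, j - i)
        if best[1] >= threshold:
            bursts[remote] = best
    return bursts


def triage(lines, threshold=5, window_seconds=5):
    """Per remote host: sessions seen, sessions closed before any login (user=???),
    sessions closed after a login, sessions with no close in the excerpt, densest burst."""
    connects, eofs = parse_imapd_log(lines)
    bursts = find_bursts(connects, threshold, window_seconds)
    report = {}
    for pid, (ts, remote) in connects.items():
        r = report.setdefault(remote, {"connects": 0, "closed_without_login": 0,
                                       "closed_with_login": 0, "no_close_seen": 0,
                                       "burst": bursts.get(remote)})
        r["connects"] += 1
        if pid not in eofs:
            r["no_close_seen"] += 1
        elif eofs[pid][1] == "???":
            r["closed_without_login"] += 1
        else:
            r["closed_with_login"] += 1
    return report


if __name__ == "__main__":
    for remote, r in triage(SAMPLE_LINES).items():
        print(remote, r)
```

On this excerpt every session that closed did so with user=???, so the client hung up without ever sending a LOGIN, and fourteen-odd connections landed in the same second: the shape of a banner grab or scanner, as Marc suggests, rather than of mail clients. The log alone cannot rule out a successful exploit (a compromised daemon need not log anything), so it narrows the question to "what did these sessions send" and points at the host itself for the evidence Marc asks about.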

Re: Have we been cracked?

1999-06-21 Thread Marc Mongeon
It looks like somebody ran some sort of port scanner against your
system, looking for a vulnerability.  From the attached logs, it wasn't
obvious that the attack was successful.  Did you find evidence on
the system that it had been cracked?  It's possible that imapd with-
stood the attack.  I'm no security expert, and only responded with
my 2 cents worth to keep the topic from dying.  Any input from more
knowledgeable people out there?

Marc


--
Marc Mongeon <[EMAIL PROTECTED]>
Unix Specialist
Ban-Koe Systems
9100 W Bloomington Fwy
Bloomington, MN 55431-2200
(612)888-0123, x417 | FAX: (612)888-3344
--
"It's such a fine line between clever and stupid."
   -- David St. Hubbins and Nigel Tufnel of "Spinal Tap"


>>> Dan DeMond <[EMAIL PROTECTED]> 06/21 2:44 PM >>>
Hello all,
I'm thinking that our system may have been cracked.  I think they got
in through imapd, because of what was in the logfile (see attachment).

My question is, did they really get in through imapd?  On
www.cert.org there was an advisory for imapd, but that was last year this
time.  Cert said the affected versions were <=10.234, while our version
reports 11.241.  Are newer versions still vulnerable?

Thanks in Advance,
Dan DeMond


Re: Have we been cracked?

1999-06-21 Thread Rahsheen Porter
If you're really paranoid..you should format and start over. Otherwise, start
running portsentry and logcheck (search freshmeat). Portsentry will block
any host that tries to scan you and logcheck will email you weird log
entries. Portsentry has blocked at least 10 hosts since I started running
it... very useful.

On Mon, Jun 21, 1999 at 04:28:54PM -0500, Marc Mongeon wrote:
> It looks like somebody ran some sort of port scanner against your
> system, looking for a vulnerability.  From the attached logs, it wasn't
> obvious that the attack was successful.  Did you find evidence on
> the system that it had been cracked?  It's possible that imapd with-
> stood the attack.  I'm no security expert, and only responded with
> my 2 cents worth to keep the topic from dying.  Any input from more
> knowledgeable people out there?
> 
> Marc
> 
> 
> --
> Marc Mongeon <[EMAIL PROTECTED]>
> Unix Specialist
> Ban-Koe Systems
> 9100 W Bloomington Fwy
> Bloomington, MN 55431-2200
> (612)888-0123, x417 | FAX: (612)888-3344
> --
> "It's such a fine line between clever and stupid."
>    -- David St. Hubbins and Nigel Tufnel of "Spinal Tap"
> 
> 
> >>> Dan DeMond <[EMAIL PROTECTED]> 06/21 2:44 PM >>>
> Hello all,
>   I'm thinking that our system may have been cracked.  I think they got
> in through imapd, because of what was in the logfile (see attachment).
>   
>   My question is, did they really get in through imapd?  On
> www.cert.org there was an advisory for imapd, but that was last year this
> time.  Cert said the affected versions were <=10.234, while our version
> reports 11.241.  Are newer versions still vulnerable?
> 
>   Thanks in Advance,
>   Dan DeMond
> 
> 
> 

-- 
Rahsheen Porter 
<[EMAIL PROTECTED]>



Re: Have we been cracked?

1999-06-21 Thread Pollywog

On 21-Jun-99 Rahsheen Porter wrote:
> If you're really paranoid..you should format and start over. Otherwise,
> start
> running portsentry and logcheck (search freshmeat). Portsentry will block
> any host that tries to scan you and logcheck will email you weird log
> entries. Portsentry has blocked at least 10 hosts since I started running
> it... very useful.

Yes, I agree.  I use those two (logcheck and portsentry) together.  Portsentry
has stopped several attacks for me.

--
Andrew


Re: Have we been cracked?

1999-06-22 Thread Brad
On Mon, 21 Jun 1999, Rahsheen Porter wrote:

> Portsentry will block any host that tries to scan you

Does it detect spoofed packets? For example, if someone detected you're
using portsentry (because their scan didn't work?), could they spoof
packets to make it look like your gateway machine was scanning you, and
thereby make you cut yourself off from the 'net?


Re: Have we been cracked?

1999-06-22 Thread Rahsheen Porter
On Mon, Jun 21, 1999 at 11:50:51PM -0500, Brad wrote:
> On Mon, 21 Jun 1999, Rahsheen Porter wrote:
> 
> > Portsentry will block any host that tries to scan you
> 
> Does it detect spoofed packets? For example, if someone detected you're
> using portsentry (because their scan didn't work?), could they spoof
> packets to make it look like your gateway machine was scanning you, and
> thereby make you cut yourself off from the 'net?
> 

No, cuz you can tell it hosts that it should never block. 

-- 
Rahsheen Porter 
<[EMAIL PROTECTED]>
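
The failure mode Brad raises and the mitigation Rahsheen names, as an added example that is my own Python simulation and not PortSentry's code: an auto-blocker that reacts to a source address hitting several unused ports, with a never-block list of the networks the machine cannot do without. PortSentry keeps that list in its portsentry.ignore file; here it is a plain list of networks. All addresses are constructed from the RFC 5737 documentation ranges, and the gateway and resolver addresses, the trigger count, and the sample events are assumptions for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed addresses (RFC 5737 documentation ranges), not taken from the thread.
NEVER_BLOCK = [
    ipaddress.ip_network("127.0.0.0/8"),    # loopback
    ipaddress.ip_network("192.0.2.1/32"),   # our default gateway (assumed)
    ipaddress.ip_network("192.0.2.53/32"),  # our resolver (assumed)
]


def is_ignored(src, ignore_nets=NEVER_BLOCK):
    """True if src falls inside a network we must never auto-block."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ignore_nets)


def decide_blocks(events, scan_trigger=3, ignore_nets=NEVER_BLOCK):
    """events: (src_ip, dst_port) hits on ports nothing legitimately listens on.
    A source touching scan_trigger or more distinct ports counts as a scan and is
    blocked, unless it is on the ignore list, in which case it is only logged.
    Returns {src_ip: 'block' | 'ignore' | 'watch'}."""
    ports_by_src = defaultdict(set)
    for src, port in events:
        ports_by_src[src].add(port)
    verdicts = {}
    for src, ports in ports_by_src.items():
        if len(ports) < scan_trigger:
            verdicts[src] = "watch"
        elif is_ignored(src, ignore_nets):
            # A "scan" whose source header is forged to be our gateway reaches
            # here; blocking it would cut us off from the net, so we only log.
            verdicts[src] = "ignore"
        else:
            verdicts[src] = "block"
    return verdicts


# Constructed sample: a genuine scanner, a burst whose source is forged as our
# gateway, and one stray hit.
SAMPLE_EVENTS = [
    ("198.51.100.7", 1), ("198.51.100.7", 11), ("198.51.100.7", 15), ("198.51.100.7", 143),
    ("192.0.2.1", 1), ("192.0.2.1", 11), ("192.0.2.1", 15),
    ("203.0.113.9", 143),
]

if __name__ == "__main__":
    for src, verdict in decide_blocks(SAMPLE_EVENTS).items():
        print(f"{src:>14}  {verdict}")
```

Blocking on source address reacts to a header any sender can write, so the ignore list is what keeps an automatic response from becoming a self-inflicted denial of service; it should hold every host the machine depends on (gateway, name servers, time source, loopback), and anything matching it should still be logged so the spoofing attempt itself is visible.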