Is there a bug in either popper or imapd that lets someone get root
access? Someone got into my Linux box and I suspect they did it by
overflowing popper and/or imapd. There was no damage done that I have
noticed, so maybe I was lucky. I have all my log files etc., but will
keep the post short unless someone wants all the details.
They didn't do any harm from what I can see, but I disabled those ports
for now and changed all passwords, got rid of the unwelcome accounts,
etc.
Here is a netstat -na; the offender is 38.29.66.182, connecting to
port 110.
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 35 0 206.47.27.250:110 38.29.66.182:20811 CLOSE_WAIT
tcp 0 2 206.47.27.250:8301 38.29.66.182:113 SYN_SENT
Here is my /var/log/messages file (just took some clips):
Nov 28 08:00:00 cpu1769 tcpd[8609]: connect from 38.29.66.182
Nov 28 08:00:31 cpu1769 last message repeated 111 times
Nov 28 08:01:32 cpu1769 last message repeated 207 times
Nov 28 08:02:33 cpu1769 last message repeated 218 times
Now, here is /var/log/mail:
Nov 28 07:11:57 cpu1769 popper[8574]: @ip182.tucson6.az.pub-ip.psi.net: -ERR POP EOF received
Nov 28 07:13:52 cpu1769 imapd[8575]: command stream end of file, while reading line user=??? host=ip182.tucson6.az.pub-ip.psi.net
Nov 28 07:29:26 cpu1769 popper[8585]: @ip182.tucson6.az.pub-ip.psi.net: -ERR POP EOF received
Nov 28 07:29:29 cpu1769 popper[8586]: [truncated] @ip182.tucson6.az.pub-ip.psi.net: -ERR Unknown command: "^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^
P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^
P^P^P^P^P^P^P
These messages repeat and repeat...
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
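An added triage script for the kind of evidence quoted in the post above (it is an editor's example, not code from the poster or from the popper/imapd projects). It parses syslog lines in the format shown, totals tcpd connections per source by folding in the "last message repeated N times" lines, and flags popper/imapd "Unknown command" entries whose command is a long run of control bytes, the pattern a defender would want pulled out of /var/log/mail before deciding whether a server-side overflow was attempted. It assumes the ^P sequences in the post are syslog or the mail reader rendering the byte 0x10 in caret notation, so both caret notation and raw control bytes are counted; the sample lines are constructed to mirror the post (the 38.29.66.182 address and psi.net hostname are taken from it, client.example.invalid is made up), and the 32-byte/50% thresholds are assumptions to tune.

```python
"""Triage helper for tcpd / popper / imapd syslog lines (added example, not the poster's code)."""
import json
import re
from collections import Counter

# One syslog line: "Mon DD HH:MM:SS host prog[pid]: message" (prog[pid] is absent on
# the "last message repeated N times" lines that syslogd writes for duplicates).
SYSLOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) '
    r'(?:(?P<prog>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: )?'
    r'(?P<msg>.*)$'
)
REPEAT_RE = re.compile(r'^last message repeated (\d+) times$')
CONNECT_RE = re.compile(r'^connect from (\S+)$')
PEER_RE = re.compile(r'@([^\s:]+):')
# The closing quote is optional because the line in the post was truncated by syslog.
UNKNOWN_CMD_RE = re.compile(r'-ERR Unknown command: "(.*?)"?$')
# Caret notation for one control byte: ^@ .. ^_ (0x00-0x1F) and ^? (0x7F), e.g. ^P = 0x10.
CARET_RE = re.compile(r'\^[@-_?]')

# Constructed sample modelled on the post; OVERFLOW_PROBE stands in for the long ^P run.
OVERFLOW_PROBE = "^P" * 80
SAMPLE_LOG = "\n".join([
    "Nov 28 08:00:00 cpu1769 tcpd[8609]: connect from 38.29.66.182",
    "Nov 28 08:00:31 cpu1769 last message repeated 111 times",
    "Nov 28 08:01:32 cpu1769 last message repeated 207 times",
    "Nov 28 07:11:57 cpu1769 popper[8574]: @ip182.tucson6.az.pub-ip.psi.net: -ERR POP EOF received",
    "Nov 28 07:13:52 cpu1769 imapd[8575]: command stream end of file, while reading line user=??? host=ip182.tucson6.az.pub-ip.psi.net",
    "Nov 28 07:29:29 cpu1769 popper[8586]: [truncated] @ip182.tucson6.az.pub-ip.psi.net: -ERR Unknown command: \"" + OVERFLOW_PROBE,
    "Nov 28 07:30:10 cpu1769 popper[8590]: @client.example.invalid: -ERR Unknown command: \"XYZZY\"",
])


def parse_line(line):
    """Split one syslog line into its fields, or return None if it does not parse."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def control_stats(cmd):
    """Return (control_bytes, total_bytes) for a logged command, treating ^X as one byte."""
    carets = len(CARET_RE.findall(cmd))
    rest = CARET_RE.sub("", cmd)
    raw_ctrl = sum(1 for c in rest if ord(c) < 0x20 or ord(c) == 0x7F)
    return carets + raw_ctrl, carets + len(rest)


def triage(lines, min_len=32, min_ctrl_ratio=0.5):
    """Count tcpd connections per source and flag control-byte-heavy POP/IMAP commands."""
    connections = Counter()
    suspicious = []
    last_src = None  # source of the most recent tcpd connect, for the 'repeated' lines
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        msg = rec["msg"]
        rep = REPEAT_RE.match(msg)
        if rep:
            if last_src:
                connections[last_src] += int(rep.group(1))
            continue
        if rec["prog"] == "tcpd":
            m = CONNECT_RE.match(msg)
            last_src = m.group(1) if m else None
            if last_src:
                connections[last_src] += 1
            continue
        last_src = None  # any other line ends a run of repeated tcpd connects
        if rec["prog"] in ("popper", "imapd"):
            m = UNKNOWN_CMD_RE.search(msg)
            if not m:
                continue
            ctrl, total = control_stats(m.group(1))
            ratio = ctrl / total if total else 0.0
            if total >= min_len and ratio >= min_ctrl_ratio:
                peer = PEER_RE.search(msg)
                suspicious.append({
                    "ts": rec["ts"], "prog": rec["prog"], "pid": rec["pid"],
                    "peer": peer.group(1) if peer else None,
                    "length": total, "ctrl_ratio": round(ratio, 2),
                })
    return {"connections": dict(connections), "suspicious": suspicious}


def run_sample():
    """Run the triage over the constructed sample log."""
    return triage(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

On the sample, the report attributes 319 connections to 38.29.66.182 (the connect line plus the two repeat counts) and flags only the popper entry whose command is the 80-byte ^P run; the "XYZZY" command is an ordinary protocol error and is left alone. A hit here says an overflow-shaped input reached the daemon, not that it succeeded: that question is answered by the popper/imapd versions installed and the checks the poster already ran (accounts, passwords, listening ports).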