From owner-freebsd-security  Mon Jun 28  8:28:47 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gatekeeper.iserver.com (gatekeeper.iserver.com [192.41.0.2])
	by hub.freebsd.org (Postfix) with ESMTP id 18F0815250
	for <security@FreeBSD.ORG>; Mon, 28 Jun 1999 08:27:29 -0700 (PDT)
	(envelope-from hart@iserver.com)
Received: by gatekeeper.iserver.com; Mon, 28 Jun 1999 09:27:29 -0600 (MDT)
Received: from unknown(192.168.1.109) by gatekeeper.iserver.com via smap (V3.1.1)
	id xma010452; Mon, 28 Jun 99 09:27:03 -0600
Received: (hart@localhost) by anchovy.orem.iserver.com (8.9.2) id JAA14873; Mon, 28 Jun 1999 09:24:58 -0600 (MDT)
Date: Mon, 28 Jun 1999 09:24:58 -0600 (MDT)
From: Paul Hart <hart@iserver.com>
X-Sender: hart@anchovy.orem.iserver.com
To: Dag-Erling Smorgrav <des@flood.ping.uio.no>
Cc: Keith Anderson <keith@apcs.com.au>, security@FreeBSD.ORG
Subject: Re: Whats going on please
In-Reply-To: <xzp6748im6j.fsf@flood.ping.uio.no>
Message-ID: <Pine.BSF.3.96.990628091852.14857B-100000@anchovy.orem.iserver.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 28 Jun 1999, Dag-Erling Smorgrav wrote:

> > Jun 27 17:06:59 work popper[1550]: @compl-r4.iscs.nus.sg: -ERR POP EOF received
> > Jun 27 17:07:00 work popper[1552]: @compl-r4.iscs.nus.sg: -ERR POP EOF received
> > Jun 27 17:07:03 work popper[1553]: @compl-r4.iscs.nus.sg: -ERR POP EOF received
> 
> He tried to exploit your POP server. Doesn't seem like he succeeded,
> but I can't tell for sure.

That's not necessarily an exploit attempt; the message only means that the
socket connection to popper was closed before the daemon expected it to
close.  This is also a symptom of a TCP port scan.  I think that the
original poster mentioned that he is running Qualcomm popper 2.53 which
should be fixed with regards to the overflow in pop_msg() from last year
(which is probably the hole everyone is thinking of), but that doesn't
mean that other undiscovered holes aren't lurking in the code.

Paul Hart

--
Paul Robert Hart        ><8>  ><8>  ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8>  ><8>  ><8>        http://www.iserver.com/



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message