From owner-freebsd-security Mon Jun 1 15:45:31 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA28330 for freebsd-security-outgoing; Mon, 1 Jun 1998 15:45:31 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from dc1.mfn.org (dc1.mfn.org [204.238.179.1]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id PAA28180 for ; Mon, 1 Jun 1998 15:44:55 -0700 (PDT) (envelope-from sysadmin@mfn.org)
Received: from w3svcs.mfn.org (unverified [204.238.179.11]) by mail.mfn.org (EMWAC SMTPRS 0.83) with SMTP id ; Mon, 01 Jun 1998 17:46:38 -0500
Received: by w3svcs.mfn.org with Microsoft Mail id <01BD8D84.F10618B0@w3svcs.mfn.org>; Mon, 1 Jun 1998 17:44:35 -0500
Message-ID: <01BD8D84.F10618B0@w3svcs.mfn.org>
From: "J.A. Terranson"
To: "'FreeBSD Security'" , "'Joe Hagen'" , "'Secure-NT'" , "'NT Security Listserv'" , "'SpaceBar'" , "'SpaceBar #2'"
To: "'Tristy Granger'"
Cc: "'rmras@primary.gtu.com'"
Subject: (Admittedly Premature) Exploit (?) Warning.
Date: Mon, 1 Jun 1998 17:44:33 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

While I realize that this issue may not yet be "ripe", as the folks involved (myself and at least three other sites) have not yet firmly established just *exactly* what is going on here, but...

There appears to be some kind of exploit making the rounds that utilizes TCP packets from port "0" (yes, that's *zero*) to the IMAP port, 143. These packet traces are right now available only as historical log entries that are *loosely* associated with 2 successful "root" attacks against IMAP-enabled servers, an unsuccessful attack against another (ours), and the possible compromise of another.

In short, I don't know a lot, other than in the course of reviewing my daily logs, I saw a couple of freaky packets (above) addressed to my nameservers (both of them). They were rejected and logged at the routers; however, as a common courtesy, we notified the admin of the "sending" machine that they had a sick box. As it developed, this person had received other emails regarding this from other admins, 2 of which had suffered the successful attacks mentioned above - all of us seeing the originating machine as the same box. It is unknown if the source address was spoofed.

Basically, I think this is just a "common-cause" warning to look out for weird packets of this nature, and to take notice if you see any. Rather than keep a running blow-by-blow going on the various lists, please address anything regarding this to me directly...

Thanks

J.A. Terranson
sysadmin@mfn.org

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
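Added example, not part of the message above or of any FreeBSD code: a small Python log scanner that turns the warning into a check you can run over router deny/accept logs. It flags every TCP packet whose source port is 0 (port 0 is reserved and no legitimate client uses it as a source port) and notes separately when the target is the IMAP port, then counts flagged packets per source address so a single "sick box" stands out. The log layout is an assumed ipfw-like format and the sample lines are constructed for illustration using documentation address ranges; they are not the logs or the host referred to in the message, and real router log formats will need their own regular expression.

```python
import re
from collections import Counter

IMAP_PORT = 143

# Constructed sample lines in an assumed ipfw-like layout. These are not the
# logs referenced in the message; addresses are documentation ranges.
SAMPLE_LOG = """\
Jun  1 03:12:44 gw ipfw: 65000 Deny TCP 203.0.113.7:0 192.0.2.10:143 in via ed0
Jun  1 03:12:45 gw ipfw: 65000 Deny TCP 203.0.113.7:0 192.0.2.11:143 in via ed0
Jun  1 03:13:02 gw ipfw: 100 Accept TCP 198.51.100.5:40123 192.0.2.10:25 in via ed0
Jun  1 03:14:10 gw ipfw: 65000 Deny UDP 203.0.113.9:0 192.0.2.10:53 in via ed0
Jun  1 03:15:30 gw ipfw: 100 Accept TCP 198.51.100.6:1025 192.0.2.10:143 in via ed0
Jun  1 03:16:00 gw ipfw: 65000 Deny TCP 203.0.113.7:0 192.0.2.10:22 in via ed0
"""

# Assumed line layout: "<timestamp> <host> ipfw: <rule> <action> <proto>
# <src>:<sport> <dst>:<dport> <in|out> via <iface>".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ ipfw: \d+ "
    r"(?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def classify(rec):
    """Return a reason string if the packet matches the warning, else None.

    Only TCP with source port 0 is of interest here; the IMAP case is
    called out separately because that is the pattern the message reports.
    """
    if rec["proto"] != "TCP" or rec["sport"] != 0:
        return None
    if rec["dport"] == IMAP_PORT:
        return "TCP source port 0 to IMAP (143)"
    return "TCP source port 0 (reserved) to port %d" % rec["dport"]


def scan(log_text):
    """Scan a log; return (hits, per_source).

    hits is a list of (reason, record) in log order; per_source counts
    flagged packets by source address so one originating host stands out.
    """
    hits = []
    per_source = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparsed lines are skipped, not treated as hits
        reason = classify(rec)
        if reason:
            hits.append((reason, rec))
            per_source[rec["src"]] += 1
    return hits, per_source


if __name__ == "__main__":
    hits, per_source = scan(SAMPLE_LOG)
    for reason, rec in hits:
        print("%s %s -> %s:%d %s (%s)" % (rec["ts"], rec["src"], rec["dst"],
                                         rec["dport"], rec["action"], reason))
    for src, n in per_source.most_common():
        print("%s: %d flagged packet(s)" % (src, n))
```

On the sample input this flags the three TCP packets from 203.0.113.7 (two to port 143, one to port 22) and ignores the UDP packet with source port 0 and the normal IMAP connection from a high port. Whether the source address is spoofed cannot be decided from the log alone, as the message notes, so the per-source count is a lead to follow up with the other site, not proof of origin.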