[lug] outgoing port 220 exploit?

D. Stimits stimits at comcast.net
Mon Jan 19 02:52:41 MST 2004


D. Stimits wrote:

> I currently have no use of imap, and routinely block not only incoming
> ports that I do not use, but also outgoing ports. It may be that nothing
> is wrong here, but I need to track which app is trying to send an
> outgoing tcp connect to port 220 on all kinds of machines. Chkrootkit
> says things are fine, no mysterious processes show up, I keep things
> updated, so on. But it bugs me to not be able to see the ipchains output
> tell me exactly what app it is that is trying to go to imap. Any
> suggestions? I can't seem to find any published info on any exploit that
> would cause an outbound port 220 attempt (internal port is always 6129).
> I have been unable to find any input chain hits, only output chain.
>
> D. Stimits, stimits AT comcast DOT net
>

OK, I found out a pattern people might find interesting. More than one 
KRUD machine (so far KRUD 7.3 and 8.0) is doing this. One after 
the other, as one tries an outbound port 220 from local port 6129, the 
other will also try the SAME outbound IP. So someone is doing something 
like a port scan that is triggering the port 220 relay attempt on 
separate machines. I am beginning to think the inbound trigger is some 
sort of broadcast or non-tcp trigger. Not sure yet.

D. Stimits, stimits AT comcast DOT net
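The cross-machine check described in this post (two hosts each attempting port 220 against the same destination from local port 6129, and the question of whether any input-chain hit precedes the attempt) can be done offline against the ipchains log lines. The following is an added example, not code from the post or the list; it assumes the usual syslog-prefixed ipchains "Packet log:" line layout, and the host names and addresses in the sample log are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed ipchains kernel log layout as it reaches syslog:
#   <timestamp> <host> kernel: Packet log: <chain> <action> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> ...
IPCHAINS_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample log from two hypothetical hosts (hostA, hostB); the
# addresses are documentation ranges, not real machines.
SAMPLE_LOG = """\
Jan 19 01:02:03 hostA kernel: Packet log: output DENY eth0 PROTO=6 192.0.2.10:6129 198.51.100.7:220 L=60 S=0x00 I=12345 F=0x4000 T=64 SYN (#3)
Jan 19 01:02:05 hostB kernel: Packet log: output DENY eth0 PROTO=6 192.0.2.11:6129 198.51.100.7:220 L=60 S=0x00 I=12346 F=0x4000 T=64 SYN (#3)
Jan 19 01:02:50 hostA kernel: Packet log: input DENY eth0 PROTO=17 203.0.113.50:137 192.0.2.255:137 L=78 S=0x00 I=9 F=0x0000 T=128 (#1)
Jan 19 01:03:10 hostA kernel: Packet log: output DENY eth0 PROTO=6 192.0.2.10:6129 203.0.113.40:220 L=60 S=0x00 I=12400 F=0x4000 T=64 SYN (#3)
Jan 19 01:03:11 hostB kernel: Packet log: output DENY eth0 PROTO=6 192.0.2.11:6129 203.0.113.40:220 L=60 S=0x00 I=12401 F=0x4000 T=64 SYN (#3)
Jan 19 01:04:00 hostA kernel: Packet log: output DENY eth0 PROTO=6 192.0.2.10:35122 203.0.113.9:80 L=60 S=0x00 I=12500 F=0x4000 T=64 SYN (#3)
"""


def parse_ipchains(text):
    """Return one dict per recognisable ipchains log line, with a parsed timestamp."""
    records = []
    for line in text.splitlines():
        m = IPCHAINS_RE.match(line)
        if not m:
            continue  # ICMP lines (type/code, no ports) and unrelated syslog noise are skipped
        rec = m.groupdict()
        # syslog timestamps carry no year; only the deltas between them matter here
        rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
        records.append(rec)
    return records


def is_suspect_output(rec, dport, sport):
    """True for a TCP output-chain hit from the given local port to the given remote port."""
    return (rec["chain"] == "output" and rec["proto"] == "6"
            and rec["dport"] == dport and rec["sport"] == sport)


def find_shared_destinations(records, dport="220", sport="6129"):
    """Map each destination IP that MORE THAN ONE host tried on dport/sport to the sorted host list.
    A destination shared across hosts is the cross-machine pattern the post describes."""
    by_dst = defaultdict(set)
    for r in records:
        if is_suspect_output(r, dport, sport):
            by_dst[r["dst"]].add(r["host"])
    return {dst: sorted(hosts) for dst, hosts in by_dst.items() if len(hosts) > 1}


def inbound_before(records, window=timedelta(seconds=60), dport="220", sport="6129"):
    """For each suspect outbound attempt, list input-chain sources logged on the same host
    within `window` before it. An empty list means the logs show no inbound trigger."""
    result = {}
    for out in records:
        if not is_suspect_output(out, dport, sport):
            continue
        triggers = sorted({
            f"{r['src']}/proto{r['proto']}"
            for r in records
            if r["chain"] == "input" and r["host"] == out["host"]
            and out["ts"] - window <= r["ts"] <= out["ts"]
        })
        result[(out["host"], out["dst"])] = triggers
    return result


if __name__ == "__main__":
    recs = parse_ipchains(SAMPLE_LOG)
    for dst, hosts in find_shared_destinations(recs).items():
        print(f"{dst}:220 attempted by {', '.join(hosts)}")
    for (host, dst), trig in inbound_before(recs).items():
        print(f"{host} -> {dst}:220  preceding input hits: {trig or 'none'}")
```

Feed it the merged kernel logs of every machine showing the behaviour. Note what the log lines cannot tell you: they carry the socket 4-tuple but not the process, so attributing the attempt to an application still means catching it live, for example by watching which process holds local port 6129 (`netstat -tnp` or `lsof -i` on a host where those are installed) at the moment the output-chain hit is logged.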
