[lug] outgoing port 220 exploit?
D. Stimits
stimits at comcast.net
Mon Jan 19 02:52:41 MST 2004
D. Stimits wrote:
> I currently have no use of imap, and routinely block not only incoming
> ports that I do not use, but also outgoing ports. It may be that nothing
> is wrong here, but I need to track which app is trying to send an
> outgoing tcp connect to port 220 on all kinds of machines. Chkrootkit
> says things are fine, no mysterious processes show up, I keep things
> updated, so on. But it bugs me to not be able to see the ipchains output
> tell me exactly what app it is that is trying to go to imap. Any
> suggestions? I can't seem to find any published info on any exploit that
> would cause an outbound port 220 attempt (internal port is always 6129).
> I have been unable to find any input chain hits, only output chain.
>
> D. Stimits, stimits AT comcast DOT net
>
OK, I found out a pattern people might find interesting. Several
KRUD machines (so far KRUD 7.3 and 8.0) are doing this. One after
the other, as one tries an outbound port 220 from local port 6129, the
other will also try the SAME outbound IP. So someone is doing something
like a port scan that is triggering the port 220 relay attempt on
separate machines. I am beginning to think the inbound trigger is some
sort of broadcast or non-tcp trigger. Not sure yet.
D. Stimits, stimits AT comcast DOT net
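The correlation described above (the same outbound destination being tried from local port 6129 to port 220 on more than one machine, one after the other) can be checked mechanically once the firewall logs from the hosts are collected in one place. The following is an added example, not code from the original post: it parses log lines written in the style of ipchains packet logging (the sample lines and host names are constructed, and the field layout is an approximation of that format, not a verified copy of it), keeps only the outbound TCP attempts with the port pair the post describes, and reports every destination that two or more hosts tried, in the order the hosts tried it.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the original post), written in the style of
# ipchains "Packet log:" output as collected by syslog from two hosts. Layout is assumed.
SAMPLE_LOG = """\
Jan 19 01:02:03 krud73 kernel: Packet log: output DENY eth0 PROTO=6 192.168.1.10:6129 203.0.113.5:220 L=60 S=0x00 I=1 F=0x4000 T=64 SYN (#3)
Jan 19 01:02:04 krud80 kernel: Packet log: output DENY eth0 PROTO=6 192.168.1.11:6129 203.0.113.5:220 L=60 S=0x00 I=2 F=0x4000 T=64 SYN (#3)
Jan 19 01:05:10 krud73 kernel: Packet log: output DENY eth0 PROTO=6 192.168.1.10:6129 198.51.100.7:220 L=60 S=0x00 I=3 F=0x4000 T=64 SYN (#3)
Jan 19 01:05:12 krud80 kernel: Packet log: output DENY eth0 PROTO=6 192.168.1.11:6129 198.51.100.7:220 L=60 S=0x00 I=4 F=0x4000 T=64 SYN (#3)
Jan 19 01:07:00 krud73 kernel: Packet log: output DENY eth0 PROTO=6 192.168.1.10:34567 192.0.2.9:80 L=60 S=0x00 I=5 F=0x4000 T=64 SYN (#4)
Jan 19 01:08:00 krud73 kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.20:1234 192.168.1.10:220 L=60 S=0x00 I=6 F=0x0000 T=64 (#7)
"""

# One regex for the fields we need: timestamp, logging host, chain, verdict, interface,
# IP protocol number, source ip:port and destination ip:port. Extra fields are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+kernel:\s+Packet\ log:\s+"
    r"(?P<chain>\w+)\s+(?P<verdict>\w+)\s+(?P<iface>\S+)\s+PROTO=(?P<proto>\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)",
    re.VERBOSE,
)


def parse_line(line):
    """Return a dict of the interesting fields, or None if the line is not a packet log entry."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def outbound_attempts(log_text, dport=220, sport=6129):
    """Keep only output-chain TCP (protocol 6) entries matching the port pair from the post."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["chain"] == "output" and rec["proto"] == 6 \
                and rec["dport"] == dport and rec["sport"] == sport:
            hits.append(rec)
    return hits


def shared_destinations(attempts):
    """Map each destination IP tried by two or more distinct hosts to the hosts, in order of first try."""
    order = defaultdict(list)  # dst -> hosts in the order they first appeared
    for rec in attempts:       # attempts are in log order, so first appearance == earliest try
        if rec["host"] not in order[rec["dst"]]:
            order[rec["dst"]].append(rec["host"])
    return {dst: hosts for dst, hosts in order.items() if len(hosts) >= 2}


if __name__ == "__main__":
    hits = outbound_attempts(SAMPLE_LOG)
    print(f"{len(hits)} outbound tcp/220 attempts from sport 6129")
    for dst, hosts in shared_destinations(hits).items():
        print(f"{dst} was tried by {len(hosts)} hosts, in order: {', '.join(hosts)}")
```

Fed the merged syslog from the affected machines, the last function lists exactly the destinations the post is talking about, with the host order preserved so the "one after the other" pattern is visible; the unrelated tcp/80 line and the inbound UDP line are filtered out by chain, protocol and port. The other half of the question, which local process is opening the connection, is not in the firewall log at all and has to be answered on the host itself at the moment the attempt is logged, which is why the cross-host timing from this script is useful: it tells you when to look.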