Re: UDP Port 137 - Now TCP 143
Daniel J. Gregor Jr. (dj gregor.com)
Sat, 06 Feb 1999 23:43:09 -0500
"Burgess, John (EDS)" wrote:
> Does anyone know why
> would someone/something be hitting TCP port 143?
TCP port 143 is IMAP4--a protocol for accessing E-mail spools
(similar to POP3, but much more featureful). Older versions of the
UW IMAP server had multiple remote root exploits, and exploit code
exists for multiple architectures (check rootshell.com). It's very
common for crackers to scan a large range of addresses looking for
IMAP servers that they can hack.
> This was at 2:30 AM
> from bay-030-b5.codetel.net.do (206.105.238.30 - Dominican Republic - a
> router?)
I did a quick traceroute and there was a large jump in round trip time
between the above host and the hop before it, which is a strong indicator
that it's a dial-up. Also the naming scheme is another clue--the hostname
contains the last octet of the IP address. This is common for dynamically
assigned IP addresses hanging off of access servers.
13 rabma203e001.codetel.net.do (206.105.238.2) 267.29 ms 296.916 ms 314.288 ms
14 bay-030-b5.codetel.net.do (206.105.238.30) 658.171 ms 407.217 ms 1763.867
- djg
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:18:08 CDT