pop3d exploit

Mirosław Jaworski mjaw at ikp.pl
Tue Jan 30 14:47:42 EST 2007


On Tue, 2007-01-30 at 11:51 -0600, Vernon A. Fort wrote:
> I think I just saw an attempt to exploit my pop3d service.  A number of 
> badlogin attempts followed by:
> 
> Running cyrus-imapd 2.2.12-r4 on gentoo amd64 dual core.  I've never 
> seen this problem prior to today.  Is there any known workaround?

First I would follow up on the "Too many open files" warning, i.e. check
the limits and inspect whether it's possible that server usage led to
hitting the limit.

As every system grows you get closer to the limits every day. Why not
today? :)

I would analyze logs for any abnormal (compared to your usual day)
activity (looking for spikes). Maybe it's a (number of) misconfigured
client(s), or maybe it was a regular DoS attack.

I would surely check whether "bad option name: p<AE><F0>^N<FF>\177[...]"
may be the result of reading "config file" out of the broken filesystem.

M.

-- 
Mirosław "Psyborg" Jaworski
GCS/IT d- s+:+ a C++$ UBI++++$ P+++$ L- E--- W++(+++)$ N++ o+ K- w-- O-
M- V- PS+ PE++ Y+ PGP t 5? X+ R++ !tv b++(+++) DI++ D+ G e* h++ r+++ y?
                          "Earth is full. Go home."

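[Added example, not part of the original message and not Cyrus code: one way to do the log review suggested above, counting pop3 badlogin lines per hour, flagging hours far above the median, and checking whether "Too many open files" shows up in the same hour. The log line shape, the sample data, the function names and the factor of 5 are assumptions made for illustration.]

```python
import re
from collections import Counter
from statistics import median

# Assumed syslog shape: "Mon DD HH:MM:SS host service[pid]: message"
LINE_RE = re.compile(
    r"^(?P<hour>\w{3}\s+\d+ \d{2}):\d{2}:\d{2} \S+ (?P<svc>\w+)\[\d+\]: (?P<msg>.*)$"
)

def make_sample():
    """Constructed log: quiet hours 09-11, then a burst at 12:xx."""
    lines = []
    for hour, n in ((9, 2), (10, 1), (11, 3), (12, 40)):
        for i in range(n):
            lines.append(
                f"Jan 30 {hour:02d}:{i % 60:02d}:07 mail pop3[{2000 + i}]: "
                f"badlogin: client.example [192.0.2.{i % 250 + 1}] plaintext user{i} "
                "SASL(-13): authentication failure: checkpass failed"
            )
    lines.append("Jan 30 12:41:09 mail master[1500]: accept failed: Too many open files")
    lines.append("garbage line that does not parse")  # must be skipped, not crash
    return lines

def hourly_counts(lines):
    """Return (badlogin per hour, 'Too many open files' per hour)."""
    bad, emfile = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["svc"].startswith("pop3") and m["msg"].startswith("badlogin:"):
            bad[m["hour"]] += 1
        elif "Too many open files" in m["msg"]:
            emfile[m["hour"]] += 1
    return bad, emfile

def find_spikes(bad, factor=5):
    """Hours whose badlogin count exceeds factor x the median hourly count."""
    if not bad:
        return []
    baseline = max(median(bad.values()), 1)  # floor of 1 avoids flagging tiny counts
    return sorted(h for h, n in bad.items() if n > factor * baseline)

def correlate(lines, factor=5):
    """(hour, badlogins, fd-limit errors) for each spike hour."""
    bad, emfile = hourly_counts(lines)
    return [(h, bad[h], emfile.get(h, 0)) for h in find_spikes(bad, factor)]

if __name__ == "__main__":
    for hour, n_bad, n_emfile in correlate(make_sample()):
        print(f"{hour}h: {n_bad} badlogin, {n_emfile} 'Too many open files'")
```

A spike hour with no fd-limit errors points at login noise only; fd-limit errors without any spike point back at ordinary growth against the limit.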

