pop3d exploit

Vernon A. Fort vfort at provident-solutions.com
Tue Jan 30 16:11:01 EST 2007


Mirosław Jaworski wrote:
> On Tue, 2007-01-30 at 11:51 -0600, Vernon A. Fort wrote:
>   
>> I think I just saw an attempt to exploit my pop3d service.  A number of 
>> badlogin attempts followed by:
>>
>> Running cyrus-imapd 2.2.12-r4 on gentoo amd64 dual core.  I've never 
>> seen this problem prior to today.  Is there any known workaround?
>>     
>
> First I would follow the "Too many open files" warning, i.e. check the limits
> and inspect whether it's possible that server usage led to hitting
> the limit.
>
> As every system grows you get closer to the limits every day. Why not
> today? :)
>
> I would analyze logs for any abnormal (compared to your usual day)
> activity (looking for spikes). Maybe it's (a number of) misconfigured
> client(s) or maybe it was a regular DoS attack.
>
> I would surely check whether "bad option name: p<AE><F0>^N<FF>\177[...]"
> may be the result of reading "config file" out of the broken filesystem.
>
>   
The connections to the pop3d were from ONE specific host which had 525 
connections within 20 minutes.  Around 20 minutes after the first 
badlogin from this host is when the "Too many open files" started 
appearing.  It appears to be a DoS attack which just overwhelmed the 
server.  I added a maxchild=30 to the cyrus.conf pop2 SERVICES.  The 
"bad option name" did come after the "too many files" and socket errors - 
this very well might have been the result of a failing system.  There 
are only 55 user accounts and under normal loads, no more than 10-15 are 
popping at one given time.

I've seen exploits with the pop3 service with the sub-folder option but 
we do not have that enabled nor does the option appear to be valid.

I guess my question is how to configure a service with maxchild limits 
- hopefully what I have already added will prevent this.

Vernon
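Vernon found the offending host by counting connections per source over a 20-minute span; the following is an added example (not code from this thread or from the Cyrus project) that does the same from syslog output. The log lines are constructed approximations of what cyrus pop3d writes for a badlogin, and the addresses, hostnames and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the shape of cyrus pop3d syslog output (not real log data).
SAMPLE_LOG = """\
Jan 30 11:51:02 mail pop3d[4101]: badlogin: attacker.example.net [192.0.2.10] plaintext vernon SASL(-13): authentication failure: checkpass failed
Jan 30 11:51:03 mail pop3d[4102]: badlogin: attacker.example.net [192.0.2.10] plaintext admin SASL(-13): authentication failure: checkpass failed
Jan 30 11:52:10 mail pop3d[4103]: login: client.example.org [198.51.100.7] alice plaintext User logged in
Jan 30 11:53:15 mail pop3d[4104]: badlogin: client.example.org [198.51.100.7] plaintext alice SASL(-13): authentication failure: checkpass failed
Jan 30 12:05:00 mail pop3d[4105]: badlogin: attacker.example.net [192.0.2.10] plaintext root SASL(-13): authentication failure: checkpass failed
Jan 30 12:30:00 mail pop3d[4106]: badlogin: attacker.example.net [192.0.2.10] plaintext test SASL(-13): authentication failure: checkpass failed
"""

# syslog timestamp, then the pop3d badlogin prefix with the client address in brackets
BADLOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pop3d\[\d+\]: badlogin: \S+ \[(?P<ip>[0-9a-fA-F.:]+)\]"
)


def parse_badlogins(text):
    """Return {client_ip: [timestamp, ...]} for every pop3d badlogin line."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = BADLOGIN_RE.match(line)
        if m:
            # syslog lines carry no year; only the deltas between events matter here
            events[m.group("ip")].append(datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"))
    return events


def peak_in_window(times, window):
    """Largest number of events from one client that fall inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:   # slide the window start forward
            start += 1
        best = max(best, end - start + 1)
    return best


def flag_spiking_hosts(text, threshold=20, window_minutes=20):
    """Clients whose badlogin count within any `window_minutes` span reached `threshold`."""
    window = timedelta(minutes=window_minutes)
    peaks = {ip: peak_in_window(ts, window) for ip, ts in parse_badlogins(text).items()}
    return {ip: peak for ip, peak in peaks.items() if peak >= threshold}


if __name__ == "__main__":
    for ip, peak in flag_spiking_hosts(SAMPLE_LOG, threshold=3).items():
        print(f"{ip}: {peak} badlogins within 20 minutes")
```

Run it against `/var/log/mail.log` (or wherever syslog puts the pop3d facility) with a threshold well above the handful of failed logins a normal day produces; a host that trips it is a candidate for a firewall rule, and the maxchild limit discussed above only bounds the damage rather than stopping the attempts.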
