Jeffrey W. Mericle wrote:

> I occasionally receive qpopper error messages that look like the
> following. I believe that this is a hack attempt on my system. Is this
> a hack attempt? Was it successful? What exploit is this hacker using
> and is there anything I can do to close this hole? 
> 
> Mar 13 07:14:19 Morehead popper[26337]: EOF from  at 209.217.53.174
> (209.217.53.174): [0] 29 (Illegal seek); 0 (Success)
> Mar 13 07:14:19 Morehead popper[26337]: (null) at 209.217.53.174
> (209.217.53.174): -ERR POP EOF or I/O Error: 29 (Illegal
> seek); 0 (Success)

A very quick glance through the source code suggests that the above
messages are generated *only* from the pop_exit() in popper.c, (lines
556 - 589 in qpopper-3.0.2, but probably around the same area in newer
versions), which suggests to me that whether or not it's an attempt at
unauthorized access, the pop daemon is indicating that it's terminating
the connection for this error, (read: not successful).

I would check if any of my regular users ever accessed the POP server
from the IP address in question, and if so I'd verify if the errors
aren't related to their connections.  In any case, if no legitimate
users ever come from the offending IP address, (check for the block
belonging to the owner of the single address, of course), you might as
well cut them off entirely with tcp_wrappers.  (that's probably
something you want to do for unresolvable IP addresses anyway.)

I hope that helps.

-- 
----------------------------------------------------------------------
Sylvain Robitaille                              [EMAIL PROTECTED]
 
Systems analyst                                   Concordia University
Instructional & Information Technology        Montreal, Quebec, Canada
----------------------------------------------------------------------
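
The check suggested in the reply, as an added example that is not part of the original message and is not qpopper code: it groups popper error lines by client address and lists the addresses that never showed a user name and never resolved, as candidates to review before adding them to hosts.deny. Assumptions: the log line shape is inferred from the two quoted messages, a logged-in user's name would appear in the same field, and the wrapped daemon is named `popper`.

```python
import re
from collections import defaultdict

# Shape of the two popper messages quoted in the thread, with the mail
# client's line wrapping undone: "[EOF from ]<user> at <host> (<ip>): <text>".
POPPER = re.compile(
    r"popper\[\d+\]: (?:EOF from )?(?P<user>\S*) at (?P<host>\S+) "
    r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\): (?P<text>.*)"
)
NO_USER = {"", "(null)"}  # what the quoted lines show in the user field

# Constructed sample: the first two lines are the thread's messages unwrapped;
# the third is invented, assuming a logged-in user's name fills the same field.
SAMPLE = """\
Mar 13 07:14:19 Morehead popper[26337]: EOF from  at 209.217.53.174 (209.217.53.174): [0] 29 (Illegal seek); 0 (Success)
Mar 13 07:14:19 Morehead popper[26337]: (null) at 209.217.53.174 (209.217.53.174): -ERR POP EOF or I/O Error: 29 (Illegal seek); 0 (Success)
Mar 13 09:02:41 Morehead popper[26501]: EOF from alice at dialup7.example.net (192.0.2.10): [0] 29 (Illegal seek); 0 (Success)
"""

def summarize(log_text):
    """Group popper error lines by client IP: line count, users seen, resolvability."""
    clients = defaultdict(lambda: {"lines": 0, "users": set(), "resolved": False})
    for line in log_text.splitlines():
        m = POPPER.search(line)
        if not m:
            continue
        entry = clients[m["ip"]]
        entry["lines"] += 1
        if m["user"] not in NO_USER:
            entry["users"].add(m["user"])
        # Assumption: a host field equal to the address means reverse lookup failed.
        entry["resolved"] |= m["host"] != m["ip"]
    return dict(clients)

def deny_candidates(clients):
    """IPs that never showed a user name and never resolved; review before blocking."""
    return sorted(ip for ip, e in clients.items() if not e["users"] and not e["resolved"])

def hosts_deny_lines(ips, daemon="popper"):
    """hosts.deny entries in 'daemon: client' form for the reviewed addresses."""
    return [f"{daemon}: {ip}" for ip in ips]

if __name__ == "__main__":
    report = summarize(SAMPLE)
    for ip, e in report.items():
        print(ip, e["lines"], sorted(e["users"]) or "-", "resolved" if e["resolved"] else "unresolved")
    print("\n".join(hosts_deny_lines(deny_candidates(report))))
```
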
