Good Morning to all,
I have received some strange entries in my secure log from snort that are
a concern to me.
I have been receiving IMAP overflow attacks on my mail server, but the
source IP is on my private network.
The log entries are below:
Jan 19 09:22:54 gateway snort: [1:1845:4] EXPERIMENTAL IMAP list
overflow attempt [Classification: Misc Attack] [Priority: 2]: {TCP}
92.168.1.2:49289 -> 192.168.1.1:143
Jan 19 11:52:55 gateway snort: [1:1845:4] EXPERIMENTAL IMAP list
overflow attempt [Classification: Misc Attack] [Priority: 2]: {TCP}
192.168.1.2:49289 -> 192.168.1.1:143
Jan 19 13:02:55 gateway last message repeated 3 times
Jan 19 13:12:55 gateway snort: [1:1845:4] EXPERIMENTAL IMAP list
overflow attempt [Classification: Misc Attack] [Priority: 2]: {TCP}
192.168.1.2:49289 -> 192.168.1.1:143
Jan 19 14:12:55 gateway snort: [1:1845:4] EXPERIMENTAL IMAP list
overflow attempt [Classification: Misc Attack] [Priority: 2]: {TCP}
192.168.1.2:49289 -> 192.168.1.1:143
Jan 19 19:14:52 gateway snort: [1:1845:4] EXPERIMENTAL IMAP list
overflow attempt [Classification: Misc Attack] [Priority: 2]: {TCP}
192.168.1.2:49289 -> 192.168.1.1:143
Jan 19 21:32:56 gateway snort: [1:1845:4] EXPERIMENTAL IMAP list
overflow attempt [Classification: Misc Attack] [Priority: 2]: {TCP}
192.168.1.2:49289 -> 192.168.1.1:143
Jan 19 21:42:56 gateway last message repeated 3 times
Jan 19 23:12:56 gateway snort: [1:1845:4] EXPERIMENTAL IMAP list
overflow attempt [Classification: Misc Attack] [Priority: 2]: {TCP}
192.168.1.2:49289 -> 192.168.1.1:143
Jan 20 00:52:56 gateway last message repeated 3 times
Jan 20 07:23:20 gateway snort: [117:1:1] (spp_portscan2) Portscan
detected from 192.168.1.2: 6 targets 9 ports in 76 seconds {UDP}
192.168.1.2:137 -> 192.168.1.255:137
Jan 20 11:02:59 gateway snort: [1:1845:4] EXPERIMENTAL IMAP list
overflow attempt [Classification: Misc Attack] [Priority: 2]: {TCP}
192.168.1.2:49289 -> 192.168.1.1:143
Jan 20 11:22:59 gateway snort: [1:1845:4] EXPERIMENTAL IMAP list
overflow attempt [Classification: Misc Attack] [Priority: 2]: {TCP}
192.168.1.2:49289 -> 192.168.1.1:143
Jan 20 11:22:59 gateway last message repeated 2 times
According to SnortSnarf these attacks and portscans ran from Jan 18 02:02
to Jan 21 15:53. Output below:
Jan 18 02:02:50 gateway snort: [1:1845:4] EXPERIMENTAL IMAP list
overflow attempt [Classification: Misc Attack] [Priority: 2]: {TCP}
192.168.1.1:143
Jan 18 08:22:51 gateway snort: [1:1845:4] EXPERIMENTAL IMAP list
overflow attempt [Classification: Misc Attack] [Priority: 2]: {TCP}
192.168.1.1:143
Jan 18 09:12:51 gateway snort: [117:1:1] (spp_portscan2) Portscan
detected from 192.168.1.2: 6 targets 7 ports in 58 seconds {TCP}
203.16.214.248:110
01/18-09:12:51.206034 TCP 203.16.214.248:110 tgts: 6 ports: 7 flags:
******S* event_id: 0
01/18-09:12:51.206034 TCP 203.16.214.248:110 tgts: 6 ports: 7 flags:
******S* event_id: 0
Jan 18 14:22:51 gateway snort: [1:1845:4] EXPERIMENTAL IMAP list
overflow attempt [Classification: Misc Attack] [Priority: 2]: {TCP}
192.168.1.1:143
Jan 18 14:42:51 gateway snort: [1:1845:4] EXPERIMENTAL IMAP list
overflow attempt [Classification: Misc Attack] [Priority: 2]: {TCP}
192.168.1.1:143
Jan 18 18:52:52 gateway snort: [1:1845:4] EXPERIMENTAL IMAP list
overflow attempt [Classification: Misc Attack] [Priority: 2]: {TCP}
192.168.1.1:143
Jan 18 20:32:52 gateway snort: [1:1845:4] EXPERIMENTAL IMAP list
overflow attempt [Classification: Misc Attack] [Priority: 2]: {TCP}
192.168.1.1:143
Jan 18 22:12:52 gateway snort: [1:1845:4] EXPERIMENTAL IMAP list
overflow attempt [Classification: Misc Attack] [Priority: 2]: {TCP}
192.168.1.1:143
Jan 18 22:22:52 gateway snort: [1:1845:4] EXPERIMENTAL IMAP list
overflow attempt [Classification: Misc Attack] [Priority: 2]: {TCP}
192.168.1.1:143
Jan 19 01:22:52 gateway snort: [1:1845:4] EXPERIMENTAL IMAP list
overflow attempt [Classification: Misc Attack] [Priority: 2]: {TCP}
192.168.1.1:143
Jan 19 09:22:54 gateway snort: [1:1845:4] EXPERIMENTAL IMAP list
overflow attempt [Classification: Misc Attack] [Priority: 2]: {TCP}
192.168.1.1:143
Jan 19 11:52:55 gateway snort: [1:1845:4] EXPERIMENTAL IMAP list
overflow attempt [Classification: Misc Attack] [Priority: 2]: {TCP}
192.168.1.1:143
Jan 19 13:12:55 gateway snort: [1:1845:4] EXPERIMENTAL IMAP list
overflow attempt [Classification: Misc Attack] [Priority: 2]: {TCP}
192.168.1.1:143
Jan 19 14:12:55 gateway snort: [1:1845:4] EXPERIMENTAL IMAP list
overflow attempt [Classification: Misc Attack] [Priority: 2]: {TCP}
192.168.1.1:143
Jan 19 19:14:52 gateway snort: [1:1845:4] EXPERIMENTAL IMAP list
overflow attempt [Classification: Misc Attack] [Priority: 2]: {TCP}
192.168.1.1:143
Jan 19 21:32:56 gateway snort: [1:1845:4] EXPERIMENTAL IMAP list
overflow attempt [Classification: Misc Attack] [Priority: 2]: {TCP}
192.168.1.1:143
Jan 19 23:12:56 gateway snort: [1:1845:4] EXPERIMENTAL IMAP list
overflow attempt [Classification: Misc Attack] [Priority: 2]: {TCP}
192.168.1.1:143
Jan 20 07:23:20 gateway snort: [117:1:1] (spp_portscan2) Portscan
detected from 192.168.1.2: 6 targets 9 ports in 76 seconds {UDP}
192.168.1.255:137
01/20-07:23:20.564146 UDP 192.168.1.255:137 tgts: 6 ports: 9 event_id: 0
Jan 20 11:02:59 gateway snort: [1:1845:4] EXPERIMENTAL IMAP list
overflow attempt [Classification: Misc Attack] [Priority: 2]: {TCP}
192.168.1.1:143
Jan 20 11:22:59 gateway snort: [1:1845:4] EXPERIMENTAL IMAP list
overflow attempt [Classification: Misc Attack] [Priority: 2]: {TCP}
192.168.1.1:143
Jan 20 17:53:41 gateway snort: [1:1845:4] EXPERIMENTAL IMAP list
overflow attempt [Classification: Misc Attack] [Priority: 2]: {TCP}
192.168.1.1:143
Jan 20 19:52:59 gateway snort: [1:1845:4] EXPERIMENTAL IMAP list
overflow attempt [Classification: Misc Attack] [Priority: 2]: {TCP}
192.168.1.1:143
Jan 20 20:13:00 gateway snort: [1:1845:4] EXPERIMENTAL IMAP list
overflow attempt [Classification: Misc Attack] [Priority: 2]: {TCP}
192.168.1.1:143
Jan 21 15:11:16 gateway snort: [117:1:1] (spp_portscan2) Portscan
detected from 192.168.1.2: 6 targets 7 ports in 59 seconds {UDP}
192.168.1.255:137
01/21-15:11:16.735475 UDP 192.168.1.255:137 tgts: 6 ports: 7 event_id: 0
01/21-15:11:16.735475 UDP 192.168.1.255:137 tgts: 6 ports: 7 event_id: 0
01/21-15:11:16.735475 UDP 192.168.1.255:137 tgts: 6 ports: 7 event_id: 0
Jan 21 15:53:02 gateway snort: [1:1845:4] EXPERIMENTAL IMAP list
overflow attempt [Classification: Misc Attack] [Priority: 2]: {TCP}
192.168.1.1:143
Now an explanation of my network.
My gateway is IP 192.168.1.1 and is a ClarkConnect 1.2
mail server (IMAP)/gateway/firewall permanently connected via ADSL. All
updates applied.
RedHat Linux 8.0 workstation 192.168.1.2, security updates applied
weekly.
Two other HP 9000 D Class Linux servers mostly acting as Samba servers
to 3 Win boxes and the RedHat box.
A HP 9000 E Class server running HP-UX 11.00.
3 Win boxes.
The RedHat box, one D Class and the gateway run continuously. All other
boxes are powered up and down as required.
The gateway runs Apache, Postfix, IMAP, Squid set up as a transparent
cache, SNORT and SSH.
I cannot see anything suspicious on the RedHat box (the attack
originator), although I am not running Tripwire and, as I said, I do keep
it up to date.
Do I assume it's hacked and reinstall RedHat 8.0, or is the IP being
spoofed to make it look like it is coming from inside my network?
Any suggestions or comments appreciated.
Steve Grady
--
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
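The post asks whether 192.168.1.2 is compromised or merely spoofed. As an added example (not part of the original message), the following Python groups snort syslog alerts by connection 5-tuple and applies the two triage checks a defender would run first: an unchanging TCP source port across many hours means one established session, which a spoofed address cannot sustain because it cannot complete the handshake, and UDP 137 to the broadcast address is NetBIOS name service. The sample log is constructed from the post's values, one alert per line as syslog writes them.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the shape of the post's syslog output (one alert per line;
# the mail client wrapped the originals). Values are copied from the post, not live data.
SAMPLE_LOG = """\
Jan 19 09:22:54 gateway snort: [1:1845:4] EXPERIMENTAL IMAP list overflow attempt [Classification: Misc Attack] [Priority: 2]: {TCP} 192.168.1.2:49289 -> 192.168.1.1:143
Jan 19 11:52:55 gateway snort: [1:1845:4] EXPERIMENTAL IMAP list overflow attempt [Classification: Misc Attack] [Priority: 2]: {TCP} 192.168.1.2:49289 -> 192.168.1.1:143
Jan 20 07:23:20 gateway snort: [117:1:1] (spp_portscan2) Portscan detected from 192.168.1.2: 6 targets 9 ports in 76 seconds {UDP} 192.168.1.2:137 -> 192.168.1.255:137
Jan 20 11:22:59 gateway snort: [1:1845:4] EXPERIMENTAL IMAP list overflow attempt [Classification: Misc Attack] [Priority: 2]: {TCP} 192.168.1.2:49289 -> 192.168.1.1:143
Jan 20 11:22:59 gateway last message repeated 2 times
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ snort: \[(?P<sid>[\d:]+)\] .*?"
    r"(?: \[Classification: [^\]]*\] \[Priority: \d+\]:)? \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
REPEAT_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ last message repeated (?P<n>\d+) times$")

def summarize(log_text):
    """Group alerts by (sid, proto, src, sport, dst, dport): count and hours spanned.
    syslog's 'last message repeated N times' is credited to the previous alert."""
    flows, last_key = defaultdict(list), None
    for line in log_text.splitlines():
        if (m := ALERT_RE.match(line)):
            last_key = (m["sid"], m["proto"], m["src"], m["sport"], m["dst"], m["dport"])
            flows[last_key].append(datetime.strptime(m["ts"], "%b %d %H:%M:%S"))
        elif (m := REPEAT_RE.match(line)) and last_key:
            flows[last_key] += [datetime.strptime(m["ts"], "%b %d %H:%M:%S")] * int(m["n"])
    return {k: {"count": len(t), "span_hours": (max(t) - min(t)).total_seconds() / 3600}
            for k, t in flows.items()}

def assess(summary):
    """Triage notes a defender wants before deciding 'spoofed or compromised'."""
    notes = []
    for (sid, proto, src, sport, dst, dport), info in summary.items():
        if proto == "TCP" and info["count"] > 1 and info["span_hours"] > 1:
            # One unchanging ephemeral source port over many hours is one established TCP
            # connection; a spoofed address cannot complete the handshake such a session
            # needs, so the traffic genuinely originates on that host.
            notes.append(f"{src}:{sport} -> {dst}:{dport} sid {sid}: {info['count']} alerts over "
                         f"{info['span_hours']:.1f} h on one long-lived connection; identify the "
                         f"process on {src} holding it (e.g. a mail client) rather than suspect spoofing")
        if proto == "UDP" and dport == "137" and dst.endswith(".255"):
            # UDP 137 to the broadcast address is NetBIOS name service, normal for Samba/Windows hosts.
            notes.append(f"{src} -> {dst}:137 UDP sid {sid}: NetBIOS name broadcast, "
                         "expected on a LAN with Samba and Windows boxes")
    return notes
```

Run it over the real /var/log/secure (unwrapped) to see every distinct connection that triggered SID 1845; a source port that changes on every alert would point the other way, towards repeated fresh connections.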