Re: [linux-security] Lightning fast attacks?
- From: wietse porcupine org (Wietse Venema)
- To: linux-security redhat com
- Cc: linux-security redhat com
- Subject: Re: [linux-security] Lightning fast attacks?
- Date: Sat, 09 May 1998 11:04:12 -0400 (EDT)
Eric Wampner:
> May 8 00:35:15 osg-gw imapd[4307]: warning: can't get client address: Connection reset by peer
> May 8 00:35:15 osg-gw imapd[4307]: refused connect from unknown
>
> My question, is the attacker learning anything? Are they able to "time" their
> connection requests so they know if you are trying to track them?
This was most likely part of a network sweep to find machines
running an IMAP service.
The attacker found out that your machine is running something on
the port normally used by the IMAP server, and disconnected even
before your server had a chance to respond.
It is possible that someone will come back to exploit some
vulnerability. But that person won't be able to do much with the
wrapped IMAP server, because they would first have to find out what
addresses are authorized.
Wietse
[mod: I approved Eric's message because I wanted you all to have a
look at these "logs" and tell me and Eric (and learn for yourselves)
what probably happened. Wietse is confirming my reading of the log:
tcpd is trying to find out who it is talking to, but the remote end
already has abandoned the connection. The "legit" explanation is that
a client imap program is crashing the microsecond it has opened
the connection to your server. Whether or not it is an approved client
cannot be determined: tcpd gets an error return on the getpeername()
call, whose result would then be used to determine the authorization
of the connecting client. Unless someone can motivate why I'm wrong
here, please: discussion closed.... -- REW]
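The thread leaves the reader with two explanations for the same pair of tcpd lines: a sweep across many hosts (Wietse's reading) or a single client crashing right after connect (the moderator's "legit" case). What separates them in practice is how the "can't get client address" events cluster in time and across wrapped services. The following script is an added example, not part of this thread or of tcp_wrappers; it parses classic syslog lines, pulls out the getpeername()-failure events, and groups them into bursts. The sample log is constructed: it reuses Eric's two lines and adds made-up lines for a second wrapped service (the name `in.pop3d` is an assumption) and a later isolated event. Syslog lines carry no year, so 1998 (the year of the thread) is assumed.

```python
import re
from datetime import datetime

# Constructed sample input: Eric's two tcpd lines, plus constructed lines for a
# second wrapped service (in.pop3d is an assumed daemon name) and a later,
# isolated event. One "connect from" line shows an accepted connection for
# contrast; it is not a getpeername() failure and must be ignored.
SAMPLE_LOG = """\
May  8 00:35:15 osg-gw imapd[4307]: warning: can't get client address: Connection reset by peer
May  8 00:35:15 osg-gw imapd[4307]: refused connect from unknown
May  8 00:35:16 osg-gw in.pop3d[4308]: warning: can't get client address: Connection reset by peer
May  8 00:35:16 osg-gw in.pop3d[4308]: refused connect from unknown
May  8 00:35:16 osg-gw imapd[4309]: warning: can't get client address: Connection reset by peer
May  8 00:35:16 osg-gw imapd[4309]: refused connect from unknown
May  8 02:10:40 osg-gw imapd[5120]: warning: can't get client address: Connection reset by peer
May  8 02:10:40 osg-gw imapd[5120]: refused connect from unknown
May  8 02:11:02 osg-gw imapd[5121]: connect from 192.0.2.10
"""

# Classic syslog layout: "Mon DD HH:MM:SS host daemon[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<daemon>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# tcpd logs this when getpeername() fails, i.e. the remote end went away
# before the wrapper could identify (and therefore authorize) it.
PEER_LOST = "can't get client address"


def parse_syslog_line(line, year=1998):
    """Parse one syslog line into a dict, or return None if it does not match.
    The year is supplied by the caller because syslog omits it."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    stamp = f"{year} {m['mon']} {int(m['day']):02d} {m['time']}"
    return {
        "ts": datetime.strptime(stamp, "%Y %b %d %H:%M:%S"),
        "host": m["host"],
        "daemon": m["daemon"],
        "pid": int(m["pid"]),
        "msg": m["msg"],
    }


def peer_lost_events(log_text, year=1998):
    """Return only the events where tcpd could not get the peer address."""
    events = []
    for line in log_text.splitlines():
        ev = parse_syslog_line(line, year)
        if ev and PEER_LOST in ev["msg"]:
            events.append(ev)
    return events


def cluster_bursts(events, window_seconds=5):
    """Group events so that each one is within window_seconds of the previous
    event in its cluster. Several wrapped services hit in the same few seconds
    is the sweep pattern; a lone event fits the crashing-client explanation."""
    clusters = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if clusters and (ev["ts"] - clusters[-1][-1]["ts"]).total_seconds() <= window_seconds:
            clusters[-1].append(ev)
        else:
            clusters.append([ev])
    return clusters


def summarize(log_text, year=1998, window_seconds=5):
    """One summary record per burst: span, event count, services touched, verdict."""
    out = []
    for c in cluster_bursts(peer_lost_events(log_text, year), window_seconds):
        out.append({
            "start": c[0]["ts"].strftime("%b %d %H:%M:%S"),
            "end": c[-1]["ts"].strftime("%b %d %H:%M:%S"),
            "count": len(c),
            "services": sorted({e["daemon"] for e in c}),
            "verdict": "probable sweep" if len(c) > 1 else "isolated; possibly a crashing client",
        })
    return out


if __name__ == "__main__":
    for record in summarize(SAMPLE_LOG):
        print(record)
```

Run against a real /var/log/messages (or messages from several hosts concatenated) by reading the file into `summarize()`; a burst that touches more than one wrapped service, or that appears at the same minute on several machines, is the sweep signature, while a single event that repeats at irregular intervals from one service is the pattern to expect from a misbehaving legitimate client. Since the peer address is unavailable in these lines, the script deliberately keys on time and service rather than on a source host.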