I am seeing a steady trickle of scans for port 110 against my honeypot. Initially, I believed that the goal was brute forcing e-mail passwords. But instead, when setting up a quick netcat listener, I am seeing binary content without any obvious purpose. Various POP3 daemons have had vulnerabilities in the past, so maybe there is a way this is exploited? Or is someone looking for backdoors that happen to listen on port 110 to disguise themselves? Can anybody help out with any ideas as to what this is about? Here is a typical payload:
UPDATE: OK, this was a bit too easy. After a bit of staring at the payload, it looked familiar. Turns out that this is an SSL Client Hello (the 0x16 0x03 0x01 preamble gave it away). So now back to giving the attacker an SSL-enabled server to play with.
Johannes, 4068 Posts, ISC Handler, Feb 6th 2017
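To turn the observation in the update into a repeatable check, here is an added example (not code from the diary or from Johannes) that parses the bytes a netcat listener would capture and reports whether they are a TLS ClientHello. The 0x16 0x03 0x01 preamble is the TLS record header: content type 22 (handshake) followed by record-layer version 3.1 (TLS 1.0), which clients keep sending for compatibility even when the ClientHello body asks for TLS 1.2 or 1.3, so the header alone does not tell you what the scanner really speaks. The sample payload, the host name mail.example.com and the two cipher suites are constructed for the example, not captured traffic.

```python
"""Added example: recognise a TLS ClientHello in bytes captured on port 110.

0x16 0x03 0x01 is the record header (content type 22 = handshake, record
version 3.1 = TLS 1.0).  The version the client actually wants, its cipher
suites and the SNI host name live inside the ClientHello body.
"""
import struct
from typing import Optional

CONTENT_TYPE_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}


def parse_client_hello(data: bytes) -> Optional[dict]:
    """Return record/client version, cipher suites and SNI if `data` starts
    with a TLS ClientHello record; return None for anything else, such as a
    plain-text POP3 command or a truncated blob."""
    try:
        if data[0] != CONTENT_TYPE_HANDSHAKE:
            return None
        rec_ver, rec_len = struct.unpack("!HH", data[1:5])
        if rec_ver not in VERSIONS:
            return None
        body = data[5:5 + rec_len]
        if body[0] != HANDSHAKE_CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(body[1:4], "big")
        hello = body[4:4 + hs_len]
        client_ver = struct.unpack("!H", hello[0:2])[0]
        pos = 2 + 32                          # skip client_version + random
        pos += 1 + hello[pos]                 # session_id (length-prefixed)
        (cs_len,) = struct.unpack("!H", hello[pos:pos + 2])
        pos += 2
        suites = [struct.unpack("!H", hello[i:i + 2])[0]
                  for i in range(pos, pos + cs_len, 2)]
        pos += cs_len
        pos += 1 + hello[pos]                 # compression_methods
        sni = None
        if pos + 2 <= len(hello):             # extensions are optional
            (ext_len,) = struct.unpack("!H", hello[pos:pos + 2])
            pos += 2
            end = pos + ext_len
            while pos + 4 <= end:
                ext_type, elen = struct.unpack("!HH", hello[pos:pos + 4])
                ext = hello[pos + 4:pos + 4 + elen]
                pos += 4 + elen
                # server_name (type 0): list_len(2) name_type(1) name_len(2) name
                if ext_type == 0 and len(ext) >= 5 and ext[2] == 0:
                    (name_len,) = struct.unpack("!H", ext[3:5])
                    sni = ext[5:5 + name_len].decode("ascii", "replace")
    except (struct.error, IndexError):
        return None                           # short read or not TLS at all
    return {"record_version": VERSIONS[rec_ver],
            "client_version": VERSIONS.get(client_ver, hex(client_ver)),
            "cipher_suites": suites, "sni": sni}


def build_client_hello(server_name: str, cipher_suites: list,
                       client_ver: int = 0x0303) -> bytes:
    """Build a minimal ClientHello behind a TLS 1.0 record header, the way
    real clients do.  Used only to construct the sample payload below."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name
    sni_ext = struct.pack("!H", len(sni_entry)) + sni_entry
    exts = struct.pack("!HH", 0, len(sni_ext)) + sni_ext
    suites = b"".join(struct.pack("!H", c) for c in cipher_suites)
    hello = (struct.pack("!H", client_ver) + bytes(range(32))   # fixed "random"
             + b"\x00"                                          # empty session_id
             + struct.pack("!H", len(suites)) + suites
             + b"\x01\x00"                                      # null compression
             + struct.pack("!H", len(exts)) + exts)
    handshake = (bytes([HANDSHAKE_CLIENT_HELLO])
                 + len(hello).to_bytes(3, "big") + hello)
    return (bytes([CONTENT_TYPE_HANDSHAKE]) + b"\x03\x01"
            + struct.pack("!H", len(handshake)) + handshake)


# Constructed sample standing in for what the netcat listener captured.
SAMPLE_PAYLOAD = build_client_hello("mail.example.com", [0xC02F, 0x009C])

if __name__ == "__main__":
    print(SAMPLE_PAYLOAD[:5].hex(" "))        # starts 16 03 01 ...
    print(parse_client_hello(SAMPLE_PAYLOAD))
    print(parse_client_hello(b"USER admin\r\n"))   # None: plain POP3, not TLS
```

Feed it the raw bytes from the listener (for example `nc -l -p 110 > capture.bin` and then `parse_client_hello(open("capture.bin", "rb").read())`) and it distinguishes an implicit-TLS probe from a real POP3 brute-force attempt in one call; the cipher suites and SNI it extracts are also what you would compare across sources to see whether the scanners share one tool.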
It's the 'Russian Hackers'...
Anonymous, Feb 6th 2017
I may have seen one of these this morning... Interesting that the source IP was McGill College. Is there an intent we should be wary of?
Anonymous, Feb 6th 2017