New IMAP scanning tool?

Been getting quite a bit of this in the 'secure' log within the last few days.

Nov 28 07:29:22 lydgate xinetd[7641]: START: imap pid=24240 from=217.35.91.223
Nov 28 07:29:22 lydgate xinetd[7641]: EXIT: imap pid=24240 duration=0(sec)
Nov 28 15:48:45 lydgate xinetd[7641]: START: imap pid=24599 from=81.174.141.187
Nov 28 15:48:45 lydgate xinetd[7641]: EXIT: imap pid=24599 duration=0(sec)
Nov 29 01:42:18 lydgate xinetd[7641]: START: imap pid=25123 from=212.19.61.210
Nov 29 01:42:21 lydgate xinetd[7641]: EXIT: imap pid=25123 duration=3(sec)

I've found http://www.cotse.com/sw/portscan/imapd_scan.sh but AFAIK this an old thing

Is there a new imap scanning tool doing the rounds?

Steve

Two new IMAP vulns are responsible for the additional traffic.

Here

There must be a new tool around, just for 143 scanning since any general scans would have tripped countermeasures.

Anyone seen any example scripts/code.

Steve

There was a Remote Mercury32 IMAP *working* exploit posted to the FD, however, this was only posted on the 30th....

http://lists.netsys.com/pipermail/fu...er/029629.html

The following was posted on the Internet Storm Center yesterday:

Quote:

---

Scans against port 143 (imap) are up considerably today: http://isc.sans.org/port_details.php?port=143
This coincides with the release of an exploit against imap server in Mercury Mail 4.01 (aka Pegasus Mail). For details, seehttp://www.pmail.com/ . I don't think this package is very popular, but some Windows users may use it as an easy to administer/install mailserver.

In addition, a number of vulnerabilities against the popular Cyrus IMAP server where released last week:http://security.e-matters.de/advisories/152004.html

---

Cheers:

There's an echo, echoo, echoo.....

Sorry Tiger, not enough coffee yet....... :rolleyes:

Cheers: