SSLv3 attack on pop3?
We turned off SSLv3 support on our pop/imap running dovecot on Oct 16th, we did check that all users where using TLSv1 and there have been no complaints (except one old windows-phone).
But at 13:00 UTC today, suddenly strange entries is seen in the logfile: Error: SSL: Stacked error: error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message: SSL alert number 10
Followed by: pop3-login: Disconnected (no auth attempts in 2 secs) user=<>, rip=
Some 20 ips have been seen so far, all ips are uniq and none have used our server lately. Just one resoved and it's name ends .cn, some lookups with whois leads to the same origin for all.
This makes me anxious that some have made some poodle-like thing for pop3?
hmk
On 10/31/2014 3:02 PM, Hans Morten Kind Kind@adm.uib.no wrote:
We turned off SSLv3 support on our pop/imap running dovecot on Oct 16th, we did check that all users where using TLSv1 and there have been no complaints (except one old windows-phone).
But at 13:00 UTC today, suddenly strange entries is seen in the logfile: Error: SSL: Stacked error: error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message: SSL alert number 10
Followed by: pop3-login: Disconnected (no auth attempts in 2 secs) user=<>, rip=
Some 20 ips have been seen so far, all ips are uniq and none have used our server lately. Just one resoved and it's name ends .cn, some lookups with whois leads to the same origin for all.
This makes me anxious that some have made some poodle-like thing for pop3?
Can you show full log entries?
On Fri, Oct 31, 2014 at 03:47:33PM -0400, Charles Marcus wrote:
On 10/31/2014 3:02 PM, Hans Morten Kind Kind@adm.uib.no wrote:
This makes me anxious that some have made some poodle-like thing for pop3?
Can you show full log entries?
There is much more to show, but have a peek on port 995 with https://isc.sans.edu/port.html
The boost seems to have passed hmk
participants (2)
-
Charles Marcus
-
Hans Morten Kind