Security Basics mailing list archives

RE: Need your help!!!


From: Meidinger Chris <chris.meidinger () badenit de>
Date: Tue, 23 Sep 2003 16:37:24 +0100

Use either fport or netstat -ano to find out what processes are listening on
all those ports, and send it to the list please. I cannot imagine that that
many ports are open for what you are running. My gut feeling is that you are
compromised.

So please send output of fport (from foundstone.com) so you can see what
processes have those ports open, and start checking the binaries that own
those ports against the hash sums of known good binaries.

-----Original Message-----
From: Birl [mailto:sbirl () temple edu] 
Sent: Monday, September 22, 2003 6:54 PM
To: security-basics () securityfocus com
Subject: Re: Need your help!!!


As it was written on Sep 20, thus chang zhu typed:

Chang:  Date: Sat, 20 Sep 2003 08:19:39 -0700 (PDT)
Chang:  From: chang zhu <cyz2000 () yahoo com>
Chang:
Chang:  Hi, all
Chang:
Chang:  Some people connect to my Exchange 2000 server every
Chang:  day and send all their spam out.  When I go to current
Chang:  sessions under SMTP protocols and default SMTP virtual
Chang:  server from Exchange System Manager, I can see these
Chang:  people's connections and IP addresses (no domain name
Chang:  shows up, only a fake name and IP).  I do not
Chang:  know how to block them.


Ummm ... a firewall?


Chang:  This is an Exchange 2000 server
Chang:  with SP3 behind a PIX firewall.  We only open ports
Chang:  25, 443 and 80 for this exch 2k server on the PIX. The MX
Chang:  record points to this server. If I use NMAP
Chang:  to scan this box internally, here are the ports open:
Chang:
Chang:
Chang:  25/tcp     open        smtp
Chang:  80/tcp     open        http
Chang:  110/tcp    open        pop-3
Chang:  119/tcp    open        nntp
Chang:  135/tcp    open        loc-srv
Chang:  139/tcp    open        netbios-ssn
Chang:  143/tcp    open        imap2
Chang:  443/tcp    open        https
Chang:  445/tcp    open        microsoft-ds
Chang:  563/tcp    open        snews
Chang:  593/tcp    open        http-rpc-epmap
Chang:  691/tcp    open        resvc
Chang:  993/tcp    open        imaps
Chang:  995/tcp    open        pop3s
Chang:  3372/tcp   open        msdtc
Chang:  3389/tcp   open        ms-term-serv
Chang:  6000/tcp   open        X11
Chang:  6001/tcp   open        X11:1
Chang:  6003/tcp   open        X11:3
Chang:  6005/tcp   open        X11:5
Chang:  7001/tcp   open        afs3-callback
Chang:  8081/tcp   open        blackice-icecap
Chang:
Chang:  x11?


X11 is X-windows.  More-or-less windows for a UNIX machine.
But since you're running Windoze, I'm not sure what's listening on TCP
600[0-1,3,5].

Recommend you get nmap 3.45 and run it with the newly added -sV flag to see
what's listening.  Moreover, you should download TCPView and leave it
running.



(and you should make sure that your lines below don't word-wrap)

Chang:  When I do netstat -na, the following is shown as part of the result:
Chang:
Chang:  TCP    127.0.0.1:25           127.0.0.1:54441        TIME_WAIT
Chang:  TCP    127.0.0.1:25           127.0.0.1:54898        TIME_WAIT
Chang:  TCP    127.0.0.1:25           127.0.0.1:54904        TIME_WAIT
Chang:  TCP    127.0.0.1:25           127.0.0.1:54914        TIME_WAIT
Chang:  TCP    127.0.0.1:25           127.0.0.1:54916        TIME_WAIT
Chang:  TCP    127.0.0.1:25           127.0.0.1:54988        TIME_WAIT
Chang:  TCP    127.0.0.2:25           127.0.0.2:54433        TIME_WAIT
Chang:  TCP    127.0.0.2:25           127.0.0.2:54434        TIME_WAIT
Chang:  TCP    127.0.0.2:25           127.0.0.2:54442        TIME_WAIT
Chang:  TCP    127.0.0.2:25           127.0.0.2:54443        TIME_WAIT
Chang:  TCP    127.0.0.2:25           127.0.0.2:54444        TIME_WAIT
Chang:  TCP    127.0.0.2:25           127.0.0.2:54445        TIME_WAIT
Chang:  TCP    127.0.0.2:25           127.0.0.2:54446        TIME_WAIT
Chang:  TCP    127.0.0.2:25           127.0.0.2:54454        TIME_WAIT
Chang:  TCP    127.0.0.2:25           127.0.0.2:54890        TIME_WAIT
Chang:  TCP    127.0.0.2:25           127.0.0.2:54893        TIME_WAIT
Chang:  TCP    127.0.0.2:25           127.0.0.2:54903        TIME_WAIT
Chang:  TCP    127.0.0.2:25           127.0.0.2:54911        TIME_WAIT
Chang:  TCP    127.0.0.2:25           127.0.0.2:54913        TIME_WAIT
Chang:  TCP    127.0.0.2:25           127.0.0.2:54915        TIME_WAIT
Chang:  TCP    127.0.0.2:25           127.0.0.2:54917        TIME_WAIT
Chang:  TCP    127.0.0.2:25           127.0.0.2:54918        TIME_WAIT
Chang:  TCP    127.0.0.2:25           127.0.0.2:54919        TIME_WAIT
Chang:  TCP    127.0.0.100:25         127.0.0.100:54905      TIME_WAIT
Chang:  TCP    127.0.0.100:25         127.0.0.100:54912      TIME_WAIT
Chang:  TCP    127.0.1.50:25          127.0.1.50:54456       TIME_WAIT
Chang:
Chang:  This server is not an open relay server, so how
Chang:  can spammers connect to this server to send all their spam out
Chang:  from different domain addresses?
Chang:
Chang:  Due to limited experience, I am not able to tackle it.
Chang:  Many anti-spam companies put our server on their
Chang:  lists.  I asked them to send me reports indicating that
Chang:  all the spam truly went out through my server, from the mail
Chang:  header info.
Chang:
Chang:  I need to resolve this ASAP and any suggestion or
Chang:  solutions will be greatly appreciated.
Chang:
Chang:
Chang:  Thanks for all your attention and help,


These are all internal IPs.  Do you know if these IPs are actually in use,
or do you think they are forged?  I see you mentioned "... fake name and IP
..." but I do not see any "fake" names.



Thanks

 Scott Birl                              http://concept.temple.edu/sysadmin/
 Senior Systems Administrator            Computer Services   Temple University
====*====*====*====*====*====*====*====+====*====*====*====*====*====*====*====*
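The port-to-process mapping and hash check Chris describes, plus Scott's point that loopback peers are not outside connections, as an added worked example (not code from anyone in this thread). It assumes `netstat -ano` output and `tasklist /fo csv /nh` output captured on the Exchange host (tasklist is from XP/2003 and later; on Windows 2000 fport or tlist gives the same PID-to-image mapping); the sample output, PIDs, image paths and reference bytes below are all constructed for the example.

```python
"""Map listening ports to their owning process and hash-check each image.

Added example, not from the thread. Parses constructed `netstat -ano` and
`tasklist /fo csv /nh` output, lists what owns each listening port, flags
non-loopback peers on port 25, and compares each owning binary against a
known-good SHA-256 list. Every value below is constructed.
"""
import csv
import hashlib
import io
from collections import namedtuple

Conn = namedtuple("Conn", "proto laddr lport faddr fport state pid")


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Constructed `netstat -ano` output (Windows); header lines are skipped.
NETSTAT_ANO = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1532
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1532
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1104
  TCP    0.0.0.0:6000           0.0.0.0:0              LISTENING       2240
  TCP    127.0.0.1:25           127.0.0.1:54441        TIME_WAIT       0
  TCP    10.0.0.5:25            203.0.113.7:4021       ESTABLISHED     1532
  UDP    0.0.0.0:137            *:*                                    4
"""

# Constructed `tasklist /fo csv /nh` output: "Image Name","PID",...
TASKLIST_CSV = '''"System","4","Console","0","236 K"
"inetinfo.exe","1532","Console","0","18,420 K"
"svchost.exe","1104","Console","0","4,912 K"
"ntsrv.exe","2240","Console","0","1,204 K"
'''

# Bytes standing in for files read from clean install media (constructed);
# KNOWN_GOOD is the hash list you keep for comparison.
REFERENCE_BUILDS = {
    r"C:\WINNT\system32\inetsrv\inetinfo.exe": b"inetinfo.exe clean build (constructed)",
    r"C:\WINNT\system32\svchost.exe": b"svchost.exe clean build (constructed)",
}
KNOWN_GOOD = {path: sha256(data) for path, data in REFERENCE_BUILDS.items()}

# PID -> (image path, bytes of that file on the suspect host). In practice the
# path comes from fport / Process Explorer and the bytes from disk; embedded
# here so the example runs offline. svchost.exe is tampered and ntsrv.exe is a
# binary no reference list knows (both constructed).
IMAGE_FILES = {
    1532: (r"C:\WINNT\system32\inetsrv\inetinfo.exe",
           REFERENCE_BUILDS[r"C:\WINNT\system32\inetsrv\inetinfo.exe"]),
    1104: (r"C:\WINNT\system32\svchost.exe", b"svchost.exe tampered copy (constructed)"),
    2240: (r"C:\WINNT\system32\ntsrv.exe", b"unknown binary found on the host (constructed)"),
}


def _split_addr(addr):
    """'10.0.0.5:25' -> ('10.0.0.5', 25); '*:*' -> ('*', None)."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat_ano(text):
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue
        if fields[0] == "TCP":
            proto, local, foreign, state, pid = fields
        else:  # UDP rows carry no state column
            proto, local, foreign, pid = fields
            state = ""
        conns.append(Conn(proto, *_split_addr(local), *_split_addr(foreign), state, int(pid)))
    return conns


def parse_tasklist_csv(text):
    """tasklist CSV rows -> {pid: image name}."""
    return {int(row[1]): row[0] for row in csv.reader(io.StringIO(text)) if row}


def listeners(conns, procs):
    """Listening sockets (TCP LISTENING, any UDP) joined with the owning process."""
    rows = [(c.proto, c.lport, c.pid, procs.get(c.pid, "<unknown pid>"))
            for c in conns if c.proto == "UDP" or c.state == "LISTENING"]
    return sorted(rows, key=lambda r: (r[1], r[0]))


def external_peers(conns, local_port=25):
    """Foreign addresses on local_port that are neither loopback nor a wildcard."""
    return sorted({c.faddr for c in conns
                   if c.lport == local_port and c.faddr not in ("*", "0.0.0.0")
                   and not c.faddr.startswith("127.")})


def check_images(listen_rows, image_files, known_good):
    """(proto, port) -> (process, path, verdict) after hashing each owning image."""
    results = {}
    for proto, port, pid, name in listen_rows:
        if pid not in image_files:  # e.g. kernel-owned sockets under PID 4
            results[(proto, port)] = (name, None, "NO IMAGE PATH")
            continue
        path, data = image_files[pid]
        if path not in known_good:
            verdict = "UNKNOWN BINARY"
        elif known_good[path] == sha256(data):
            verdict = "ok"
        else:
            verdict = "HASH MISMATCH"
        results[(proto, port)] = (name, path, verdict)
    return results


if __name__ == "__main__":
    conns = parse_netstat_ano(NETSTAT_ANO)
    rows = listeners(conns, parse_tasklist_csv(TASKLIST_CSV))
    results = check_images(rows, IMAGE_FILES, KNOWN_GOOD)
    for proto, port, pid, name in rows:
        _, path, verdict = results[(proto, port)]
        print(f"{proto:3} {port:>5}  pid {pid:<5} {name:14} {verdict:14} {path or ''}")
    print("non-loopback peers on :25 ->", external_peers(conns))
```

The two interesting verdicts are the ones the thread asks for: a port owned by a binary whose hash differs from the clean copy (HASH MISMATCH) and a port owned by something not on any known-good list at all (UNKNOWN BINARY); either one is where to start looking. The TIME_WAIT rows on 127.0.0.x are filtered out of the peer list because, as Scott notes, they are the host talking to itself, so only the 203.0.113.7 session on port 25 is reported as an outside connection.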

