Re: Spoofed SMTP _outbound_

[epperson () pen k12 va us]

Hi,

Thanks to the many who wrote with suggestions on identifying the source platform--we were already working
to do that when I posted.  We trapped the MAC address and identified it as a new Linux box which had been
booted up on the DMZ with the manufacturer's default Linux install.

What I was hoping for was for someone to recognize the traffic pattern and tell us what sort of trojan/worm/etc
might be generating it.  What we found was a rootkit installed via an anonymous ftp vulnerability.  We have not
been able to match this rootkit up to existing reports as yet.  More when we know more.

regards,
j.

firewall-wizards-request () nfr com wrote:

>   ------------------------------------------------------------------------
>
> Subject: RE: [fw-wiz] Spoofed SMTP _outbound_
> Date: Thu, 17 Jan 2002 09:29:47 +0100
> From: Karl Vogel <karl.vogel () seagha com>
> To: 'Jay Epperson' <jepperso () mail vak12ed edu>,
>      firewall-wizards () nfr com
>
> If your router is a cisco, then you could add 'log-input' to the ACL. Once
> you
> do that, it will log the incoming interface and for ethernet it will show
> the
> MAC address of the source. Once you have the MAC address, you can determin
> which
> machine is doing the spoofing (if all the machines are connected by Catalyst
> switches, you can use  'show mac-address-table address xxxx.xxxx.xxxx' to
> find
> out to which port the machine is connected to).
>
> Regards,
> Karl.
>
> -----Original Message-----
> From: Jay Epperson [mailto:jepperso () mail vak12ed edu]
> Sent: Wednesday, January 16, 2002 22:14
> To: firewall-wizards () nfr com
> Subject: [fw-wiz] Spoofed SMTP _outbound_
>
> We're seeing source-spoofed traffic outbound from one of our segments to the
> SMTP port on a variety of outside addresses.  The denials are like:
>
> denied tcp 99.99.99.9(1328) -> 00.00.00.159(25), 138 packets
>
> (not the real network numbers)
> Where the source address cycles through all addresses on the IP segment
> (1-254) and the destination stays fixed through such a run.  Since the
> majority of the source addresses don't actually exist on our network, it
> smells like part of a DOS, or a one-way vulnerability attack intended to
> open up access to the target from somewhere besides here.  Still working to
> capture enough information to identify the actual source platform, but if
> anyone can tell us what kind of animal we might be tracking, it could help.
> Boxes on the segment are all either Linux (new), HP-UX (mature), or AIX
> (ancient).

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards