Firewall Wizards mailing list archives
Re: Spoofed SMTP _outbound_
From: epperson () pen k12 va us
Date: Wed, 23 Jan 2002 12:11:02 -0500
Hi,

Thanks to the many who wrote with suggestions on identifying the source platform--we were already working to do that when I posted. We trapped the MAC address and identified it as a new Linux box which had been booted up on the DMZ with the manufacturer's default Linux install.

What I was hoping for was for someone to recognize the traffic pattern and tell us what sort of trojan/worm/etc might be generating it. What we found was a rootkit installed via an anonymous ftp vulnerability. We have not been able to match this rootkit up to existing reports as yet. More when we know more.

regards,
j.

firewall-wizards-request () nfr com wrote:
------------------------------------------------------------------------
Subject: RE: [fw-wiz] Spoofed SMTP _outbound_
Date: Thu, 17 Jan 2002 09:29:47 +0100
From: Karl Vogel <karl.vogel () seagha com>
To: 'Jay Epperson' <jepperso () mail vak12ed edu>, firewall-wizards () nfr com

If your router is a cisco, then you could add 'log-input' to the ACL. Once you do that, it will log the incoming interface and for ethernet it will show the MAC address of the source. Once you have the MAC address, you can determine which machine is doing the spoofing (if all the machines are connected by Catalyst switches, you can use 'show mac-address-table address xxxx.xxxx.xxxx' to find out to which port the machine is connected).

Regards,
Karl.

-----Original Message-----
From: Jay Epperson [mailto:jepperso () mail vak12ed edu]
Sent: Wednesday, January 16, 2002 22:14
To: firewall-wizards () nfr com
Subject: [fw-wiz] Spoofed SMTP _outbound_

We're seeing source-spoofed traffic outbound from one of our segments to the SMTP port on a variety of outside addresses. The denials are like:

denied tcp 99.99.99.9(1328) -> 00.00.00.159(25), 138 packets

(not the real network numbers)

Where the source address cycles through all addresses on the IP segment (1-254) and the destination stays fixed through such a run. Since the majority of the source addresses don't actually exist on our network, it smells like part of a DOS, or a one-way vulnerability attack intended to open up access to the target from somewhere besides here.

Still working to capture enough information to identify the actual source platform, but if anyone can tell us what kind of animal we might be tracking, it could help. Boxes on the segment are all either Linux (new), HP-UX (mature), or AIX (ancient).
_______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://list.nfr.com/mailman/listinfo/firewall-wizards
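The pattern Jay describes (one destination and port held fixed while the source address walks through every host of the local segment, most of which do not exist) is easy to pick out of ACL denials automatically, and once 'log-input' is on the ACL the same lines also carry the inbound interface and source MAC that Karl suggests using to locate the box. The following is an added example, not code from the thread or from any of the posters: it parses denial lines of the shape quoted above, groups them by destination, flags runs of many distinct source addresses from a single /24 that mostly are not real hosts, and collects any MAC addresses that were logged. The sample log lines, the host list, the RFC 5737 addresses and the exact "(interface mac)" form that 'log-input' adds are all constructed for the example, not taken from the thread.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample denials, shaped like the one quoted in the thread. The
# "(Ethernet0 0000.0c12.3456)" group on one line is the assumed form of what
# 'log-input' adds (incoming interface and source MAC); the addresses are
# documentation ranges, not real hosts.
SAMPLE_LOG = """\
denied tcp 192.0.2.1(1328) -> 198.51.100.159(25), 138 packets
denied tcp 192.0.2.2(1329) -> 198.51.100.159(25), 140 packets
denied tcp 192.0.2.3(1330) -> 198.51.100.159(25), 135 packets
denied tcp 192.0.2.4(1331) -> 198.51.100.159(25), 137 packets
denied tcp 192.0.2.5(1332) -> 198.51.100.159(25), 142 packets
denied tcp 192.0.2.6(1333) (Ethernet0 0000.0c12.3456) -> 198.51.100.159(25), 130 packets
denied tcp 192.0.2.10(2001) -> 203.0.113.5(80), 3 packets
"""

# Constructed inventory: the addresses that really exist on the segment.
KNOWN_HOSTS = ["192.0.2.1", "192.0.2.2", "192.0.2.10"]

DENIAL_RE = re.compile(
    r"denied (?P<proto>\w+) (?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\)"
    r"(?: \((?P<iface>\S+) (?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\))?"
    r" -> (?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\), (?P<pkts>\d+) packets?"
)


def parse_denial(line):
    """Return the fields of one ACL denial line, or None if it does not match."""
    m = DENIAL_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "pkts"):
        rec[key] = int(rec[key])
    return rec


def find_source_sweeps(lines, known_hosts, min_sources=4):
    """Flag destinations hit from many distinct sources that all sit in one /24.

    A single spoofing host cycling through its own segment produces exactly
    that shape, and the sources that are not in the inventory are the spoofed
    ones. Any MAC logged by 'log-input' is reported so the real sender can be
    looked up on the switch.
    """
    known = {ip_address(h) for h in known_hosts}
    by_target = defaultdict(list)
    for line in lines:
        rec = parse_denial(line)
        if rec:
            by_target[(rec["dst"], rec["dport"])].append(rec)

    findings = []
    for (dst, dport), recs in sorted(by_target.items()):
        sources = {ip_address(r["src"]) for r in recs}
        if len(sources) < min_sources:
            continue
        subnets = {ip_network(f"{s}/24", strict=False) for s in sources}
        if len(subnets) != 1:
            continue  # sources spread across subnets: not the segment sweep
        unknown = sorted(s for s in sources if s not in known)
        macs = sorted({r["mac"] for r in recs if r["mac"]})
        findings.append({
            "dst": dst,
            "dport": dport,
            "subnet": str(next(iter(subnets))),
            "distinct_sources": len(sources),
            "unknown_sources": len(unknown),
            "packets": sum(r["pkts"] for r in recs),
            "source_macs": macs,
        })
    return findings


if __name__ == "__main__":
    for f in find_source_sweeps(SAMPLE_LOG.splitlines(), KNOWN_HOSTS):
        print(f"{f['dst']}:{f['dport']} swept from {f['distinct_sources']} sources in "
              f"{f['subnet']} ({f['unknown_sources']} not in inventory, "
              f"{f['packets']} packets); MACs seen: {f['source_macs'] or 'none'}")
```

The /24 check is what separates a spoofing host on the local segment from ordinary spread of legitimate senders; the inventory comparison turns "many sources" into "sources that cannot be real", which is the observation Jay used to call the traffic spoofed in the first place. On a Cisco router the MAC reported in `source_macs` is the value to feed to 'show mac-address-table address' as Karl describes.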
Current thread:
- Spoofed SMTP _outbound_ Jay Epperson (Jan 16)
- <Possible follow-ups>
- RE: Spoofed SMTP _outbound_ Karl Vogel (Jan 17)
- Re: Spoofed SMTP _outbound_ Antonomasia (Jan 18)
- Re: Spoofed SMTP _outbound_ epperson (Jan 23)