Full Disclosure mailing list archives

RE: HTTP request with SMTP message


From: Seamus Hartmann <shartmann () fujifilmesys com>
Date: Mon, 24 Nov 2003 14:34:25 -0500

Hey, just a quick note to let you know there IS a company that makes a nice
url rewrite engine for IIS.

http://www.isapirewrite.com/

Ok, true, it's an add on, so is mod_rewrite. Also, true, it requires that
you restart the Windows OS (you only have to restart the apache daemon when
you recompile apache for mod_rewrite). However, this product will do the
same thing that apache's mod_rewrite will do. The Lite version is free. NOT
GPL free, true. Not included in every version of IIS, true. But the
important thing is that IIS folk can do the same stuff that you can do with
apache, and that's the end goal here, I believe.

Check the FAQ and the documentation please, there are lots of examples on how
to write regex stuff for this type of issue.

I don't work for this company, but it's a nice little tool that I've used in
the past when inserted into microsoft sites...

YMMV of course.

Séamus Hartmann
CCNA, CISSP
Senior Network Engineer
Fuji Film, eSystems
(585) 340-4200


-----Original Message-----
From: Lorenzo Hernandez Garcia-Hierro [mailto:lorenzohgh () nsrg-security com] 
Sent: Monday, November 24, 2003 1:43 PM
To: Full-Disclosure; Tiago Halm
Subject: Re: [Full-disclosure] HTTP request with SMTP message


Hi Tiago,
This is the same abuse that normally affects Apache (with Apache you can
use mod_rewrite to redirect this type of abuse to another URL). This is the
proof that open source is better :) In IIS you can set some rules, or use
urlscan, etc. Try to install an IDS in front of the webserver and filter
the requests to HTTP that contain the headers of an SMTP transfer.
___snippet of mod_rewrite for apache :)____

If you want to use Apache instead of IIS:
:) it's better of course!

RewriteEngine on

# RewriteLog / RewriteLogLevel are the Apache 1.3 - 2.2 directives
# (Apache 2.4 replaced them with "LogLevel alert rewrite:trace1")
RewriteLog "/[log dir]/fsckers-smtp-t-http.log"

RewriteLogLevel 1

# %{THE_REQUEST} is the whole request line, so anchor on the method:
# an unanchored "CONNECT.*" would also match "GET /CONNECTIONS ..."
RewriteCond %{THE_REQUEST} ^CONNECT

# the request-URI of a CONNECT is "host:port", not a path ending in "/",
# so the rule has to match any URI rather than "/$"
RewriteRule .* /youfuckerspammer.html [L]



why this ?

Because attackers normally use a netcat connection to dump the SMTP relay
information for transferring emails, etc.:

trulux@hell /home/trulux:$  netcat www.pooradmintothehell.foo 80
CONNECT smtp.mail.yahoo.com:25 HTTP/1.0

and the webserver receives the CONNECT line; with mod_rewrite this request
will not work. If you want to see who is trying this, simply check for apache
log entries like this:

127.0.0.1 - - [[date]] "CONNECT smtp.mail.yahoo.com:25 HTTP/1.0" 200 203 "-" "-"

___/snippet___

I hope this post will help you a little to take the correct way to protect
your webserver :)

Best regards to all FD,
-------------------------------
0x00->Lorenzo Hernandez Garcia-Hierro
0x01->\x74\x72\x75\x6c\x75\x78
0x02->The truth is out there,
0x03-> outside your mind .
__________________________________
PGP: Keyfingerprint
4ACC D892 05F9 74F1 F453  7D62 6B4E B53E 9180 5F5B
ID: 0x91805F5B
**********************************
\x6e\x73\x72\x67
\x73\x65\x63\x75\x72\x69\x74\x79 \x72\x65\x73\x65\x61\x72\x63\x68
http://www.nsrg-security.com ______________________
----- Original Message ----- 
From: "Tiago Halm" <thalm () netcabo pt>
To: <full-disclosure () lists netsys com>
Sent: Monday, November 24, 2003 5:25 PM
Subject: [Full-disclosure] HTTP request with SMTP message


It's not the first time, but I gave up trying to figure it out. My IIS 
(port 80) received this HTTP request from x.x.x.x.

Any thoughts ?

----------------------------------------------------------------------------------------
POST http://x.x.x.x:25/ HTTP/1.1
Content-type: application/octet-stream
Content-length: 540
Host: x.x.x.x

HELO ps.com
MAIL FROM:<vsuhfbovuhs () socal rr com>
RCPT TO: <looc_si_maps () yahoo ie>
DATA
Message-ID: 
<080083058050049051046050050046055052046050052052058052058056048 () ps com>
To: <looc_si_maps () yahoo ie>
From:vsuhfbovuhs () socal rr com
Subject: no doubt homie
Date: Sat, 22 Nov 2003 10:06:34 -0800
MIME-Version: 1.0
Content-Type: text/plain;
charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook Express 5.00.3018.1300
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.3018.1300

Message Body
.
QUIT
----------------------------------------------------------------------------------------

Tiago Halm
http://www.kodeit.org
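Both tricks discussed in this thread (Lorenzo's "CONNECT mailhost:25" sent with netcat, and the POST with an absolute URI on port 25 carrying a whole SMTP session that Tiago captured) leave the same fingerprint: a proxy-style request target aimed at an SMTP port, and optionally a body full of SMTP commands. The following detector is an added example written for this archive page; it is not code posted by any participant in the thread. It classifies a raw request and scans Apache-style access log lines. The sample request, the log lines, the hostnames and the 192.0.2.x / 198.51.100.x addresses are all constructed for the example (modelled on the captures above, not copied from them), and the choice to treat a 2xx answer to such a request as "relayed" is an assumption about what a non-proxying origin server should never do.

```python
"""Detect SMTP relay probes arriving over HTTP.

Added example for this thread, not code posted by any of the participants.
Two patterns are covered:
  1. 'CONNECT <mailhost>:25' (the netcat trick described in the thread)
  2. a POST/GET whose absolute-form URI points at port 25 and whose body is
     an SMTP dialogue (HELO / MAIL FROM / RCPT TO / DATA / QUIT)
All sample requests and log lines below are constructed for the example.
"""
import re
from urllib.parse import urlsplit

# Ports an open-proxy abuser would tunnel to in order to send mail.
SMTP_PORTS = {25, 465, 587}

# SMTP commands at the start of a line in the request body.
SMTP_VERBS = re.compile(
    rb"^(HELO\s|EHLO\s|MAIL FROM:|RCPT TO:|DATA\s*$|QUIT\s*$)", re.I | re.M)

# Apache common/combined log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def request_target(method, target):
    """Return the (host, port) a proxy-style request asks the server to reach,
    or None for an ordinary origin-form target such as '/index.html'."""
    if method == "CONNECT":
        host, sep, port = target.rpartition(":")
        if not sep:                      # 'CONNECT host' with no port: assume TLS default
            return target, 443
        return host, int(port) if port.isdigit() else 443
    if "://" in target:                  # absolute-form URI: 'POST http://host:25/'
        u = urlsplit(target)
        return u.hostname, u.port or (443 if u.scheme == "https" else 80)
    return None


def classify_request(raw):
    """Classify one raw HTTP request (bytes) as 'ordinary', 'proxy-probe' or
    'relay-abuse', together with the reasons that led to the verdict."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:                          # tolerate bare-LF requests
        head, _, body = raw.partition(b"\n\n")
    request_line = head.splitlines()[0].decode("latin-1") if head else ""
    parts = request_line.split()
    if len(parts) < 2:
        return {"verdict": "malformed", "request_line": request_line, "reasons": []}
    method, target = parts[0].upper(), parts[1]
    reasons = []
    dest = request_target(method, target)
    if dest and dest[1] in SMTP_PORTS:
        reasons.append("%s aimed at %s:%d (SMTP port)" % (method, dest[0], dest[1]))
    smtp_lines = len(SMTP_VERBS.findall(body))
    if smtp_lines >= 2:                  # two commands, not just a stray 'DATA' line
        reasons.append("body carries %d SMTP commands" % smtp_lines)
    if reasons:
        verdict = "relay-abuse"
    elif dest:
        verdict = "proxy-probe"          # CONNECT or absolute URI to some other port
    else:
        verdict = "ordinary"
    return {"verdict": verdict, "request_line": request_line, "reasons": reasons}


def scan_access_log(lines):
    """Return (client_ip, request_line, relayed) for log entries whose target is
    an SMTP port. 'relayed' is True when the server answered 2xx: an origin
    server that does not proxy should have refused such a request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = m.group("req").split()
        if len(parts) < 2:
            continue
        dest = request_target(parts[0].upper(), parts[1])
        if dest and dest[1] in SMTP_PORTS:
            relayed = 200 <= int(m.group("status")) < 300
            hits.append((m.group("ip"), m.group("req"), relayed))
    return hits


# Constructed inputs modelled on the thread (not the real captures).
SAMPLE_POST = (
    b"POST http://192.0.2.10:25/ HTTP/1.1\r\n"
    b"Content-type: application/octet-stream\r\n"
    b"Host: 192.0.2.10\r\n"
    b"\r\n"
    b"HELO ps.com\r\n"
    b"MAIL FROM:<sender@example.net>\r\n"
    b"RCPT TO: <victim@example.org>\r\n"
    b"DATA\r\n"
    b"Subject: test\r\n\r\nbody\r\n.\r\nQUIT\r\n")
SAMPLE_CONNECT = b"CONNECT smtp.example.net:25 HTTP/1.0\r\n\r\n"
SAMPLE_GET = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SAMPLE_LOG = [
    '198.51.100.5 - - [24/Nov/2003:13:41:02 -0500] "CONNECT smtp.example.net:25 HTTP/1.0" 200 203 "-" "-"',
    '198.51.100.6 - - [24/Nov/2003:13:41:10 -0500] "POST http://192.0.2.10:25/ HTTP/1.1" 404 0 "-" "-"',
    '198.51.100.7 - - [24/Nov/2003:13:42:00 -0500] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for raw in (SAMPLE_POST, SAMPLE_CONNECT, SAMPLE_GET):
        print(classify_request(raw))
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

The two-command threshold on the body keeps an ordinary upload that happens to contain a line reading "DATA" from being flagged, while a real relay attempt always carries at least HELO plus MAIL FROM. In the log scan, the 200 on the CONNECT line is the part worth alerting on: the probe itself is just noise, but a 2xx means the server actually accepted the tunnel.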

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html