Security Incidents mailing list archives
SMTP bombing
From: palo () EBI EE (Kaupo Palo)
Date: Tue, 18 Jan 2000 18:17:53 +0200
Hi, I am curious about what is going on. For about 5 days my PC running SMTP is receiving SYN packets from an evidently spoofed IP. They come in about one-minute series of four packets at ten-minute to half-a-day intervals (no flooding). No connection is established. Making my Linux ipchains catch the stuff, I get e.g.:

Jan 18 11:39:06 gemma kernel: Packet log: input DENY eth0 PROTO=6 210.61.58.13:2729 193.40.123.71:25 L=68 S=0x00 I=31746 F=0x4000 T=37 SYN (#1)

(Introduction of the DENY rules didn't stop the bombing, so the reply packets seem to be of no interest to the originator.)

When I tcpdumped two 10-minute-separated series I got the following, showing that the packet contents are altered each time.

tcpfilter v0.1

11:39:06.165447 210.61.58.13.2729 > gemma.ebi.ee.smtp: tcp 0 (DF)
4500 0044 7c02 4000 2506 90f7 d23d 3a0d | E··D··@·%··÷Ò=:· |
c128 7b47 0aa9 0019 09e7 09f7 0000 0000 | Á(·G·©···ç·÷···· |
c002 4000 fbcf 0000 0204 05b4 0103 0300 | À·@·ûÏ·····´···· |
0101 080a 0002 e147 0000 0000 0101 0c06 | ······áG········ |
0000 9984 | ···· |

11:39:08.670021 210.61.58.13.2729 > gemma.ebi.ee.smtp: tcp 0 (DF)
4500 0044 7c10 4000 2506 90e9 d23d 3a0d | E··D··@·%··éÒ=:· |
c128 7b47 0aa9 0019 09e7 09f7 0000 0000 | Á(·G·©···ç·÷···· |
c002 4000 fbca 0000 0204 05b4 0103 0300 | À·@·ûÊ·····´···· |
0101 080a 0002 e14c 0000 0000 0101 0c06 | ······áL········ |
0000 9984 | ···· |

11:39:26.660819 210.61.58.13.2729 > gemma.ebi.ee.smtp: tcp 0 (DF)
4500 0044 7c82 4000 2506 9077 d23d 3a0d | E··D··@·%··wÒ=:· |
c128 7b47 0aa9 0019 09e7 09f7 0000 0000 | Á(·G·©···ç·÷···· |
c002 4000 fba6 0000 0204 05b4 0103 0300 | À·@·û¦·····´···· |
0101 080a 0002 e170 0000 0000 0101 0c06 | ······áp········ |
0000 9984 | ···· |

11:39:50.654910 210.61.58.13.2729 > gemma.ebi.ee.smtp: tcp 0 (DF)
4500 0044 7cfb 4000 2506 8ffe d23d 3a0d | E··D·û@·%··þÒ=:· |
c128 7b47 0aa9 0019 09e7 09f7 0000 0000 | Á(·G·©···ç·÷···· |
c002 4000 fb76 0000 0204 05b4 0103 0300 | À·@·ûv·····´···· |
0101 080a 0002 e1a0 0000 0000 0101 0c06 | ······á ········ |
0000 9984 | ···· |

11:48:55.202926 210.61.58.13.3166 > gemma.ebi.ee.smtp: tcp 0 (DF)
4500 0044 88fe 4000 2506 83fb d23d 3a0d | E··D·þ@·%··ûÒ=:· |
c128 7b47 0c5e 0019 1330 e68e 0000 0000 | Á(·G·^···0æ····· |
c002 4000 0de4 0000 0204 05b4 0103 0300 | À·@··ä·····´···· |
0101 080a 0002 e5e2 0000 0000 0101 0c06 | ······åâ········ |
0000 9b3f | ···? |

11:48:58.265849 210.61.58.13.3166 > gemma.ebi.ee.smtp: tcp 0 (DF)
4500 0044 8912 4000 2506 83e7 d23d 3a0d | E··D··@·%··çÒ=:· |
c128 7b47 0c5e 0019 1330 e68e 0000 0000 | Á(·G·^···0æ····· |
c002 4000 0ddf 0000 0204 05b4 0103 0300 | À·@··ß·····´···· |
0101 080a 0002 e5e7 0000 0000 0101 0c06 | ······åç········ |
0000 9b3f | ···? |

11:49:04.156118 210.61.58.13.3166 > gemma.ebi.ee.smtp: tcp 0 (DF)
4500 0044 892c 4000 2506 83cd d23d 3a0d | E··D·,@·%··ÍÒ=:· |
c128 7b47 0c5e 0019 1330 e68e 0000 0000 | Á(·G·^···0æ····· |
c002 4000 0dd3 0000 0204 05b4 0103 0300 | À·@··Ó·····´···· |
0101 080a 0002 e5f3 0000 0000 0101 0c06 | ······åó········ |
0000 9b3f | ···? |

11:49:16.257655 210.61.58.13.3166 > gemma.ebi.ee.smtp: tcp 0 (DF)
4500 0044 897f 4000 2506 837a d23d 3a0d | E··D··@·%···Ò=:· |
c128 7b47 0c5e 0019 1330 e68e 0000 0000 | Á(·G·^···0æ····· |
c002 4000 0dbb 0000 0204 05b4 0103 0300 | À·@··»·····´···· |
0101 080a 0002 e60b 0000 0000 0101 0c06 | ······æ········· |
0000 9b3f | ···? |

11:49:40.163501 210.61.58.13.3166 > gemma.ebi.ee.smtp: tcp 0 (DF)
4500 0044 8a11 4000 2506 82e8 d23d 3a0d | E··D··@·%··èÒ=:· |
c128 7b47 0c5e 0019 1330 e68e 0000 0000 | Á(·G·^···0æ····· |
c002 4000 0d8b 0000 0204 05b4 0103 0300 | À·@········´···· |
0101 080a 0002 e63b 0000 0000 0101 0c06 | ······æ;········ |
0000 9b3f | ···? |

Any idea about what is going on?

Kaupo
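As an added illustration, not part of the original post or thread: a small Python decoder for the tcpdump hex above. It parses the IPv4 and TCP headers and options of the 11:39:06 and 11:39:08 packets and reports which fields differ between them, which is the quickest way to see what a sender is varying between otherwise identical SYNs.

```python
import struct
# Two hex dumps copied from the post: the 11:39:06 and 11:39:08 packets.
PKT_A = """4500 0044 7c02 4000 2506 90f7 d23d 3a0d
c128 7b47 0aa9 0019 09e7 09f7 0000 0000
c002 4000 fbcf 0000 0204 05b4 0103 0300
0101 080a 0002 e147 0000 0000 0101 0c06
0000 9984"""
PKT_B = """4500 0044 7c10 4000 2506 90e9 d23d 3a0d
c128 7b47 0aa9 0019 09e7 09f7 0000 0000
c002 4000 fbca 0000 0204 05b4 0103 0300
0101 080a 0002 e14c 0000 0000 0101 0c06
0000 9984"""
# TCP option kinds seen in these SYNs (kind 12 is CC.NEW from RFC 1644 T/TCP).
OPTION_NAMES = {2: "mss", 3: "wscale", 4: "sack_ok", 12: "cc_new"}

def parse_packet(dump):
    """Decode the IPv4 and TCP headers (incl. options) of one hex dump."""
    raw = bytes.fromhex("".join(dump.split()))
    vihl, _tos, tlen, ipid, frag, ttl, proto, ipcsum = struct.unpack("!BBHHHBBH", raw[:12])
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    tcp = raw[(vihl & 0x0F) * 4:]            # skip IHL*4 bytes of IP header
    sport, dport, seq, ack, off_flags, win, tcpcsum, _urg = struct.unpack("!HHIIHHHH", tcp[:20])
    doff, flags = (off_flags >> 12) * 4, off_flags & 0x1FF
    opts, i = {}, 20
    while i < doff:                          # walk the option list
        kind = tcp[i]
        if kind == 0:                        # end of options
            break
        if kind == 1:                        # NOP padding
            i += 1
            continue
        length = tcp[i + 1]
        if kind == 8:                        # timestamp: TSval, TSecr
            opts["ts_val"], opts["ts_ecr"] = struct.unpack("!II", tcp[i + 2:i + 10])
        else:
            opts[OPTION_NAMES.get(kind, f"opt{kind}")] = int.from_bytes(tcp[i + 2:i + length], "big")
        i += length
    return {"len": tlen, "ip_id": ipid, "df": bool(frag & 0x4000), "ttl": ttl, "proto": proto,
            "ip_csum": ipcsum, "src": src, "dst": dst, "sport": sport, "dport": dport,
            "seq": seq, "ack": ack, "syn": bool(flags & 0x02), "ack_set": bool(flags & 0x10),
            "win": win, "tcp_csum": tcpcsum, **opts}

def changed_fields(a, b):
    """Names of header fields that differ between two parsed packets."""
    return sorted(k for k in a if a[k] != b.get(k))

if __name__ == "__main__":
    print("changes within the series:", changed_fields(parse_packet(PKT_A), parse_packet(PKT_B)))
```

The decoded IP ID of the first packet (31746) is the same value the ipchains log line reports as I=31746, and only the IP ID, the TCP timestamp value and the two checksums move between the two packets; source port, sequence number and the CC.NEW value stay fixed within a series.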