Security Incidents mailing list archives

SMTP bombing

From: palo () EBI EE (Kaupo Palo)
Date: Tue, 18 Jan 2000 18:17:53 +0200


Hi,

I am curious about what is going on.  For about 5 days my PC running
SMTP is receiving SYN packets from an evidently spoofed IP.  They come
in about one minute series of four packets in ten minute to half
a day intervals (no flooding). No connection is established.  Making
my linux ipchains catch the stuff I get e.g.:

Jan 18 11:39:06 gemma kernel: Packet log: input DENY eth0 PROTO=6
210.61.58.13:2729 193.40.123.71:25 L=68 S=0x00 I=31746 F=0x4000 T=37
SYN (#1)

(introduction of the DENY rules didn't stop bombing - so the reply
packets seem to be of no interest to the originator)

When I tcpdumped two 10 minute separated series I got the following,
showing that the packet contents is altered each time.

tcpfilter v0.1

11:39:06.165447 210.61.58.13.2729 > gemma.ebi.ee.smtp: tcp 0 (DF)
      4500 0044 7c02 4000 2506 90f7 d23d 3a0d  | E··D··@·%··÷Ò=:· |
      c128 7b47 0aa9 0019 09e7 09f7 0000 0000  | Á(·G·©···ç·÷···· |
      c002 4000 fbcf 0000 0204 05b4 0103 0300  | À·@·ûÏ·····´···· |
      0101 080a 0002 e147 0000 0000 0101 0c06  | ······áG········ |
      0000 9984                                | ····             |
11:39:08.670021 210.61.58.13.2729 > gemma.ebi.ee.smtp: tcp 0 (DF)
      4500 0044 7c10 4000 2506 90e9 d23d 3a0d  | E··D··@·%··éÒ=:· |
      c128 7b47 0aa9 0019 09e7 09f7 0000 0000  | Á(·G·©···ç·÷···· |
      c002 4000 fbca 0000 0204 05b4 0103 0300  | À·@·ûÊ·····´···· |
      0101 080a 0002 e14c 0000 0000 0101 0c06  | ······áL········ |
      0000 9984                                | ····             |
11:39:26.660819 210.61.58.13.2729 > gemma.ebi.ee.smtp: tcp 0 (DF)
      4500 0044 7c82 4000 2506 9077 d23d 3a0d  | E··D··@·%··wÒ=:· |
      c128 7b47 0aa9 0019 09e7 09f7 0000 0000  | Á(·G·©···ç·÷···· |
      c002 4000 fba6 0000 0204 05b4 0103 0300  | À·@·û¦·····´···· |
      0101 080a 0002 e170 0000 0000 0101 0c06  | ······áp········ |
      0000 9984                                | ····             |
11:39:50.654910 210.61.58.13.2729 > gemma.ebi.ee.smtp: tcp 0 (DF)
      4500 0044 7cfb 4000 2506 8ffe d23d 3a0d  | E··D·û@·%··þÒ=:· |
      c128 7b47 0aa9 0019 09e7 09f7 0000 0000  | Á(·G·©···ç·÷···· |
      c002 4000 fb76 0000 0204 05b4 0103 0300  | À·@·ûv·····´···· |
      0101 080a 0002 e1a0 0000 0000 0101 0c06  | ······á ········ |
      0000 9984                                | ····             |
11:48:55.202926 210.61.58.13.3166 > gemma.ebi.ee.smtp: tcp 0 (DF)
      4500 0044 88fe 4000 2506 83fb d23d 3a0d  | E··D·þ@·%··ûÒ=:· |
      c128 7b47 0c5e 0019 1330 e68e 0000 0000  | Á(·G·^···0æ····· |
      c002 4000 0de4 0000 0204 05b4 0103 0300  | À·@··ä·····´···· |
      0101 080a 0002 e5e2 0000 0000 0101 0c06  | ······åâ········ |
      0000 9b3f                                | ···?             |
11:48:58.265849 210.61.58.13.3166 > gemma.ebi.ee.smtp: tcp 0 (DF)
      4500 0044 8912 4000 2506 83e7 d23d 3a0d  | E··D··@·%··çÒ=:· |
      c128 7b47 0c5e 0019 1330 e68e 0000 0000  | Á(·G·^···0æ····· |
      c002 4000 0ddf 0000 0204 05b4 0103 0300  | À·@··ß·····´···· |
      0101 080a 0002 e5e7 0000 0000 0101 0c06  | ······åç········ |
      0000 9b3f                                | ···?             |
11:49:04.156118 210.61.58.13.3166 > gemma.ebi.ee.smtp: tcp 0 (DF)
      4500 0044 892c 4000 2506 83cd d23d 3a0d  | E··D·,@·%··ÍÒ=:· |
      c128 7b47 0c5e 0019 1330 e68e 0000 0000  | Á(·G·^···0æ····· |
      c002 4000 0dd3 0000 0204 05b4 0103 0300  | À·@··Ó·····´···· |
      0101 080a 0002 e5f3 0000 0000 0101 0c06  | ······åó········ |
      0000 9b3f                                | ···?             |
11:49:16.257655 210.61.58.13.3166 > gemma.ebi.ee.smtp: tcp 0 (DF)
      4500 0044 897f 4000 2506 837a d23d 3a0d  | E··D··@·%···Ò=:· |
      c128 7b47 0c5e 0019 1330 e68e 0000 0000  | Á(·G·^···0æ····· |
      c002 4000 0dbb 0000 0204 05b4 0103 0300  | À·@··»·····´···· |
      0101 080a 0002 e60b 0000 0000 0101 0c06  | ······æ········· |
      0000 9b3f                                | ···?             |
11:49:40.163501 210.61.58.13.3166 > gemma.ebi.ee.smtp: tcp 0 (DF)
      4500 0044 8a11 4000 2506 82e8 d23d 3a0d  | E··D··@·%··èÒ=:· |
      c128 7b47 0c5e 0019 1330 e68e 0000 0000  | Á(·G·^···0æ····· |
      c002 4000 0d8b 0000 0204 05b4 0103 0300  | À·@········´···· |
      0101 080a 0002 e63b 0000 0000 0101 0c06  | ······æ;········ |
      0000 9b3f                                | ···?             |

Any idea about what is going on?

Kaupo

Current thread:

Re: Strange behaviour, (continued)
- - - Re: Strange behaviour Richard Bejtlich (Jan 15)
    - UDP probing [ trojan? ] mabrown () SECUREPIPE COM (Jan 17)
    - Re: UDP probing [ trojan? ] Jose Nazario (Jan 18)
    - Probe from UK Provider ? Duarte Cordeiro (Jan 18)
    - Re: Probe from UK Provider ? Pauline van Winsen (Jan 19)
    - Re: Probe from UK Provider ? Arrigo Triulzi (Jan 20)
    - Re: Probe from UK Provider ? Gene Harris (Jan 20)
    - Re: Probe from UK Provider ? Jason Witty (Jan 20)
    - Solaris BSM Audit Logs Wozz (Jan 17)
    - Re: Strange behaviour John Turner (Jan 17)
    - SMTP bombing Kaupo Palo (Jan 18)
    - Log tools? Chad Day (Jan 17)
    - Re: Log tools? James Phillips (Jan 17)
    - Re: Log tools? Gene Harris (Jan 18)
    - Re: Log tools? Richard Trott (Jan 17)
    - Re: Log tools? Pauline van Winsen (Jan 18)
    - AMD/Port 100099 and portmap Daniel K. Boyd (Jan 18)
    - Re: AMD/Port 100099 and portmap CyberPsychotic (Jan 18)
    - Large quantity of traffic from amazon.com - source_port 3000 Peter Bates (Jan 13)
    - Re: Port 4 Lutz Pressler (Jan 12)
    - Re: Port 4 Vanja Hrustic (Jan 13)

(Thread continues...)