Security Incidents mailing list archives
RE: SMTP server (How can I find out the real source of an attack)
From: "Mike Batchelor" <mikebat () tmcs net>
Date: Fri, 13 Jul 2001 10:45:44 -0700
What's in the mail queue on your SMTP server?
-----Original Message-----
From: MrG [mailto:p2mask2_xti () yahoo com]
Sent: Thursday, July 12, 2001 3:54 PM
To: incidents () securityfocus com
Subject: SMTP server (How can I find out the real source of an attack)

1. I have an SMTP server (behind my FW) which is constantly (>7 times per second) trying to establish a TCP port 25 session to a host on the Internet which is not an SMTP server (Host_A).
2. Host_A's administrator let me know about this behavior.
3. Host_A's administrator implemented a filter to reject packets from my SMTP server.
4. I verified this type of activity on my FW.
5. With a sniffer between my FW's internal card and my SMTP server I verified that there is constantly (at least 7 times per second) traffic between my SMTP server and Host_A. Always 9 frames, same size, same number of bytes (the setup of the connection + the reject from Host_A + the quit command from my SMTP server).
6. I disconnected my SMTP server from the network.

I know that my SMTP server has been compromised, but how can I find out exactly the root of the problem? I really would like to know how I have been attacked. Can someone give me a hint on how to start looking at it? I already looked at several sites trying to find this, but so far I haven't had any luck. All feedback is appreciated. Thanks in advance.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
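The symptom in the quoted post, a steady stream of short TCP port 25 connection attempts from one internal host to one outside host, can be picked out of firewall or sniffer logs before the remote administrator has to complain. The script below is an added example, not code from the thread or from SecurityFocus; the log line format, the addresses and the timestamps are constructed for it.

```python
"""Flag outbound TCP/25 connection storms from firewall log lines."""
import re
from collections import defaultdict

# Constructed sample log, one line per outbound SYN:
# "<epoch seconds> <src> -> <dst>:<dport> SYN"  (format assumed for this example;
# adapt LINE_RE to your firewall's export). 10.0.0.25 plays the compromised
# SMTP server, 203.0.113.7 plays Host_A: 8 SYNs inside one second.
SAMPLE_LOG = "\n".join(
    [f"994960000.{i * 125:03d} 10.0.0.25 -> 203.0.113.7:25 SYN" for i in range(8)]
    + ["994960000.500 10.0.0.25 -> 198.51.100.3:25 SYN",   # one normal delivery
       "994960000.700 10.0.0.10 -> 203.0.113.7:80 SYN"]    # not port 25, ignored
)

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<dport>\d+) SYN$"
)


def syn_storms(log_text, window=1.0, threshold=7, port=25):
    """Return {(src, dst): peak SYNs per `window` seconds} for every
    source/destination pair whose peak exceeds `threshold` (the post's
    ">7 per second" to a single host)."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m["dport"]) != port:
            continue
        times[(m["src"], m["dst"])].append(float(m["ts"]))

    storms = {}
    for pair, ts in times.items():
        ts.sort()
        peak, start = 0, 0
        for end in range(len(ts)):           # sliding window over sorted timestamps
            while ts[end] - ts[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            storms[pair] = peak
    return storms


if __name__ == "__main__":
    for (src, dst), peak in syn_storms(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {peak} SYNs/s to port 25, check this host's mail queue")
```

A pair flagged this way is exactly where Mike's question applies: the next step is to look at what the flagged server holds in its mail queue for that destination.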