Security Incidents mailing list archives

Re: SMTP server (How can I find out the real source of an attack)


From: "Mike Lewinski" <mike () rockynet com>
Date: Fri, 13 Jul 2001 22:55:03 -0600

You might also want to sniff packets with tcpdump and see if anyone
else is receiving the same treatment as Host_A.

Or maybe run a packet sniffer and look at what is in the packets.

If the initial TCP handshake never completes, you won't get far looking
at the packets. But there's another way.

If you've a spare computer and can afford to take down that primary
server for a little while, run this test:

1) Renumber the offending server (A) within the network it's trying to
contact. Make it one IP higher or lower and then set its gateway
address to be the one it's trying to contact. The subnet mask can be a
class C 255.255.255.0.

2) Set up another temporary SMTP server (B) and assign it the gateway
address from #1 above. You can make its gateway address the address
from Server A (on the same ethernet segment you really don't need the
gateways assigned).

3) Hook up servers A & B via crossover cable or alone on a hub and
verify they can ping each other.

4) Look at the logs on server B. If Server A tries to send e-mail, you
should be able to tell what domain is on the receiving end. Then define
that user/domain as local to server B and let it go-- if it's really
trying to send e-mail you'll have a copy for review.

I used this technique when investigating the QAZ virus. It didn't quite
work, I'm not sure if it's because the virus was coded to expect some
response line my temporary MTA wasn't giving, or if the virus wasn't
actually meant to send a complete e-mail anywhere (i.e. the creators
were just scanning the SMTP connection logs for their victims-- why
waste the bandwidth and cycles when all that's needed is an IP address).

Mike
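Server B from step 2 together with the log review in step 4, as an added example that is not Mike's code: a small logging SMTP sink in Python (constructed here; the hostname sink.example, port 2525 and all addresses are placeholders). It answers each command with a standard reply code, so a client that waits for a particular response line gets one, accepts every RCPT as local, and prints the sender, the receiving domains and a copy of the message once the connection ends.

```python
"""Logging SMTP sink for step 4 (constructed example): answers like a real MTA,
treats every recipient as local, and keeps a copy of what the suspect host sends."""
import socketserver
def extract_addr(arg):
    """Address out of 'FROM:<a@b>' / 'TO:<a@b>'; brackets optional, '<>' gives ''."""
    rest = arg.partition(":")[2].strip()
    if rest.startswith("<") and ">" in rest:
        return rest[1:rest.index(">")]
    return rest.split()[0] if rest else ""
class SmtpSession:  # one connection's SMTP state machine; collects (sender, rcpts, body)
    def __init__(self, peer):
        self.peer, self.captured = peer, []
        self.mail_from, self.rcpts, self.body, self.in_data = None, [], [], False
    def handle_line(self, line):
        """Consume one line (CRLF stripped); return the reply, or None inside DATA."""
        if self.in_data:
            if line != ".":
                self.body.append(line[1:] if line.startswith("..") else line)  # dot-unstuff
                return None
            self.in_data = False  # end of message: file it away for review
            self.captured.append((self.mail_from, self.rcpts, "\n".join(self.body)))
            self.mail_from, self.rcpts, self.body = None, [], []
            return "250 2.0.0 message accepted for review"
        verb, arg = line[:4].upper(), line[4:].strip()  # SMTP verbs are four letters
        if verb == "MAIL":
            self.mail_from = extract_addr(arg)
            return "250 2.1.0 sender ok"
        if verb == "RCPT":  # every domain is "local" here, so nothing is refused
            self.rcpts.append(extract_addr(arg))
            return "250 2.1.5 recipient ok"
        if verb == "DATA":
            self.in_data = True
            return "354 end data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 2.0.0 bye"
        return "250 sink.example ok"  # HELO/EHLO, NOOP, RSET, anything else: stay permissive

class SinkHandler(socketserver.StreamRequestHandler):
    def handle(self):
        s = SmtpSession(self.client_address[0])
        self.wfile.write(b"220 sink.example ESMTP ready\r\n")
        for raw in self.rfile:  # one request line at a time until the client hangs up
            reply = s.handle_line(raw.decode("latin-1").rstrip("\r\n"))
            if reply:
                self.wfile.write((reply + "\r\n").encode())
        for sender, rcpts, body in s.captured:  # log the receiving domains, plus the copy
            print(f"{s.peer}: {sender} -> {sorted(r.rpartition('@')[2] for r in rcpts)}\n{body}\n")

if __name__ == "__main__":  # port 25 needs root; 2525 is a placeholder
    socketserver.ThreadingTCPServer(("0.0.0.0", 2525), SinkHandler).serve_forever()
```

Point the renumbered Server A at the host running this (or redirect its port 25 traffic there) and the receiving domains appear on stdout as soon as it hangs up.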

----------------------------------------------------------------------------

This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see:

http://aris.securityfocus.com