Security Incidents mailing list archives

Re: Tracking proxies on port 1180/1182


From: Michael Scheidell <scheidell () secnap net>
Date: Mon, 21 Apr 2003 15:56:46 -0400 (EDT)

There was some discussion on Incidents last month about hidden Wingate 
proxy servers being installed on systems without the owner's knowledge,
listening on non-standard ports. I have since done some research on these 
and have discovered they are being installed by the Sobig.a (BigBoss) virus. 
This is something the AV companies missed in every analysis I have read. This
is unfortunate because these proxies are being used in a big way by spammers.
I have written an analysis of the method of infection from beginning to end:
 
http://www.lurhq.com/sobig.html

Found mention of one in my spam log. Wonder if 66.190.154.95 is the spammer's
IP address... Also, interesting to see what happens when that Comcast
customer's proxy is used to try to tell Comcast they have a problem there:

3F1D43810F: reject: RCPT from
bgp552493bgs.ewndsr01.nj.comcast.net[68.38.184.185]: 554 Service
unavailable; Client host [68.38.184.185] blocked using
socks.relays.osirusoft.com; (2003/04/10) Open proxy: telnet(1181);
from=<Lisa2923f () mci com> to=<spamtrap () secnap net> proto=SMTP
helo=<66.190.154.95>

Use it to talk to Comcast's SMTP server, just for fun.
 host -t mx comcast.net
comcast.net mail is handled by 0 mx00.comcast.net.
telnet 68.38.184.185 1181
MNGTR>mx00.comcast.net 25

mx00.comcast.net 25
Connecting to host mx00.comcast.net...Connected
571 Blocked for abuse 4/6/2003 Please send blacklist removal requests to
blacklist_comcastnet () cable comcast com - Be sure to include your mail
server IP address
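As an added example (not part of the post or of the LURHQ analysis), a small Python triage script that parses Postfix reject lines like the one above, pulls out the DNSBL zone and the open-proxy port the listing's TXT record reports, and flags a HELO that is a bare IP literal differing from the connecting client, which is the oddity the post points at. The sample log lines are constructed: the first is the post's line re-joined, the second a control line.

```python
import re
from typing import Optional

# Constructed sample: the Postfix reject line quoted in the post, re-joined onto one line
# (the archive wrapped it and obfuscated addresses), plus a constructed control line.
SAMPLE_LOG = [
    "3F1D43810F: reject: RCPT from bgp552493bgs.ewndsr01.nj.comcast.net[68.38.184.185]: "
    "554 Service unavailable; Client host [68.38.184.185] blocked using "
    "socks.relays.osirusoft.com; (2003/04/10) Open proxy: telnet(1181); "
    "from=<Lisa2923f () mci com> to=<spamtrap () secnap net> proto=SMTP helo=<66.190.154.95>",
    "1A2B3C4D5E: reject: RCPT from unknown[192.0.2.10]: 554 Service unavailable; "
    "Relay access denied; from=<a () example com> to=<b () example net> proto=ESMTP helo=<mail.example.com>",
]

REJECT_RE = re.compile(
    r"^(?P<queue>\w+): reject: RCPT from (?P<rdns>\S+?)\[(?P<ip>[\d.]+)\]: "
    r"(?P<code>\d{3}) (?P<reason>.*); from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> "
    r"proto=\S+ helo=<(?P<helo>[^>]*)>$"
)
DNSBL_RE = re.compile(r"blocked using (?P<zone>[^;]+); (?P<txt>.*)")  # zone + its TXT record
PROXY_PORT_RE = re.compile(r"\w+\((?P<port>\d+)\)")                   # e.g. telnet(1181)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_reject(line: str) -> Optional[dict]:
    # Parse one Postfix "reject: RCPT" line into fields plus triage flags.
    m = REJECT_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec.update(dnsbl_zone=None, proxy_port=None, flags=[])
    d = DNSBL_RE.search(rec["reason"])
    if d:
        rec["dnsbl_zone"] = d["zone"]
        rec["flags"].append("dnsbl_listed")
        p = PROXY_PORT_RE.search(d["txt"])
        if p:  # the listing's TXT record names the open-proxy service and port
            rec["proxy_port"] = int(p["port"])
            rec["flags"].append("open_proxy_listed")
    # A bare IPv4 literal in HELO that differs from the connecting client is the
    # oddity in the post: the HELO may name the real origin behind the proxy.
    if IPV4_RE.match(rec["helo"]) and rec["helo"] != rec["ip"]:
        rec["flags"].append("helo_ip_mismatch")
    return rec

def suspected_proxy_relays(lines):
    # Keep records whose DNSBL listing or HELO pattern points at an abused open proxy.
    return [r for r in map(parse_reject, lines)
            if r and {"open_proxy_listed", "helo_ip_mismatch"} & set(r["flags"])]
```

Running `suspected_proxy_relays(SAMPLE_LOG)` returns only the Comcast record, with the proxy port 1181 and the mismatched HELO available for a follow-up abuse report.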
