Security Incidents mailing list archives

Re: Odd identd behavior

From: <Steve.Cummings () barclayscapital com>
Date: Mon, 14 Nov 2005 18:30:51 -0000

My bet is that it is some sort of warez /irc server for illegal downloads

Would take an image of it and start poking around on the image to investigate, is it possible to take the server down?

-----Original Message-----
From: k levinson <levinson_k () yahoo com>
To: incidents () securityfocus com <incidents () securityfocus com>
CC: kyphros () gmail com <kyphros () gmail com>
Sent: Mon Nov 14 17:06:29 2005
Subject: Re: Odd identd behavior

220 and 530 messages can be SMTP, or they can be FTP
or something else.  The 220 plus the "crew" banner
would make me want to run a sniffer and/or point an
FTP client at that port to determine whether that's an
FTP banner, associated with FTP tagging / pubstro
activity.  The presence of lots of illegal warez files
such as DVD, games, etc. or much lower free disk space
than normal might also be a clue.

Because of the running process on the system on a
non-standard port, it seems fairly certain that a root
level compromise has occurred.  However, often you
will find FTP pubstro compromises where the
"attackers" have no knowledge or interest in what your
server is or the data on it.  A typical pubstro attack
will be a broad scan and compromise of lots of systems
with financial gain as the motive, with little time
and interest in reconnaisance or discovery of data. 
The ident port has been used in some past documented
pubstros, possibly because the firewall was configured
to allow use of that port in and out.

http://listserv.educause.edu/cgi-bin/wa.exe?A2=ind0411&L=security&T=0&F=&S=&P=2356

- karl levinson

__________________________________ 
Yahoo! FareChase: Search multiple travel sites in one click.
http://farechase.yahoo.com

------------------------------------------------------------------------
For more information about Barclays Capital, please
visit our web site at http://www.barcap.com.

Internet communications are not secure and therefore the Barclays 
Group does not accept legal responsibility for the contents of this 
message.  Although the Barclays Group operates anti-virus programmes, 
it does not accept responsibility for any damage whatsoever that is 
caused by viruses being passed.  Any views or opinions presented are 
solely those of the author and do not necessarily represent those of the 
Barclays Group.  Replies to this email may be monitored by the Barclays 
Group for operational or business reasons.

------------------------------------------------------------------------

Current thread:

Odd identd behavior Mike Owen (Nov 14)
- Re: Odd identd behavior Christopher E. Cramer (Nov 14)
  - Re: Odd identd behavior kgp (Nov 14)
  - Re: Odd identd behavior Mike Owen (Nov 14)
- <Possible follow-ups>
- Re: Odd identd behavior k levinson (Nov 14)
- Re: Odd identd behavior Steve.Cummings (Nov 14)
- RE: Odd identd behavior Levenglick, Jeff (Nov 14)
  - Re: Odd identd behavior Brian Smith-Sweeney (Nov 14)
- RE: Odd identd behavior k levinson (Nov 14)
- RE: Odd identd behavior Andrew Simmons (Nov 14)
- RE: Odd identd behavior Levenglick, Jeff (Nov 15)
  - Re: Odd identd behavior Mike Owen (Nov 15)
    - Re: Odd identd behavior kgp (Nov 15)
    - Re: Odd identd behavior Ansgar -59cobalt- Wiechers (Nov 16)
    - Re: Odd identd behavior Barrie Dempster (Nov 16)
  - Re: Odd identd behavior Ansgar -59cobalt- Wiechers (Nov 16)

(Thread continues...)