Security Incidents mailing list archives
Re: Odd identd behavior
From: <Steve.Cummings () barclayscapital com>
Date: Mon, 14 Nov 2005 18:30:51 -0000
My bet is that it is some sort of warez/IRC server for illegal downloads. Would take an image of it and start poking around on the image to investigate. Is it possible to take the server down?

-----Original Message-----
From: k levinson <levinson_k () yahoo com>
To: incidents () securityfocus com <incidents () securityfocus com>
CC: kyphros () gmail com <kyphros () gmail com>
Sent: Mon Nov 14 17:06:29 2005
Subject: Re: Odd identd behavior

220 and 530 messages can be SMTP, or they can be FTP or something else. The 220 plus the "crew" banner would make me want to run a sniffer and/or point an FTP client at that port to determine whether that's an FTP banner, associated with FTP tagging / pubstro activity. The presence of lots of illegal warez files such as DVD, games, etc. or much lower free disk space than normal might also be a clue.

Because of the running process on the system on a non-standard port, it seems fairly certain that a root level compromise has occurred. However, often you will find FTP pubstro compromises where the "attackers" have no knowledge or interest in what your server is or the data on it. A typical pubstro attack will be a broad scan and compromise of lots of systems with financial gain as the motive, with little time and interest in reconnaissance or discovery of data.

The ident port has been used in some past documented pubstros, possibly because the firewall was configured to allow use of that port in and out.

http://listserv.educause.edu/cgi-bin/wa.exe?A2=ind0411&L=security&T=0&F=&S=&P=2356

- karl levinson
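The quoted message suggests pointing a client at the suspect port to tell whether the 220 greeting is FTP or SMTP. The script below is an added example, not code from either poster: it automates that check by grabbing the banner and sending two harmless probes (USER and EHLO) whose reply codes differ between the two protocols. The host and port are taken from the command line; the sample exchanges in FTP_SAMPLE and SMTP_SAMPLE are constructed for illustration and are not captures from the thread's server.

```python
"""Banner-grab an unknown 220-greeting listener and decide FTP vs SMTP.

Added example; hostnames, ports and sample replies are constructed.
"""
import re
import socket
import sys

# A reply line starts with a 3-digit code followed by a space (last line of
# a reply) or a hyphen (continuation line of a multi-line reply).
REPLY_CODE = re.compile(rb"^(\d{3})[ -]")


def reply_code(reply):
    """Return the numeric code opening an FTP/SMTP reply, or None if absent."""
    m = REPLY_CODE.match(reply)
    return int(m.group(1)) if m else None


def classify(banner, user_reply, ehlo_reply):
    """Decide which protocol a 220-greeting listener speaks.

    Both FTP (RFC 959) and SMTP (RFC 5321) open with "220 ...", so the banner
    alone is ambiguous. Two probes separate them:
      USER anonymous -> FTP answers 331/230 (or 530 if logins are refused);
                        SMTP has no USER verb and answers 500/502.
      EHLO           -> SMTP answers 250 (possibly multi-line);
                        FTP has no EHLO verb and answers 500/502 (or 530).
    """
    if reply_code(banner) != 220:
        return "unknown (no 220 greeting)"
    user, ehlo = reply_code(user_reply), reply_code(ehlo_reply)
    if user in (230, 331, 530) and ehlo in (500, 502, 530, None):
        return "ftp"
    if ehlo == 250 and user in (500, 502, 503, None):
        return "smtp"
    return "unknown"


def recv_reply(sock):
    """Read one complete reply, including multi-line replies ("250-..." lines)."""
    data = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            return data
        data += chunk
        # A reply is complete once a finished line reads "NNN text".
        for line in data.split(b"\r\n")[:-1]:
            if re.match(rb"^\d{3} ", line):
                return data


def probe(host, port, timeout=5.0):
    """Connect, collect the greeting and the two probe replies, classify."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = recv_reply(s)
        s.sendall(b"USER anonymous\r\n")
        user_reply = recv_reply(s)
        s.sendall(b"EHLO probe.invalid\r\n")
        ehlo_reply = recv_reply(s)
        s.sendall(b"QUIT\r\n")
    return {"banner": banner, "user": user_reply, "ehlo": ehlo_reply,
            "protocol": classify(banner, user_reply, ehlo_reply)}


# Constructed sample exchanges (banner, USER reply, EHLO reply); not real captures.
FTP_SAMPLE = (b"220 -=[ crew ]=- welcome\r\n",
              b"331 Password required for anonymous\r\n",
              b"500 Unknown command\r\n")
SMTP_SAMPLE = (b"220 mail.example.invalid ESMTP\r\n",
               b"502 5.5.2 Error: command not recognized\r\n",
               b"250-mail.example.invalid\r\n250 PIPELINING\r\n")


if __name__ == "__main__":
    # Usage: python probe.py <host> <port>   (e.g. port 113 for the ident case)
    host, port = sys.argv[1], int(sys.argv[2])
    result = probe(host, port)
    for k, v in result.items():
        print(k, v)
```

The probes are deliberately ones that neither log in nor transfer anything, but they do touch the live listener and will show up in whatever logging the intruder's daemon keeps; run it after the disk image has been taken, as the reply above advises, or replace `probe()` with a sniffer capture of a real client session and feed the three replies to `classify()` directly.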
Current thread:
- Odd identd behavior Mike Owen (Nov 14)
- Re: Odd identd behavior Christopher E. Cramer (Nov 14)
- Re: Odd identd behavior kgp (Nov 14)
- Re: Odd identd behavior Mike Owen (Nov 14)
- <Possible follow-ups>
- Re: Odd identd behavior k levinson (Nov 14)
- Re: Odd identd behavior Steve.Cummings (Nov 14)
- RE: Odd identd behavior Levenglick, Jeff (Nov 14)
- Re: Odd identd behavior Brian Smith-Sweeney (Nov 14)
- RE: Odd identd behavior k levinson (Nov 14)
- RE: Odd identd behavior Andrew Simmons (Nov 14)
- RE: Odd identd behavior Levenglick, Jeff (Nov 15)
- Re: Odd identd behavior Mike Owen (Nov 15)
- Re: Odd identd behavior kgp (Nov 15)
- Re: Odd identd behavior Ansgar -59cobalt- Wiechers (Nov 16)
- Re: Odd identd behavior Barrie Dempster (Nov 16)
- Re: Odd identd behavior Mike Owen (Nov 15)
- Re: Odd identd behavior Ansgar -59cobalt- Wiechers (Nov 16)
- Re: Odd identd behavior Christopher E. Cramer (Nov 14)