Vulnerability Development mailing list archives

actions to jump2.eudora.com


From: Peter Batenburg <petertje () DEEJAYS NL>
Date: Sun, 27 Aug 2000 21:46:48 +0200

Hello,

After the last message, I fiddled with tcpdump and got the following:

[root@host /]% tcpdump -vvv -s 150 -x -X dst host jump2.eudora.com
tcpdump: listening on fxp0
21:26:14.591942 xxxxxxxxxxx.1299 > jump2.eudora.com.http: S 19009316:19009316(0) win 8192 <mss 1460,nop,nop,sackOK> (DF) (ttl 128, id 20808)
0x0000   4500 0030 5148 4000 8006 edbb 0a00 0001        E..0QH@.........
0x0010   d0b8 e10a 0513 0050 0122 0f24 0000 0000        .......P.".$....
0x0020   7002 2000 91b2 0000 0204 05b4 0101 0402        p...............
21:26:14.801079 xxxxxxxxxxxx.1299 > jump2.eudora.com.http: . 19009317:19009317(0) ack 1773137951 win 9520 (DF) (ttl 128, id 21064)
0x0000   4500 0028 5248 4000 8006 ecc3 0a00 0001        E..(RH@.........
0x0010   d0b8 e10a 0513 0050 0122 0f25 69af f01f        .......P.".%i...
0x0020   5010 2530 5f67 0000 0000 0000 0000             P.%0_g........
21:26:14.801591 xxxxxxxxxxxx.1299 > jump2.eudora.com.http: P 0:207(207) ack 1 win 9520 (DF) (ttl 128, id 21320)
0x0000   4500 00f7 5348 4000 8006 eaf4 0a00 0001        E...SH@.........
0x0010   d0b8 e10a 0513 0050 0122 0f25 69af f01f        .......P.".%i...
0x0020   5018 2530 7d37 0000 4745 5420 2f6a 756d        P.%0}7..GET./jum
0x0030   702e 6367 693f 6163 7469 6f6e 3d75 7064        p.cgi?action=upd
0x0040   6174 6526 706c 6174 666f 726d 3d57 696e        ate&platform=Win
0x0050   646f 7773 2532 3039 3825 3230 762e 2532        dows%2098%20v.%2
0x0060   3034 2e31 302e 3232 3232 2670 726f 6475        04.10.2222&produ
0x0070   6374 3d45 7564 6f72 6126 7665 7273 696f        ct=Eudora&versio
0x0080   6e3d 342e 332e 322e                            n=4.3.2.

I think this is surely interesting: Eudora sending info without my approval. Haven't we seen the same thing with Serv-U?
At least my firewall has some new entries now. ;)

        # Deny all TCP traffic to and from jump2.eudora.com (eudora backdoor)
        ${fwcmd} add deny tcp from any to 208.184.225.10
        ${fwcmd} add deny tcp from 208.184.225.10 to any

Greetings
Peter Batenburg
Greetings
Petertje
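
The post shows the request only as a tcpdump -x hex dump, so the decoded query string (what the client actually reports about the machine) has to be read out of the ASCII column by hand. The following is an added example, not code from the post or from Eudora: it rebuilds the raw packet from the hex lines of the third (PSH) segment above, verifies the IPv4 header checksum as a sanity check on the transcription, walks the IP and TCP headers to the payload, and URL-decodes the GET line. The function names and the embedded SAMPLE_HEX_DUMP (copied from the post's third packet) are this example's own; note the capture was taken with -s 150, so the request is cut off after the version parameter.

```python
"""Rebuild and decode the HTTP request from a tcpdump -x/-X hex dump.

Added example, not part of the original post. SAMPLE_HEX_DUMP is the hex
of the third packet (the PSH segment carrying the GET) as printed in the post.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: the hex lines of the post's third packet, verbatim.
SAMPLE_HEX_DUMP = """\
0x0000   4500 00f7 5348 4000 8006 eaf4 0a00 0001        E...SH@.........
0x0010   d0b8 e10a 0513 0050 0122 0f25 69af f01f        .......P.".%i...
0x0020   5018 2530 7d37 0000 4745 5420 2f6a 756d        P.%0}7..GET./jum
0x0030   702e 6367 693f 6163 7469 6f6e 3d75 7064        p.cgi?action=upd
0x0040   6174 6526 706c 6174 666f 726d 3d57 696e        ate&platform=Win
0x0050   646f 7773 2532 3039 3825 3230 762e 2532        dows%2098%20v.%2
0x0060   3034 2e31 302e 3232 3232 2670 726f 6475        04.10.2222&produ
0x0070   6374 3d45 7564 6f72 6126 7665 7273 696f        ct=Eudora&versio
0x0080   6e3d 342e 332e 322e                            n=4.3.2.
"""


def parse_tcpdump_hex(dump: str) -> bytes:
    """Return the raw IP packet from one packet's tcpdump -x lines.

    Each line is '0xOFFSET   hex groups        ascii'; the hex groups are
    separated by single spaces and the ASCII column by two or more, so
    splitting on runs of 2+ spaces isolates the hex. Summary lines that do
    not start with 0x are skipped; a second packet (offset restarting at 0)
    is rejected rather than silently concatenated.
    """
    out = bytearray()
    for line in dump.splitlines():
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) < 2 or not parts[0].lower().startswith("0x"):
            continue
        offset = int(parts[0], 16)
        if offset != len(out):
            raise ValueError(f"non-contiguous dump at offset {offset:#x}")
        out += bytes.fromhex(parts[1].replace(" ", ""))
    return bytes(out)


def ipv4_header_checksum_ok(packet: bytes) -> bool:
    """One's-complement sum over the IPv4 header (checksum field included) must fold to 0xFFFF."""
    ihl = (packet[0] & 0x0F) * 4
    total = sum(int.from_bytes(packet[i:i + 2], "big") for i in range(0, ihl, 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def tcp_payload(packet: bytes) -> dict:
    """Walk the IPv4 and TCP headers; return addresses, ports, payload and truncation flag."""
    if packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    if packet[9] != 6:
        raise ValueError("not TCP")
    ihl = (packet[0] & 0x0F) * 4
    declared_len = int.from_bytes(packet[2:4], "big")  # IP total length field
    tcp = packet[ihl:]
    data_offset = (tcp[12] >> 4) * 4
    return {
        "src": ".".join(str(b) for b in packet[12:16]),
        "dst": ".".join(str(b) for b in packet[16:20]),
        "sport": int.from_bytes(tcp[0:2], "big"),
        "dport": int.from_bytes(tcp[2:4], "big"),
        # snaplen (-s 150) can cut the packet: compare captured vs declared size
        "truncated": declared_len > len(packet),
        "payload": tcp[data_offset:],
    }


def decode_http_request(payload: bytes) -> dict:
    """Split the request line and URL-decode the query into name/value pairs."""
    text = payload.decode("ascii", errors="replace")
    request_line = text.split("\r\n", 1)[0]
    method, _, rest = request_line.partition(" ")
    target = rest.split(" ", 1)[0]  # drop 'HTTP/1.x' if the capture got that far
    url = urlsplit(target)
    return {
        "method": method,
        "path": url.path,
        "query": dict(parse_qsl(url.query, keep_blank_values=True)),
    }


if __name__ == "__main__":
    pkt = parse_tcpdump_hex(SAMPLE_HEX_DUMP)
    info = tcp_payload(pkt)
    print(f"{info['src']}:{info['sport']} -> {info['dst']}:{info['dport']}"
          f" checksum_ok={ipv4_header_checksum_ok(pkt)} truncated={info['truncated']}")
    for name, value in decode_http_request(info["payload"])["query"].items():
        print(f"  {name} = {value!r}")
```

Run on the post's dump this prints the destination 208.184.225.10 (the address in the firewall rules above) and the decoded parameters, including the platform string with its %20s resolved to "Windows 98 v. 4.10.2222"; the checksum check passing confirms the hex was transcribed intact before anything is read out of it.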

