Vulnerability Development mailing list archives
jump2.eudora.com
From: William Daskaluk <redmage () BESTNET ORG>
Date: Sun, 27 Aug 2000 16:32:58 -0400
So it sent a request to jump2.eudora.com which looks like the following...

GET /jump.cgi?action=update&platform=Windows 98 v.04.10.2222&product=Eudora&version=4.3.2

All that other junk in the tcpdump was just your computer negotiating a connection. Where exactly is this 'information' that Eudora is sending? It looks to me like it is simply checking to see if a newer version of Eudora is available.

----- Original Message -----
From: "Peter Batenburg" <petertje () DEEJAYS NL>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Sunday, August 27, 2000 3:46 PM
Subject: actions to jump2.eudora.com
Hello, after the last message, I fiddled with tcpdump.. and got the following:

[root@host /]% tcpdump -vvv -s 150 -x -X dst host jump2.eudora.com
tcpdump: listening on fxp0
21:26:14.591942 xxxxxxxxxxx.1299 > jump2.eudora.com.http: S 19009316:19009316(0) win 8192 <mss 1460,nop,nop,sackOK> (DF) (ttl 128, id 20808)
0x0000 4500 0030 5148 4000 8006 edbb 0a00 0001 E..0QH@.........
0x0010 d0b8 e10a 0513 0050 0122 0f24 0000 0000 .......P.".$....
0x0020 7002 2000 91b2 0000 0204 05b4 0101 0402 p...............
21:26:14.801079 xxxxxxxxxxxx.1299 > jump2.eudora.com.http: . 19009317:19009317(0) ack 1773137951 win 9520 (DF) (ttl 128, id 21064)
0x0000 4500 0028 5248 4000 8006 ecc3 0a00 0001 E..(RH@.........
0x0010 d0b8 e10a 0513 0050 0122 0f25 69af f01f .......P.".%i...
0x0020 5010 2530 5f67 0000 0000 0000 0000 P.%0_g........
21:26:14.801591 xxxxxxxxxxxx.1299 > jump2.eudora.com.http: P 0:207(207) ack 1 win 9520 (DF) (ttl 128, id 21320)
0x0000 4500 00f7 5348 4000 8006 eaf4 0a00 0001 E...SH@.........
0x0010 d0b8 e10a 0513 0050 0122 0f25 69af f01f .......P.".%i...
0x0020 5018 2530 7d37 0000 4745 5420 2f6a 756d P.%0}7..GET./jum
0x0030 702e 6367 693f 6163 7469 6f6e 3d75 7064 p.cgi?action=upd
0x0040 6174 6526 706c 6174 666f 726d 3d57 696e ate&platform=Win
0x0050 646f 7773 2532 3039 3825 3230 762e 2532 dows%2098%20v.%2
0x0060 3034 2e31 302e 3232 3232 2670 726f 6475 04.10.2222&produ
0x0070 6374 3d45 7564 6f72 6126 7665 7273 696f ct=Eudora&versio
0x0080 6e3d 342e 332e 322e n=4.3.2.

I think this is surely interesting.. Eudora sending info without my approving.. haven't we seen the same thing with Serv-U? At least my firewall has some new entries now..;)

# Deny all TCP traffic to and from jump2.eudora.com (eudora backdoor)
${fwcmd} add deny tcp from any to 208.184.225.10
${fwcmd} add deny tcp from 208.184.225.10 to any

Greetings
Peter Batenburg

Greetings, Petertje
Current thread:
- jump2.eudora.com William Daskaluk (Aug 27)
- Re: jump2.eudora.com Matt Zimmerman (Aug 28)
- Re: jump2.eudora.com Brad Griffin (Aug 28)
- Re: jump2.eudora.com Erik Tayler (Aug 28)
- Re: jump2.eudora.com Bluefish (P.Magnusson) (Aug 29)
- Re: jump2.eudora.com Brad Griffin (Aug 28)
- Re: jump2.eudora.com Teicher, Mark (Aug 29)
- Re: jump2.eudora.com Matt Zimmerman (Aug 28)
- Re: jump2.eudora.com Fabio Roccatagliata (Aug 28)
- Re: jump2.eudora.com Schlachter, Jake (Aug 28)
- <Possible follow-ups>
- Re: jump2.eudora.com Robert G. Ferrell (Aug 28)
- Re: jump2.eudora.com Perry Anton (Aug 28)
- Re: jump2.eudora.com Brad Griffin (Aug 28)