Vulnerability Development mailing list archives

jump2.eudora.com


From: William Daskaluk <redmage () BESTNET ORG>
Date: Sun, 27 Aug 2000 16:32:58 -0400

So it sent a request to jump2.eudora.com which looks like the following...

GET /jump.cgi?action=update&platform=Windows 98 v.04.10.2222&product=Eudora&version=4.3.2

All that other junk in the tcpdump was just your computer negotiating a
connection.

Where exactly is this 'information' that eudora is sending?  It looks to me like
it is simply checking to see if a newer version of Eudora is available.


----- Original Message -----
From: "Peter Batenburg" <petertje () DEEJAYS NL>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Sunday, August 27, 2000 3:46 PM
Subject: actions to jump2.eudora.com


Hello,

After the last message, I fiddled with tcpdump.. and got the following:

[root@host /]% tcpdump -vvv -s 150 -x -X dst host jump2.eudora.com
tcpdump: listening on fxp0
21:26:14.591942 xxxxxxxxxxx.1299 > jump2.eudora.com.http: S 19009316:19009316(0) win 8192 <mss 1460,nop,nop,sackOK> (DF) (ttl 128, id 20808)
0x0000   4500 0030 5148 4000 8006 edbb 0a00 0001        E..0QH@.........
0x0010   d0b8 e10a 0513 0050 0122 0f24 0000 0000        .......P.".$....
0x0020   7002 2000 91b2 0000 0204 05b4 0101 0402        p...............
21:26:14.801079 xxxxxxxxxxxx.1299 > jump2.eudora.com.http: . 19009317:19009317(0) ack 1773137951 win 9520 (DF) (ttl 128, id 21064)
0x0000   4500 0028 5248 4000 8006 ecc3 0a00 0001        E..(RH@.........
0x0010   d0b8 e10a 0513 0050 0122 0f25 69af f01f        .......P.".%i...
0x0020   5010 2530 5f67 0000 0000 0000 0000             P.%0_g........
21:26:14.801591 xxxxxxxxxxxx.1299 > jump2.eudora.com.http: P 0:207(207) ack 1 win 9520 (DF) (ttl 128, id 21320)
0x0000   4500 00f7 5348 4000 8006 eaf4 0a00 0001        E...SH@.........
0x0010   d0b8 e10a 0513 0050 0122 0f25 69af f01f        .......P.".%i...
0x0020   5018 2530 7d37 0000 4745 5420 2f6a 756d        P.%0}7..GET./jum
0x0030   702e 6367 693f 6163 7469 6f6e 3d75 7064        p.cgi?action=upd
0x0040   6174 6526 706c 6174 666f 726d 3d57 696e        ate&platform=Win
0x0050   646f 7773 2532 3039 3825 3230 762e 2532        dows%2098%20v.%2
0x0060   3034 2e31 302e 3232 3232 2670 726f 6475        04.10.2222&produ
0x0070   6374 3d45 7564 6f72 6126 7665 7273 696f        ct=Eudora&versio
0x0080   6e3d 342e 332e 322e                            n=4.3.2.

I think this is surely interesting.. Eudora sending info without my
approving.. haven't we seen the same thing with Serv-U?
At least my firewall has some new entries now..;)

         # Deny all TCP traffic to and from jump2.eudora.com (eudora backdoor)
         ${fwcmd} add deny tcp from any to 208.184.225.10
         ${fwcmd} add deny tcp from 208.184.225.10 to any

Greetings
Peter Batenburg
Greetings
Petertje
