Vulnerability Development mailing list archives
Re: jump2.eudora.com
From: Fabio Roccatagliata <rocca () IGECUNIV CSITA UNIGE IT>
Date: Mon, 28 Aug 2000 10:59:31 +0200
It doesn't send any mysterious information. It simply checks whether any newer version is available. No serials, codes or other personal information are transmitted.

Fabio Roccatagliata

On Sun, 27 Aug 2000, William Daskaluk wrote:
So it sent a request to jump2.eudora.com which looks like the following...

GET /jump.cgi?action=update&platform=Windows 98 v.04.10.2222&product=Eudora&version=4.3.2

All that other junk in the tcpdump was just your computer negotiating a connection. Where exactly is this 'information' that Eudora is sending? It looks to me like it is simply checking to see if a newer version of Eudora is available.

----- Original Message -----
From: "Peter Batenburg" <petertje () DEEJAYS NL>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Sunday, August 27, 2000 3:46 PM
Subject: actions to jump2.eudora.com

Hello, after the last message, I fiddled with tcpdump.. and got the following:

[root@host /]% tcpdump -vvv -s 150 -x -X dst host jump2.eudora.com
tcpdump: listening on fxp0
21:26:14.591942 xxxxxxxxxxx.1299 > jump2.eudora.com.http: S 19009316:19009316(0) win 8192 <mss 1460,nop,nop,sackOK> (DF) (ttl 128, id 20808)
0x0000 4500 0030 5148 4000 8006 edbb 0a00 0001 E..0QH@.........
0x0010 d0b8 e10a 0513 0050 0122 0f24 0000 0000 .......P.".$....
0x0020 7002 2000 91b2 0000 0204 05b4 0101 0402 p...............
21:26:14.801079 xxxxxxxxxxxx.1299 > jump2.eudora.com.http: . 19009317:19009317(0) ack 1773137951 win 9520 (DF) (ttl 128, id 21064)
0x0000 4500 0028 5248 4000 8006 ecc3 0a00 0001 E..(RH@.........
0x0010 d0b8 e10a 0513 0050 0122 0f25 69af f01f .......P.".%i...
0x0020 5010 2530 5f67 0000 0000 0000 0000 P.%0_g........
21:26:14.801591 xxxxxxxxxxxx.1299 > jump2.eudora.com.http: P 0:207(207) ack 1 win 9520 (DF) (ttl 128, id 21320)
0x0000 4500 00f7 5348 4000 8006 eaf4 0a00 0001 E...SH@.........
0x0010 d0b8 e10a 0513 0050 0122 0f25 69af f01f .......P.".%i...
0x0020 5018 2530 7d37 0000 4745 5420 2f6a 756d P.%0}7..GET./jum
0x0030 702e 6367 693f 6163 7469 6f6e 3d75 7064 p.cgi?action=upd
0x0040 6174 6526 706c 6174 666f 726d 3d57 696e ate&platform=Win
0x0050 646f 7773 2532 3039 3825 3230 762e 2532 dows%2098%20v.%2
0x0060 3034 2e31 302e 3232 3232 2670 726f 6475 04.10.2222&produ
0x0070 6374 3d45 7564 6f72 6126 7665 7273 696f ct=Eudora&versio
0x0080 6e3d 342e 332e 322e n=4.3.2.

I think this is surely interesting.. Eudora sending info without my approving.. Haven't we seen the same thing with Serv-U? At least my firewall has some new entries now..;)

# Deny all TCP traffic to and from jump2.eudora.com (eudora backdoor)
${fwcmd} add deny tcp from any to 208.184.225.10
${fwcmd} add deny tcp from 208.184.225.10 to any

Greetings
Peter Batenburg
Greetings, Petertje