Vulnerability Development mailing list archives

Re: jump2.eudora.com


From: Fabio Roccatagliata <rocca () IGECUNIV CSITA UNIGE IT>
Date: Mon, 28 Aug 2000 10:59:31 +0200

It doesn't send any mysterious information.
It simply checks out if any newer version is available.
No serials, codes or other personal information are transmitted.

Fabio Roccatagliata

On Sun, 27 Aug 2000, William Daskaluk wrote:

So it sent a request to jump2.eudora.com which looks like the following...

GET /jump.cgi?action=update&platform=Windows 98
v.04.10.2222&product=Eudora&version=4.3.2

All that other junk in the tcpdump was just your computer negotiating a
connection.

Where exactly is this 'information' that eudora is sending?  It looks to me like
it is simply checking to see if a newer version of Eudora is available.


----- Original Message -----
From: "Peter Batenburg" <petertje () DEEJAYS NL>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Sunday, August 27, 2000 3:46 PM
Subject: actions to jump2.eudora.com


Hello,

After the last message, I fiddled with tcpdump.. and got the following:

[root@host /]% tcpdump -vvv -s 150 -x -X dst host jump2.eudora.com
tcpdump: listening on fxp0
21:26:14.591942 xxxxxxxxxxx.1299 > jump2.eudora.com.http: S 19009316:19009316(0) win 8192 <mss 1460,nop,nop,sackOK> (DF) (ttl 128, id 20808)
0x0000   4500 0030 5148 4000 8006 edbb 0a00 0001        E..0QH@.........
0x0010   d0b8 e10a 0513 0050 0122 0f24 0000 0000        .......P.".$....
0x0020   7002 2000 91b2 0000 0204 05b4 0101 0402        p...............
21:26:14.801079 xxxxxxxxxxxx.1299 > jump2.eudora.com.http: . 19009317:19009317(0) ack 1773137951 win 9520 (DF) (ttl 128, id 21064)
0x0000   4500 0028 5248 4000 8006 ecc3 0a00 0001        E..(RH@.........
0x0010   d0b8 e10a 0513 0050 0122 0f25 69af f01f        .......P.".%i...
0x0020   5010 2530 5f67 0000 0000 0000 0000             P.%0_g........
21:26:14.801591 xxxxxxxxxxxx.1299 > jump2.eudora.com.http: P 0:207(207) ack 1 win 9520 (DF) (ttl 128, id 21320)
0x0000   4500 00f7 5348 4000 8006 eaf4 0a00 0001        E...SH@.........
0x0010   d0b8 e10a 0513 0050 0122 0f25 69af f01f        .......P.".%i...
0x0020   5018 2530 7d37 0000 4745 5420 2f6a 756d        P.%0}7..GET./jum
0x0030   702e 6367 693f 6163 7469 6f6e 3d75 7064        p.cgi?action=upd
0x0040   6174 6526 706c 6174 666f 726d 3d57 696e        ate&platform=Win
0x0050   646f 7773 2532 3039 3825 3230 762e 2532        dows%2098%20v.%2
0x0060   3034 2e31 302e 3232 3232 2670 726f 6475        04.10.2222&produ
0x0070   6374 3d45 7564 6f72 6126 7665 7273 696f        ct=Eudora&versio
0x0080   6e3d 342e 332e 322e                            n=4.3.2.

I think this is surely interesting.. Eudora sending info without my
approval.. haven't we seen the same thing with Serv-U?
At least my firewall has some new entries now..;)

         # Deny all TCP traffic to and from jump2.eudora.com (eudora backdoor)
         ${fwcmd} add deny tcp from any to 208.184.225.10
         ${fwcmd} add deny tcp from 208.184.225.10 to any

Greetings
Peter Batenburg
Greetings
Petertje
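To settle what the capture above actually carries, here is an added example (not code from any poster in this thread) that rebuilds the third packet from the hex columns of the tcpdump -x -X output, strips the IPv4 and TCP headers, and URL-decodes the query string so every field sent to jump2.eudora.com can be read off; it also reports that the -s 150 snaplen cut the 207-byte request short. The dump text is copied from the post; the function names are my own.

```python
import re
from urllib.parse import parse_qs

# Copy of the hex columns of the third packet in the tcpdump output quoted
# above (the PSH segment carrying the HTTP request); only the hex is parsed.
PACKET_HEX = """\
0x0000   4500 00f7 5348 4000 8006 eaf4 0a00 0001        E...SH@.........
0x0010   d0b8 e10a 0513 0050 0122 0f25 69af f01f        .......P.".%i...
0x0020   5018 2530 7d37 0000 4745 5420 2f6a 756d        P.%0}7..GET./jum
0x0030   702e 6367 693f 6163 7469 6f6e 3d75 7064        p.cgi?action=upd
0x0040   6174 6526 706c 6174 666f 726d 3d57 696e        ate&platform=Win
0x0050   646f 7773 2532 3039 3825 3230 762e 2532        dows%2098%20v.%2
0x0060   3034 2e31 302e 3232 3232 2670 726f 6475        04.10.2222&produ
0x0070   6374 3d45 7564 6f72 6126 7665 7273 696f        ct=Eudora&versio
0x0080   6e3d 342e 332e 322e                            n=4.3.2.
"""

def hexdump_to_bytes(dump):
    """Rebuild captured bytes from tcpdump -x lines, ignoring offset and ASCII columns."""
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if tokens and tokens[0].startswith("0x"):
            words = []
            for tok in tokens[1:9]:                 # at most eight 16-bit words per line
                if not re.fullmatch(r"[0-9a-f]{4}", tok):
                    break                           # reached the ASCII column
                words.append(tok)
            out += bytes.fromhex("".join(words))
    return bytes(out)

def tcp_payload(pkt):
    """Skip IPv4 (IHL) and TCP (data offset) headers; return addressing, payload and lengths."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = int.from_bytes(pkt[2:4], "big")     # length the IP header declares
    dst_ip = ".".join(str(b) for b in pkt[16:20])
    tcp = pkt[ihl:]
    dst_port = int.from_bytes(tcp[2:4], "big")
    doff = (tcp[12] >> 4) * 4
    payload = tcp[doff:]
    return dst_ip, dst_port, payload, total_len - ihl - doff, len(payload)

def decode_update_check(dump):
    """Parse the HTTP request line and URL-decode its query string."""
    dst_ip, dst_port, payload, declared, captured = tcp_payload(hexdump_to_bytes(dump))
    request_line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    method, _, target = request_line.partition(" ")
    path, _, query = target.partition("?")
    params = {k: v[0] for k, v in parse_qs(query).items()}   # parse_qs URL-decodes
    return {"dst": f"{dst_ip}:{dst_port}", "method": method, "path": path,
            "params": params, "truncated": captured < declared}
```

Run `decode_update_check(PACKET_HEX)` to see the destination 208.184.225.10:80 (the address in the firewall rules above), the four query parameters, and `truncated=True` because only 96 of the 207 payload bytes were captured.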
