Firewall Wizards mailing list archives

Re: Spamming, 'hidden' mail server


From: Jeff Bollinger <jeff01 () email unc edu>
Date: Thu, 09 Oct 2003 22:56:37 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Damian Gerow wrote:
| incidents () securityfocus com:
|
| I've been debugging a weird spamming problem lately -- customers with
| almost zero technical knowledge have been spamming, and virus scans have
| not shown anything yet.  Below is a dump of traffic traversing port 3101
| of one of our customers' connections, which I've been looking at for the
| past couple of hours.
|
| This has moved from firewall-wizards@, which I am Cc:'ing in this.
|
| Moderator: I'm not sure exactly how on-topic this is, but I'm also not
| sure where else to turn at this point.
|
| Thus spake Paul Robertson (proberts () patriot net) [08/10/03 18:20]:
|
|>>Since this has moved far and beyond the scope of the list, I'll
|>>refrain from posting anything else.
|>
|>No fair, we wanna know what it was!
|
|
| Hmmm... I /thought/ it might be a variant of the autoproxy trojan:
|
|
| <http://www.mail-archive.com/full-disclosure () lists netsys com/msg08569.html>
|
| But this looks remarkably like a remotely-started SMTP daemon, set up
| as an open relay.  Take a look at this.  This doesn't look like a normal
| 3-way handshake.  Apologies for length:
|
|     17:56:07.675864 cashtonic.propagation.net.57871 > cust.dsl2.sentex.ca.32101: S 1826083692:1826083692(0) win 5840 <mss 1460> (DF)
|     0x0000     4500 002c 9168 4000 2d06 d7b9 42dd d90a        E..,.h@.-...B...
|     0x0010     4007 88bb e20f 7d65 6cd7 d36c 0000 0000        @.....}el..l....
|     0x0020     6002 16d0 fcf2 0000 0204 05b4                  `...........
|     17:56:07.693071 cust.dsl2.sentex.ca.32101 > cashtonic.propagation.net.57871: S 583475395:583475395(0) ack 1826083693 win 16968 <mss 1414> (DF)
|     0x0000     4500 002c 03c5 4000 7f06 135d 4007 88bb        E..,..@....]@...
|     0x0010     42dd d90a 7d65 e20f 22c7 20c3 6cd7 d36d        B...}e.."...l..m
|     0x0020     6012 4248 8e0d 0000 0204 0586 92f1             `.BH..........
|     17:56:07.733811 cashtonic.propagation.net.57871 > cust.dsl2.sentex.ca.32101: . ack 1 win 5840 (DF)
|     0x0000     4500 0028 9169 4000 2d06 d7bc 42dd d90a        E..(.i@.-...B...
|     0x0010     4007 88bb e20f 7d65 6cd7 d36d 22c7 20c4        @.....}el..m"...
|     0x0020     5010 16d0 d114 0000                            P.......
|     17:56:07.733828 cashtonic.propagation.net.57871 > cust.dsl2.sentex.ca.32101: F 1:1(0) ack 1 win 5840 (DF)
|     0x0000     4500 0028 916a 4000 2d06 d7bb 42dd d90a        E..(.j@.-...B...
|     0x0010     4007 88bb e20f 7d65 6cd7 d36d 22c7 20c4        @.....}el..m"...
|     0x0020     5011 16d0 d113 0000                            P.......
|     17:56:07.752423 cust.dsl2.sentex.ca.32101 > cashtonic.propagation.net.57871: . ack 2 win 16968 (DF)
|     0x0000     4500 0028 03c6 4000 7f06 1360 4007 88bb        E..(..@....`@...
|     0x0010     42dd d90a 7d65 e20f 22c7 20c4 6cd7 d36e        B...}e.."...l..n
|     0x0020     5010 4248 a59b 0000 0000 1a47 48df             P.BH.......GH.
|     17:56:07.754633 cust.dsl2.sentex.ca.32101 > cashtonic.propagation.net.57871: F 1:1(0) ack 2 win 16968 (DF)
|     0x0000     4500 0028 03c7 4000 7f06 135f 4007 88bb        E..(..@...._@...
|     0x0010     42dd d90a 7d65 e20f 22c7 20c4 6cd7 d36e        B...}e.."...l..n
|     0x0020     5011 4248 a59a 0000 0000 3820 d9c3             P.BH......8...
|     17:56:07.791436 cashtonic.propagation.net.57871 > cust.dsl2.sentex.ca.32101: . ack 2 win 5840 (DF)
|     0x0000     4500 0028 0000 4000 2d06 6926 42dd d90a        E..(..@.-.i&B...
|     0x0010     4007 88bb e20f 7d65 6cd7 d36e 22c7 20c5        @.....}el..n"...
|     0x0020     5010 16d0 d112 0000                            P.......
|     17:57:36.978125 207.218.103.29.4752 > cust.dsl2.sentex.ca.32101: S 1688526831:1688526831(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
|     0x0000     4500 0030 c990 4000 7006 417d cfda 671d        E..0..@.p.A}..g.
|     0x0010     4007 88bb 1290 7d65 64a4 dfef 0000 0000        @.....}ed.......
|     0x0020     7002 ffff aedb 0000 0204 05b4 0101 0402        p...............
|     17:57:36.994738 cust.dsl2.sentex.ca.32101 > 207.218.103.29.4752: S 605878698:605878698(0) ack 1688526832 win 16968 <mss 1414,nop,nop,sackOK> (DF)
|     0x0000     4500 0030 03d0 4000 7f06 f83d 4007 88bb        E..0..@....=@...
|     0x0010     cfda 671d 7d65 1290 241c f9aa 64a4 dff0        ..g.}e..$...d...
|     0x0020     7012 4248 4ee9 0000 0204 0586 0101 0402        p.BHN...........
|     17:57:37.060523 207.218.103.29.4752 > cust.dsl2.sentex.ca.32101: . ack 1 win 65535 (DF)
|     0x0000     4500 0028 c9bd 4000 7006 4158 cfda 671d        E..(..@.p.AX..g.
|     0x0010     4007 88bb 1290 7d65 64a4 dff0 241c f9ab        @.....}ed...$...
|     0x0020     5010 ffff bdc7 0000                            P.......
|     17:57:37.060859 207.218.103.29.4752 > cust.dsl2.sentex.ca.32101: P 1:4(3) ack 1 win 65535 (DF)
|     0x0000     4500 002b c9bf 4000 7006 4153 cfda 671d        E..+..@.p.AS..g.
|     0x0010     4007 88bb 1290 7d65 64a4 dff0 241c f9ab        @.....}ed...$...
|     0x0020     5018 ffff b8bb 0000 0501 00                    P..........
|     17:57:37.079841 cust.dsl2.sentex.ca.32101 > 207.218.103.29.4752: P 1:3(2) ack 4 win 16965 (DF)
|     0x0000     4500 002a 03d1 4000 7f06 f842 4007 88bb        E..*..@....B@...
|     0x0010     cfda 671d 7d65 1290 241c f9ab 64a4 dff3        ..g.}e..$...d...
|     0x0020     5018 4245 7675 0000 0500 052b e9a1             P.BEvu.....+..
|     17:57:37.146869 207.218.103.29.4752 > cust.dsl2.sentex.ca.32101: P 4:14(10) ack 3 win 65533 (DF)
|     0x0000     4500 0032 c9fd 4000 7006 410e cfda 671d        E..2..@.p.A...g.
|     0x0010     4007 88bb 1290 7d65 64a4 dff3 241c f9ad        @.....}ed...$...
|     0x0020     5018 fffd af41 0000 0501 0001 0c1c fd39        P....A.........9
|     0x0030     0019                                           ..
|     17:57:37.225916 cust.dsl2.sentex.ca.32101 > 207.218.103.29.4752: P 3:13(10) ack 14 win 16955 (DF)
|     0x0000     4500 0032 03d4 4000 7f06 f837 4007 88bb        E..2..@....7@...
|     0x0010     cfda 671d 7d65 1290 241c f9ad 64a4 dffd        ..g.}e..$...d...
|     0x0020     5018 423b a93f 0000 0500 0001 4007 88bb        P.B;.?......@...
|     0x0030     0468                                           .h
|     17:57:37.430926 207.218.103.29.4752 > cust.dsl2.sentex.ca.32101: . ack 13 win 65523 (DF)
|     0x0000     4500 0028 cabe 4000 7006 4057 cfda 671d        E..(..@.p.@W..g.
|     0x0010     4007 88bb 1290 7d65 64a4 dffd 241c f9b7        @.....}ed...$...
|     0x0020     5010 fff3 bdba 0000                            P.......
|     17:57:37.450172 cust.dsl2.sentex.ca.32101 > 207.218.103.29.4752: P 13:31(18) ack 14 win 16955 (DF)
|     0x0000     4500 003a 03d6 4000 7f06 f82d 4007 88bb        E..:..@....-@...
|     0x0010     cfda 671d 7d65 1290 241c f9b7 64a4 dffd        ..g.}e..$...d...
|     0x0020     5018 423b d7e7 0000 3232 3020 7365 7276        P.B;....220.serv
|     0x0030     6572 2075 7020 5831 0d0a                       er.up.X1..
|     17:57:37.517854 207.218.103.29.4752 > cust.dsl2.sentex.ca.32101: P 14:42(28) ack 31 win 65505 (DF)
|     0x0000     4500 0044 caea 4000 7006 400f cfda 671d        E..D..@.p.@...g.
|     0x0010     4007 88bb 1290 7d65 64a4 dffd 241c f9c9        @.....}ed...$...
|     0x0020     5018 ffe1 2a3a 0000 4845 4c4f 20.. ....        P...*:..HELO...c
|     0x0030     .... ..2e 6473 6c32 2e73 656e 7465 782e        ust.dsl2.sentex.
|     0x0040     6361 0d0a                                      ca..
|     17:57:37.599470 cust.dsl2.sentex.ca.32101 > 207.218.103.29.4752: P 31:61(30) ack 42 win 16927 (DF)
|     0x0000     4500 0046 03d8 4000 7f06 f81f 4007 88bb        E..F..@.....@...
|     0x0010     cfda 671d 7d65 1290 241c f9c9 64a4 e019        ..g.}e..$...d...
|     0x0020     5018 421f 6635 0000 3235 3020 6865 6c6c        P.B.f5..250.hell
|     0x0030     6f20 6d61 696c 2e62 726f 776e 7363 6172        o.mail.brownscar
|     0x0040     2e63 6f6d 0d0a                                 .com..
|     17:57:37.665018 207.218.103.29.4752 > cust.dsl2.sentex.ca.32101: P 42:76(34) ack 61 win 65475 (DF)
|     0x0000     4500 004a cb56 4000 7006 3f9d cfda 671d        E..J.V@.p.?...g.
|     0x0010     4007 88bb 1290 7d65 64a4 e019 241c f9e7        @.....}ed...$...
|     0x0020     5018 ffc3 6332 0000 4d41 494c 2046 524f        P...c2..MAIL.FRO
|     0x0030     4d3a 203c 7433 6666 7176 3879 4074 6c63        M:.<t3ffqv8y@tlc
|     0x0040     6661 6e2e 636f 6d3e 0d0a                       fan.com>..
|     17:57:37.743826 cust.dsl2.sentex.ca.32101 > 207.218.103.29.4752: P 61:69(8) ack 76 win 16893 (DF)
|     0x0000     4500 0030 03db 4000 7f06 f832 4007 88bb        E..0..@....2@...
|     0x0010     cfda 671d 7d65 1290 241c f9e7 64a4 e03b        ..g.}e..$...d..;
|     0x0020     5018 41fd 9c68 0000 3235 3020 6f6b 0d0a        P.A..h..250.ok..
|     17:57:37.809762 207.218.103.29.4752 > cust.dsl2.sentex.ca.32101: P 76:109(33) ack 69 win 65467 (DF)
|     0x0000     4500 0049 cbb1 4000 7006 3f43 cfda 671d        E..I..@.p.?C..g.
|     0x0010     4007 88bb 1290 7d65 64a4 e03b 241c f9ef        @.....}ed..;$...
|     0x0020     5018 ffbb 75c0 0000 5243 5054 2054 4f3a        P...u...RCPT.TO:
|     0x0030     203c 6362 6972 6368 4062 726f 776e 7363        .<cbirch@brownsc
|     0x0040     6172 2e63 6f6d 3e0d 0a                         ar.com>..
|     17:57:37.919530 cust.dsl2.sentex.ca.32101 > 207.218.103.29.4752: P 69:108(39) ack 109 win 16860 (DF)
|     0x0000     4500 004f 03dd 4000 7f06 f811 4007 88bb        E..O..@.....@...
|     0x0010     cfda 671d 7d65 1290 241c f9ef 64a4 e05c        ..g.}e..$...d..\
|     0x0020     5018 41dc 4f29 0000 3235 3020 6f6b 2069        P.A.O)..250.ok.i
|     0x0030     7473 2066 6f72 203c 6362 6972 6368 4062        ts.for.<cbirch@b
|     0x0040     726f 776e 7363 6172 2e63 6f6d 3e0d 0a          rownscar.com>..
|     17:57:37.985600 207.218.103.29.4752 > cust.dsl2.sentex.ca.32101: P 109:142(33) ack 108 win 65428 (DF)
|     0x0000     4500 0049 cc2c 4000 7006 3ec8 cfda 671d        E..I.,@.p.>...g.
|     0x0010     4007 88bb 1290 7d65 64a4 e05c 241c fa16        @.....}ed..\$...
|     0x0020     5018 ff94 7ba1 0000 5243 5054 2054 4f3a        P...{...RCPT.TO:
|     0x0030     203c 6366 6162 6572 4062 726f 776e 7363        .<cfaber@brownsc
|     0x0040     6172 2e63 6f6d 3e0d 0a                         ar.com>..
|     17:57:38.089586 cust.dsl2.sentex.ca.32101 > 207.218.103.29.4752: P 108:147(39) ack 142 win 16827 (DF)
|     0x0000     4500 004f 03df 4000 7f06 f80f 4007 88bb        E..O..@.....@...
|     0x0010     cfda 671d 7d65 1290 241c fa16 64a4 e07d        ..g.}e..$...d..}
|     0x0020     5018 41bb 5504 0000 3235 3020 6f6b 2069        P.A.U...250.ok.i
|     0x0030     7473 2066 6f72 203c 6366 6162 6572 4062        ts.for.<cfaber@b
|     0x0040     726f 776e 7363 6172 2e63 6f6d 3e0d 0a          rownscar.com>..
|     17:57:38.155389 207.218.103.29.4752 > cust.dsl2.sentex.ca.32101: P 142:148(6) ack 147 win 65389 (DF)
|     0x0000     4500 002e cc9b 4000 7006 3e74 cfda 671d        E.....@.p.>t..g.
|     0x0010     4007 88bb 1290 7d65 64a4 e07d 241c fa3d        @.....}ed..}$..=
|     0x0020     5018 ff6d 17a0 0000 4441 5441 0d0a             P..m....DATA..
|     17:57:38.229991 cust.dsl2.sentex.ca.32101 > 207.218.103.29.4752: P 147:188(41) ack 148 win 16821 (DF)
|     0x0000     4500 0051 03e1 4000 7f06 f80b 4007 88bb        E..Q..@.....@...
|     0x0010     cfda 671d 7d65 1290 241c fa3d 64a4 e083        ..g.}e..$..=d...
|     0x0020     5018 41b5 a5e7 0000 3335 3420 6f6b 2c20        P.A.....354.ok,.
|     0x0030     7365 6e64 2069 743b 2065 6e64 2077 6974        send.it;.end.wit
|     0x0040     6820 3c43 524c 463e 2e3c 4352 4c46 3e0d        h.<CRLF>.<CRLF>.
|     0x0050     0a                                             .
|
| (I've replaced the customer's actual hostname with 'cust.dsl2.sentex.ca',
| and '.'ed out the hex.)
|
| Has anyone seen this before?  And now, I'm moving this from
| firewall-wizards to incidents@.  If people on one list wish to remain
| updated, either subscribe to the securityfocus mailing list, or follow
| the archives.
|
| I've done a google search for 'server up X1', with no results.  Same for
| 'cashtonic.propagation.net', but opening it up in a web browser resulted
| in a web page consisting solely of 'dfhjgkdfjk'.
|
|


Stab in the dark, but it could be similar to an attack described and
documented {from Full-Disclosure}

http://archives.neohapsis.com/archives/fulldisclosure/2003-q3/4747.html

I've seen similar activity from some hosts and the removal can be
tricky.  Found it easiest to back up the irreplaceable data, and wipe
the drive.  It's been similar to the Autoproxy Trojan which seems to
have been ruled out above, but I'm not ready to dismiss it yet.

Thanks,
Jeff

- --
Jeff Bollinger, CISSP
University of North Carolina
IT Security Analyst
105 Abernethy Hall
mailto: jeff @unc dot edu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE/hh/YvoVlxVBmgsURAkoHAJ4saY/59xR33P+Vter1BvySxU5Y2gCfVrKv
NG2/MU5cNf6MLoFsGCLJ1gI=
=czX/
-----END PGP SIGNATURE-----
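The four short payloads in the quoted dump that precede the "220 server up X1" banner (05 01 00, 05 00, 05 01 00 01 0c1c fd39 0019 and 05 00 00 01 4007 88bb 0468) have the layout of a SOCKS5 greeting, method selection, CONNECT request and reply. The decoder below is an added example, not code from the thread; reading those bytes as SOCKS5 is my interpretation, and the check it ends with is the pattern a defender would look for on a customer host: proxying accepted without authentication and a successful CONNECT to a remote port 25.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Payload bytes copied from the quoted tcpdump hex: the data that follows the
# 20-byte IP and 20-byte TCP headers of the four short PSH packets.
CLIENT_GREETING = bytes.fromhex("050100")              # VER=5, NMETHODS=1, method 0x00
SERVER_METHOD = bytes.fromhex("0500")                   # VER=5, chosen method 0x00
CLIENT_REQUEST = bytes.fromhex("050100010c1cfd390019")  # VER, CMD, RSV, ATYP, IPv4, port
SERVER_REPLY = bytes.fromhex("05000001400788bb0468")    # VER, REP, RSV, ATYP, IPv4, port

SOCKS5_CMDS = {1: "CONNECT", 2: "BIND", 3: "UDP_ASSOCIATE"}
NO_AUTH = 0x00

def parse_greeting(b: bytes) -> Optional[List[int]]:
    """Client greeting: VER=5, NMETHODS, METHODS. Returns the offered methods or None."""
    if len(b) < 2 or b[0] != 5 or len(b) != 2 + b[1]:
        return None
    return list(b[2:])

def parse_method_select(b: bytes) -> Optional[int]:
    """Server method selection: VER=5, METHOD (0x00 = no authentication)."""
    if len(b) != 2 or b[0] != 5:
        return None
    return b[1]

def parse_req_or_rep(b: bytes) -> Optional[Tuple[int, str, int]]:
    """Request and reply share one layout: VER, CMD|REP, RSV=0, ATYP, ADDR, PORT (IPv4 only)."""
    if len(b) != 10 or b[0] != 5 or b[2] != 0 or b[3] != 1:
        return None
    host = ".".join(str(x) for x in b[4:8])
    (port,) = struct.unpack("!H", b[8:10])
    return b[1], host, port

def assess_exchange(greet: bytes, sel: bytes, req: bytes, rep: bytes) -> Dict[str, object]:
    """Decode one SOCKS5 setup and flag no-auth proxying to a remote SMTP port."""
    methods, chosen = parse_greeting(greet), parse_method_select(sel)
    r, p = parse_req_or_rep(req), parse_req_or_rep(rep)
    if None in (methods, chosen, r, p):
        return {"socks5": False}
    cmd, dst_host, dst_port = r
    rep_code, bound_host, bound_port = p
    return {
        "socks5": True,
        "no_auth": chosen == NO_AUTH,
        "command": SOCKS5_CMDS.get(cmd, "UNKNOWN"),
        "destination": "%s:%d" % (dst_host, dst_port),
        "succeeded": rep_code == 0,          # REP 0x00 = request granted
        "bound": "%s:%d" % (bound_host, bound_port),
        "open_smtp_relay": chosen == NO_AUTH and cmd == 1 and dst_port == 25 and rep_code == 0,
    }
```

On the captured bytes the decoder reports a CONNECT to 12.28.253.57:25, granted with a bound address of 64.7.136.187:1128, which is why the SMTP banner and HELO that follow come from a third host rather than from the customer's machine.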



_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

