Security Incidents mailing list archives

Re: Odd sendmail behavior


From: Etaoin Shrdlu <shrdlu () deaddrop org>
Date: Thu, 05 Sep 2002 14:11:51 -0700

Nigel Frankcom wrote:

Just a thought....
Could it be a probe for a webmail interface?

I really don't think so, although I'm willing to consider a request for a
proxy server.

On Thu, 05 Sep 2002 13:07:29 -0700, you [Michael Katz] wrote:

At 9/5/2002 11:34 AM, Etaoin Shrdlu wrote:

I saved a full session of one of the attempts on my local machine (seven
packets worth) from ethereal. There was also an initial attempt to validate
as user "tcpwrappers" which I found a bit odd. Those are the only things
beyond log entries, and of course the packets are incomplete (since the
attempts were blocked). The odd and unique thing is that the initial
payload was:

GET http://www.yahoo.com/ HTTP/1.1
Host: www.yahoo.com
Accept: */*
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)

That looks like someone scanning for a proxy server.  Typically these scans
are limited to ports 80, 1080, 3128, and 8080, but maybe somebody has found
a reason to look for proxy servers on SMTP ports.

I would believe the proxy server attempt, both from timing, and from
address space (google had just recently been blocked in China, and this
address is from deep inside China). The following packet (from tcpdump
rereading the file) is the actual payload. Note that there is nothing
SMTPish looking about this, and it sure is an odd mail message. Given that
I'm running portsentry on this box (this is NOT from the Solaris 2.6 intel
box, which is not mine), and given that I log every connection multiple
times, I can tell you that port 25 was the ONLY port tried.

22:53:30.082974 218.25.133.149.4536 > my.internal.machine.smtp: P
1:152(151) ack 1 win 16384 (DF)
  0000: 4500 00bf 5d37 4000 6e06 9b2d da19 8595  E...]7@.n..-....
  0010: 4003 7422 11b8 0019 0ad0 8366 a1fe 5351  @.t".......f..SQ
  0020: 5018 4000 7664 0000 4745 5420 6874 7470  P.@.vd..GET http
  0030: 3a2f 2f77 7777 2e79 6168 6f6f 2e63 6f6d  ://www.yahoo.com
  0040: 2f20 4854 5450 2f31 2e31 0d0a 486f 7374  / HTTP/1.1..Host
  0050: 3a20 7777 772e 7961 686f 6f2e 636f 6d0d  : www.yahoo.com.
  0060: 0a41 6363 6570 743a 202a 2f2a 0d0a 5072  .Accept: */*..Pr
  0070: 6167 6d61 3a20 6e6f 2d63 6163 6865 0d0a  agma: no-cache..
  0080: 5573 6572 2d41 6765 6e74 3a20 4d6f 7a69  User-Agent: Mozi
  0090: 6c6c 612f 342e 3020 2863 6f6d 7061 7469  lla/4.0 (compati
  00a0: 626c 653b 204d 5349 4520 342e 3031 3b20  ble; MSIE 4.01; 
  00b0: 5769 6e64 6f77 7320 3938 290d 0a0d 0a    Windows 98)....

What's even odder is that every machine I had was scanned, but only the
ones running sendmail got more than a SYN packet. The other machines don't
accept incoming 25, and sent back an immediate RST, although if I'd known
it was going to be something interesting, I'd have opened one up to see
what came next.

--
...some sort of steganographic chaffing and winnowing scheme
already exists in practice right here: I frequently find myself
having to sort through large numbers of idiotic posts to find
the good ones.   -- Rufus Faloofus

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
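A small detector in the spirit of the analysis in this thread, written as an added example and not code from the post or from any of its authors: it rebuilds the packet bytes from the tcpdump hex dump quoted above, peels the IPv4 and TCP headers using their own length fields, and flags an absolute-URI HTTP request (the proxy-style form) arriving on a port where no proxy should be listening. The function names are mine, and the list of "normal" proxy ports is an assumption taken from the ports the thread itself names (80, 1080, 3128, 8080).

```python
import re
# The port-25 packet quoted in the post above (tcpdump -x output, copied verbatim;
# only the hex columns are parsed, the ASCII column on the right is skipped).
HEXDUMP = """\
  0000: 4500 00bf 5d37 4000 6e06 9b2d da19 8595  E...]7@.n..-....
  0010: 4003 7422 11b8 0019 0ad0 8366 a1fe 5351  @.t".......f..SQ
  0020: 5018 4000 7664 0000 4745 5420 6874 7470  P.@.vd..GET http
  0030: 3a2f 2f77 7777 2e79 6168 6f6f 2e63 6f6d  ://www.yahoo.com
  0040: 2f20 4854 5450 2f31 2e31 0d0a 486f 7374  / HTTP/1.1..Host
  0050: 3a20 7777 772e 7961 686f 6f2e 636f 6d0d  : www.yahoo.com.
  0060: 0a41 6363 6570 743a 202a 2f2a 0d0a 5072  .Accept: */*..Pr
  0070: 6167 6d61 3a20 6e6f 2d63 6163 6865 0d0a  agma: no-cache..
  0080: 5573 6572 2d41 6765 6e74 3a20 4d6f 7a69  User-Agent: Mozi
  0090: 6c6c 612f 342e 3020 2863 6f6d 7061 7469  lla/4.0 (compati
  00a0: 626c 653b 204d 5349 4520 342e 3031 3b20  ble; MSIE 4.01;
  00b0: 5769 6e64 6f77 7320 3938 290d 0a0d 0a    Windows 98)....
"""
HEX_WORD = re.compile(r"^[0-9a-fA-F]{2}(?:[0-9a-fA-F]{2})?$")
PROXY_PORTS = {80, 1080, 3128, 8080}   # assumed: the ports the thread says such scans normally hit
METHODS = (b"GET ", b"POST ", b"HEAD ", b"CONNECT ")

def parse_hexdump(dump):
    """Turn tcpdump -x lines ('0000: 4500 ...  E...') back into raw packet bytes."""
    raw = bytearray()
    for line in dump.splitlines():
        for tok in line.split()[1:9]:    # skip the offset; at most 8 hex words (16 bytes) per line
            if not HEX_WORD.match(tok):
                break                    # reached the ASCII column
            raw += bytes.fromhex(tok)
    return bytes(raw)

def tcp_payload(pkt):
    """Strip the IPv4 and TCP headers via their length fields; return (dst port, payload)."""
    ihl = (pkt[0] & 0x0F) * 4                       # IPv4 header length in bytes
    total_len = int.from_bytes(pkt[2:4], "big")     # IP total length (drops any trailer)
    tcp = pkt[ihl:total_len]
    dport = int.from_bytes(tcp[2:4], "big")
    doff = (tcp[12] >> 4) * 4                       # TCP data offset in bytes
    return dport, tcp[doff:]

def classify(dport, payload):
    """Flag an HTTP request whose target is an absolute URI (proxy form) on a non-proxy port."""
    if not payload.startswith(METHODS):
        return "not-http"                # e.g. a real SMTP client sending EHLO
    target = payload.split(b" ", 2)[1]
    if not target.startswith((b"http://", b"https://")):
        return "http-origin-form"        # ordinary web request, not a proxy probe
    return "proxy-probe" if dport not in PROXY_PORTS else "proxy-request"
```

Run over the quoted dump this yields destination port 25, a 151-byte payload beginning with the GET line, and the verdict "proxy-probe"; feeding the same payload with port 3128 yields "proxy-request".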

