RE: Odd identd behavior

["Levenglick, Jeff" <JLevenglick () fhlbatl com>]

Ok.. It looks like we are all confused.
This is why I said mail:

1) He checked his mail logs for connects that were not rfc correct. He found a few that did not ident correctly. The 
assumption now is that a smtp server or a telnet to port 25 connected to him. (more then likely to see if his server 
was not setup/patched correctly and would send spam)

So, based on that, one would assume that you would connect back to the ip in your log file on port 25 to see who they 
are. I think the problem is he did not say what port he connected on to ident them. Yes, it could be 
ident,netbui,smtp,ftp....ect

2) He did say that he thought there was a backdoor in the mail server. Because he is looking for and said mail server, 
I am assuming he connected on port 25 to them. Someone said nmap..ect to see a hidden port. Why.. assuming the above, 
we know the port and the assumption is an ftp server on port 25. (very strange, but who knows)

Mike,

what port did you connect ot them on?
also...if you connect on 25, what did it ident itself as? (ie: smtp server version or ftp server version)

rather then go through all of that...go to arin.net, do a whois on the ip address you have and if you have the time, 
call them.
I would not run nmap against someone else, you could find yourself in legal trouble.


-----Original Message-----
From:   Brian Smith-Sweeney [mailto:tinbox () nyct net]
Sent:   Mon 11/14/2005 3:27 PM
To:     Levenglick, Jeff; incidents () securityfocus com
Cc:     kgp () nethere com; Mike Owen; Christopher E. Cramer
Subject:        Re: Odd identd behavior

Everyone I believe did read his message.  Yes, he said mailserver logs,
but that's because the mailservers in question were connecting back to
the ident port which is fairly standard behavior.  What's not standard
is that they were getting a response back from the service listening on
the ident port that was not consistent with an ident server.  While 220
as you noted is a valid mailserver response, it's *not* a valid ident
server response.

The conclusion of "it looks like an FTP server" is based on the fact
that many warez kiddies install FTP servers on non-standard ports, and
that the remainder of the header (..:: ?lit?-Cr?w Rulez ::..) looks like
a warez banner.  The easiest way to verify would be to attempt FTP
protocol negotiation to the port in question to see what happens, but
I'm guessing the majority of folks who posted to the list are correct:
it's FTP.

Also, if you're going to attempt to correct people by citing RFC's, it's
best to use the right RFC. =) RFC 793 is TCP; RFC 2821 (and old 821)
discuss SMTP, which is I assume what you meant to reference.

My guess is the ::.. stuff is just to look cool, but I suppose it's
possible it has a dual purpose.

Cheers,
Brian
Levenglick, Jeff wrote:
> Ok.... It's a good thing we all read his message...
>
> He said mail server logs....
>
> 220 is a valid MAIL server response.  
> see http://www.rfc-editor.org/rfc/rfc793.txt   220 <domain> Service
> ready
>
> Where did ftp come from?
>
> Now.. Why does it say: 220 ..:: ?lit?-Cr?w Rulez ::....530 Not logged
> in...
>
> Because that is what they put as the ident of the mail server-  ..::
> ?lit?-Cr?w Rulez ::....530 Not logged in...
>
> My quick quess is that  ..:: when sent to a daemon could overflow or
> maybe do something it is not supposed to. (ie: a parse bug)
> Or the mail server was hacked and they replaced the ident of the box
> with their name. 
> OR the host was hacked and the host name was changed. Assuming a Unix
> box, did you check your host name?    hostname   or uname -a




-----------------------------------------
This e-mail message is private and may contain confidential or
privileged information.