Security Incidents mailing list archives
Re: Odd identd behavior
From: "Christopher E. Cramer" <chris.cramer () duke edu>
Date: Mon, 14 Nov 2005 11:31:20 -0500 (EST)
Mike,This looks like the output from an FTP server. If I had to guess, I would say that this looks like someone compromised a machine and installed a warez ftp server on the identd port.
-c -- Christopher E. Cramer, Ph.D. University Information Technology Security Officer Duke University, Office of Information Technology 334 Blackwell St., Suite 2106, Durham, NC 27701 PH: 919-660-7003 FAX: 919-668-2953 CELL: 919-210-0528 On Thu, 10 Nov 2005, Mike Owen wrote:
While going through logs, and looking at mail server ident daemon replies that don't fit the RFC-1413 standard, I noticed the following string from a few servers: "220 ..:: ?lit?-Cr?w Rulez ::..." Looks to me like this group has been compromising mail servers, and then instead of taking them down, lets them continue running, although with a slight modification. They probably siphon off a copy of all email transiting their servers as well, although without access to any of these servers, I can't tell. Interesting to note, if you send 2 ident requests, the second one comes back as: "220 ..:: ?lit?-Cr?w Rulez ::....530 Not logged in..." This leads me to believe this is the backdoor into these mail servers, after all, if you're trying to hide a backdoor from port scans, or dealing with stringent firewall rules, subverting an existing listening process is a smart way to do it. I have not notified the 0wned sites, mostly because I'm not really sure what to do there. I can't email them, which means I have to attempt to find a contact, and then call them. Then of course, the person I manage to get a hold of needs to understand what I'm trying to say, and I have to hope they don't then try and email someone telling them that they have been compromised, thereby letting the attackers know. I'm curious as to whether anyone else has seen ident replies like this. Thanks, Mike
Current thread:
- Odd identd behavior Mike Owen (Nov 14)
- Re: Odd identd behavior Christopher E. Cramer (Nov 14)
- Re: Odd identd behavior kgp (Nov 14)
- Re: Odd identd behavior Mike Owen (Nov 14)
- <Possible follow-ups>
- Re: Odd identd behavior k levinson (Nov 14)
- Re: Odd identd behavior Steve.Cummings (Nov 14)
- RE: Odd identd behavior Levenglick, Jeff (Nov 14)
- Re: Odd identd behavior Brian Smith-Sweeney (Nov 14)
- RE: Odd identd behavior k levinson (Nov 14)
- RE: Odd identd behavior Andrew Simmons (Nov 14)
- RE: Odd identd behavior Levenglick, Jeff (Nov 15)
- Re: Odd identd behavior Mike Owen (Nov 15)
(Thread continues...)
- Re: Odd identd behavior Christopher E. Cramer (Nov 14)