RE: Odd identd behavior

["Levenglick, Jeff" <JLevenglick () fhlbatl com>]

Ok.... It's a good thing we all read his message...

He said mail server logs....

220 is a valid MAIL server response.  
see http://www.rfc-editor.org/rfc/rfc793.txt   220 <domain> Service
ready

Where did ftp come from?

Now.. Why does it say: 220 ..:: ?lit?-Cr?w Rulez ::....530 Not logged
in...

Because that is what they put as the ident of the mail server-  ..::
?lit?-Cr?w Rulez ::....530 Not logged in...

My quick quess is that  ..:: when sent to a daemon could overflow or
maybe do something it is not supposed to. (ie: a parse bug)
Or the mail server was hacked and they replaced the ident of the box
with their name. 
OR the host was hacked and the host name was changed. Assuming a Unix
box, did you check your host name?    hostname   or uname -a

-----Original Message-----
From: kgp () nethere com [mailto:kgp () nethere com] 
Sent: Monday, November 14, 2005 12:37 PM
To: Mike Owen
Cc: Christopher E. Cramer; incidents () securityfocus com
Subject: Re: Odd identd behavior

Mike,

220 is the banner message for an ftp server.
If you telnet to it and hit return after recieving the banner message
you should get a 530 if it's a normally configured ftp server (and if
it's not then why'd they leave the 220 on the banner?).

dig or nslookup the site. That should give you a contact name and phone
number although a lot of folks leave that out now. It is probably the
person paying for the site and you'll have to ask to be put in touch
with the actual admins.

Kevin

Quoting "Christopher E. Cramer" <chris.cramer () duke edu>:

> Mike,
>
> This looks like the output from an FTP server.  If I had to guess, I 
> would say that this looks like someone compromised a machine and 
> installed a warez ftp server on the identd port.
>
> -c
>
> --
> Christopher E. Cramer, Ph.D.
> University Information Technology Security Officer Duke University,  
> Office of Information Technology
> 334 Blackwell St., Suite 2106, Durham, NC 27701
> PH: 919-660-7003  FAX: 919-668-2953  CELL: 919-210-0528
>
>
> On Thu, 10 Nov 2005, Mike Owen wrote:
>
> > While going through logs, and looking at mail server ident daemon 
> > replies that don't fit the RFC-1413 standard, I noticed the 
> > following string from a few servers:
> >
> > "220 ..:: ?lit?-Cr?w Rulez ::..."
> >
> > Looks to me like this group has been compromising mail servers, and 
> > then instead of taking them down, lets them continue running, 
> > although with a slight modification. They probably siphon off a copy

> > of all email transiting their servers as well, although without 
> > access to any of these servers, I can't tell.
> >
> > Interesting to note, if you send 2 ident requests, the second one 
> > comes
> back as:
> > "220 ..:: ?lit?-Cr?w Rulez ::....530 Not logged in..."
> >
> > This leads me to believe this is the backdoor into these mail 
> > servers, after all, if you're trying to hide a backdoor from port 
> > scans, or dealing with stringent firewall rules, subverting an 
> > existing listening process is a smart way to do it.
> >
> > I have not notified the 0wned sites, mostly because I'm not really 
> > sure what to do there. I can't email them, which means I have to 
> > attempt to find a contact, and then call them. Then of course, the 
> > person I manage to get a hold of needs to understand what I'm trying

> > to say, and I have to hope they don't then try and email someone 
> > telling them that they have been compromised, thereby letting the 
> > attackers know.
> >
> > I'm curious as to whether anyone else has seen ident replies like
this.
> > Thanks,
> > Mike





-----------------------------------------
This e-mail message is private and may contain confidential or
privileged information.