Metasploit mailing list archives

Re: kind of off topic but not much -- Windows XP connects to mail server before logging in MBR exploit?


From: Chip <jeffschips () gmail com>
Date: Thu, 04 Aug 2011 21:27:38 -0400

On 8/4/2011 6:04 PM, Nicolas Braud-Santoni wrote:
> Hi Jeffs,
>
> Could you please answer on-line, for us lurkers who might be interested
> in your findings?
>
> Regards,
>
> Nicolas
>
> On Wed, 03 Aug 2011 09:32:30 -0400,
> Chip <jeffschips () gmail com> wrote:
> > thanks to all who have responded with extremely valuable information
> > on how to track down this culprit.  I will try all the methods
> > suggested and am excited to get started.  I will respond off line
> > (unless hearing otherwise from this list) as to the results.
> >
> > jeffs

Thank you for the reminder I was planning on posting here. Thus far this is what I have found:

The culprit that was attempting to contact an email server prior to logging into the Windows XP machine was a binary from a company called Automatic Email Manager which you can find here:

http://www.namtuk.com/auto_email_manager.aspx

I did install that but also remember removing it after testing it. It somehow was reactivated and, although I don't think it should have privileges to start connecting to an email server before a user logs in, that's exactly what it was doing. I was able to uninstall the program from the Windows Control Panel.

In my sniffing of the wire through an in-line tap -- which, by the way, I HIGHLY recommend any serious security guru learn how to use; they are easily constructed from about $8 of parts at Radio Shack and you can get instructions on how to build one here http://09-f9-11-02-9d-74-e3-5b-d8-41-56-c5-63-56-88-c0.com/category/electronics/ -- I did discover that Kaspersky AV connects all over the globe to update software, including to servers in China and Singapore. The in-line tap also showed me another unusual activity: for some reason a Google program on the XP machine keeps connecting to Google servers prior to login, and I'm still tracking that one down.

Regarding in-line taps: You basically connect this device "in-line" between the device you are sniffing and the router/WAN or whatever. You then connect one cable to your Wireshark machine and watch packets fly. It's great to see what's going on under the hood and is extremely helpful in tracking down all sorts of router/device/binary and Metasploit service issues because you can see exactly what is happening.
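As an added example (not code from Chip's message or from the list), here is a small triage script for the situation described above: it takes TCP SYN records exported from a Wireshark/tshark capture taken on the tap and reports which destinations the monitored host contacted before the user logged in. The monitored address, the login time and the sample capture lines are all constructed assumptions.

```python
"""Triage outbound TCP SYNs captured on an in-line tap, split at login time.

Input is tab-separated tshark output, one SYN per line, e.g.
  tshark -r cap.pcap -Y "tcp.flags.syn==1 && tcp.flags.ack==0" \
         -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport
The sample lines below are constructed, not real traffic."""
from collections import defaultdict

MONITORED_HOST = "192.168.1.50"  # assumed address of the XP box behind the tap
LOGIN_EPOCH = 1312466400.0       # assumed moment the user logged in (constructed)

SAMPLE_TSHARK = """\
1312466110.10\t192.168.1.50\t203.0.113.25\t25
1312466115.40\t192.168.1.50\t203.0.113.25\t25
1312466130.02\t192.168.1.50\t198.51.100.7\t80
1312466250.77\t192.168.1.50\t198.51.100.7\t443
1312466450.31\t192.168.1.50\t192.0.2.9\t443
1312466460.00\t192.168.1.50\t203.0.113.25\t25
1312466470.55\t192.168.1.50\t203.0.113.25\t25
"""

def summarize_syns(text, monitored_host, login_epoch):
    """Return {(dst, port): [pre_login_count, post_login_count]} for SYNs
    originated by monitored_host.  Anything with a pre-login count is a
    process phoning out before any user session exists."""
    counts = defaultdict(lambda: [0, 0])
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split("\t")
        if src != monitored_host:
            continue
        bucket = 0 if float(ts) < login_epoch else 1
        counts[(dst, int(port))][bucket] += 1
    return dict(counts)

def pre_login_destinations(summary):
    """Destinations contacted before login, most SYNs first (stable order)."""
    pre = [(k, v[0]) for k, v in summary.items() if v[0] > 0]
    return sorted(pre, key=lambda kv: -kv[1])

if __name__ == "__main__":
    s = summarize_syns(SAMPLE_TSHARK, MONITORED_HOST, LOGIN_EPOCH)
    for (dst, port), n in pre_login_destinations(s):
        print(f"pre-login: {dst}:{port} {n} SYN(s), post-login {s[(dst, port)][1]}")
```

The pre-login list gives you the destinations to chase on the host (e.g. with `netstat -b` or a file-system search for the binary) rather than the whole capture.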

