sending out spam through IRC server ?

From: Bronek Kozicki (brok@rubikon.pl)
Date: 03/02/03

From: "Bronek Kozicki" <brok@rubikon.pl>
To: <incidents@securityfocus.com>
Date: Sun, 2 Mar 2003 13:35:42 +0100


    Hi guys

    Recently I received some complaints on spam apparently sent from one of
    my servers (Win2K + SP3 + recent hotfixes). The problem is that:
    - this server is firewalled and accepting only HTTP, HTTPS (IIS5) and
    IRC (Faerion IRC Daemon) connections
    - firewall is not an open proxy
    - firewall is not allowing incoming SMTP connections
    - firewall is allowing outgoing SMTP connections
    - local SMTP is used by CDO components in a number of web sites running
    on this server, and well, you could probably stop reading here and tell
    me to check SMTP logs and/or search for some "leaky" web form for
    sending spam. I did. Actually crawling through SMTP logs and ASP code
    was the first thing I did after receiving the first complaint. I'm 100% sure
    that spam was *not* sent using SMTP in IIS5. I have 2 reasons to
    believe so:
    1. IIS5 SMTPSVC has to accept the message and create a suitable "Received:"
    header before sending anything out. This might be "mail pickup" or
    actual incoming SMTP connections. The complaints I have received do not have
    such a header.
    2. SMTP is logging all outgoing communication, and I do not have any
    traces in the logs that could be connected with this spam. Of course, I have
    other traces of outgoing messages, all are verified to be valid and
    coming from CDO.

    The other thing one could ask me for would be to check if my IIS was
    not compromised. That would be fairly difficult even for a motivated hacker -
    I have very strict security settings (like "hisecweb" plus extra
    hardening) on the server, and all recent fixes. I'm also positive that
    there's no open proxy on the firewall or running locally on the server.

    So here I am, with spam holding my IP in the lowest "Received:" header and no
    traces. There are only two things I can think of:
    1. some leaky web form NOT using CDO/CDONTS to send out messages (and
    something else instead)
    2. Faerion IRC daemon ver. 1.17.6. I installed it and configured it for
    handling only local chat sessions (not connected to any IRC network)

    What I'm asking you for is to tell me if it is possible to use an IRC
    daemon for sending out spam? I do not know much about configuring an IRC
    daemon, so there might be some settings that I left default (= insecure).
    Any thoughts?

    TIA

    B.
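As an added example (not part of the original post or of any reply on the list), the script below performs the two header checks the post reasons through: whether any "Received:" line was stamped "by" the server's own SMTP service, and which relay recorded the server's IP as the connecting client. It also walks the chain from the top through relays you trust, because each MTA prepends its own line and a line is only as reliable as the MTA that wrote it. The message, host names and addresses are constructed from documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) and are not taken from the complaints the poster received; `mail.victim.example` stands in for the poster's server.

```python
import re
from email import message_from_string

# Constructed sample of the headers a spam complaint might carry. All hosts
# and addresses are documentation/example values, not real complaint data.
# The lowest Received: line records 192.0.2.10 (standing in for the
# reporter's server) as the client that connected to relay.example.net.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [198.51.100.5])
    by mail.example.org with ESMTP id abc123; Sun, 2 Mar 2003 10:00:00 +0100
Received: from relay.example.net ([203.0.113.7])
    by mx.example.net with SMTP; Sun, 2 Mar 2003 09:59:00 +0100
Received: from unknown (HELO mail.victim.example) (192.0.2.10)
    by relay.example.net with SMTP; Sun, 2 Mar 2003 09:58:00 +0100
From: someone@example.com
To: recipient@example.org
Subject: constructed sample

body
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_received(raw_message):
    """Return the Received: hops, top of the header (last relay) first.

    Each hop keeps the 'from' clause as written, the client IP the receiving
    MTA logged inside that clause (if any), and the lower-cased 'by' host
    that added the line.
    """
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        line = re.sub(r"\s+", " ", value).strip()  # unfold continuation lines
        m_from = re.match(r"from (.+?) by ", line)
        m_by = re.search(r" by (\S+)", line)
        from_clause = m_from.group(1) if m_from else ""
        ip = IPV4.search(from_clause)
        hops.append({
            "from": from_clause,
            "from_ip": ip.group(1) if ip else None,
            "by": m_by.group(1).lower() if m_by else None,
        })
    return hops


def stamped_by(hops, host):
    """True if an MTA named `host` added a Received: line, i.e. the message
    was accepted and relayed by that MTA (what the post expects IIS SMTPSVC
    to do for anything it sends out)."""
    return any(h["by"] == host.lower() for h in hops)


def recorded_by(hops, ip):
    """Hosts that logged `ip` as the connecting client in their own line."""
    return [h["by"] for h in hops if h["from_ip"] == ip]


def trusted_origin(hops, trusted_hosts):
    """Walk the chain from the top through lines stamped by hosts we trust.

    Anything below the last trusted line may have been written, or forged,
    by an MTA we know nothing about. Returns (client IP logged by the last
    trusted line, whether that line is the bottom of the chain).
    """
    trusted = {h.lower() for h in trusted_hosts}
    last = None
    for i, h in enumerate(hops):
        if h["by"] in trusted:
            last = i
        else:
            break
    if last is None:
        return None, False
    return hops[last]["from_ip"], last == len(hops) - 1


if __name__ == "__main__":
    hops = parse_received(SAMPLE)
    for h in hops:
        print(f"by {h['by']:<20} from {h['from_ip']}  ({h['from']})")
    print("stamped by mail.victim.example:", stamped_by(hops, "mail.victim.example"))
    print("192.0.2.10 recorded by:", recorded_by(hops, "192.0.2.10"))
    print("origin per trusted hops:", trusted_origin(hops, ["mail.example.org", "mx.example.net"]))
```

On the constructed sample, `stamped_by` finds no line written by the server itself (its name appears only inside a HELO string, which the client chooses), and `recorded_by` shows that the only relay which logged the server's IP is `relay.example.net`. Whether that line can be believed depends on whether you trust that relay: with only the recipient's own MTAs in the trusted set, the walk stops one hop above it, so the IP in the lowest line is unverified; once the relay is added to the set, the walk reaches the bottom and the logged client IP is the connecting host as seen by the first MTA.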


