Re: sending out spam through IRC server ?

From: Bronek Kozicki (brok@rubikon.pl)
Date: 03/06/03

  • Next message: Johannes Ullrich: "Re: TCP 445 Scan?"
    From: "Bronek Kozicki" <brok@rubikon.pl>
    To: <incidents@securityfocus.com>
    Date: Thu, 6 Mar 2003 16:39:02 +0100
    
    

    Bronek Kozicki <brok@rubikon.pl> wrote:
    [...]

    OK, problem resolved. Thanks all for help. Things were bit more
    complicated than I was thinking, or rather I missed two important pieces
    of the puzzle.

    First piece is that we are running on the same W2K machine Apache .
    Shame on me, I have not noticed it before, because it was bound to
    different IP than the one reported in spam (you can run both IIS and
    Apache on port 80 of one machine, is you disable IIS ConnectionPooling
    and use different IPs). Anyway this Apache is configured as proxy to
    some other host, using ProxyPass directive. Some of my colleagues also
    configured ProxyRequest On, making this server an open proxy. Bad, bad
    thing, and I was just sure that such stupid mistake cannot happen in my
    network :( Because this Apache is bound to different IP, I just missed
    it when searching for possible hole. Well, IP accepting connections does
    not have to be the same as IP of outgoing connections, and when you add
    static NAT and PAT to the picture then it's easy to miss something (this
    is the other piece).

    Spammers "enjoyed" it for 2 weeks, and I will be forever gratefull to
    spamcop.net and anonymous spam recipients, who notified me about the
    problem. Interesting thing is, that this server was an open proxy for
    much longer time than 2 weeks, and suddenly many spammers became aware
    of it on Feb 18th. I guess some "spam software seller" scanned it and
    inserted into database. If anybody is interested, I can disclose more
    details (like IPs of spammers who abused my server).

    What helped me was network scanner - I logged TCP connections directed
    to port 25 of the outside world servers (like legitimate SMTP traffic),
    then found out that some requests had HTTP headers before "HELO"
    command.

    B.

    ----------------------------------------------------------------------------

    <Pre>Lose another weekend managing your IDS?
    Take back your personal time.
    15-day free trial of StillSecure Border Guard.</Pre>
    <A href="http://www.securityfocus.com/stillsecure"> http://www.securityfocus.com/stillsecure </A>


  • Next message: Johannes Ullrich: "Re: TCP 445 Scan?"