Re: Odd identd behavior

From: Christopher E. Cramer (
Date: 11/14/05

    Date: Mon, 14 Nov 2005 11:31:20 -0500 (EST)
    To: Mike Owen <>


    This looks like the output from an FTP server. If I had to guess, I would
    say that this looks like someone compromised a machine and installed a
    warez ftp server on the identd port.


    Christopher E. Cramer, Ph.D.
    University Information Technology Security Officer
    Duke University,  Office of Information Technology
    334 Blackwell St., Suite 2106, Durham, NC 27701
    PH: 919-660-7003  FAX: 919-668-2953  CELL: 919-210-0528
    On Thu, 10 Nov 2005, Mike Owen wrote:
    > While going through logs, and looking at mail server ident daemon
    > replies that don't fit the RFC-1413 standard, I noticed the following
    > string from a few servers:
    >
    > "220 ..:: ?lit?-Cr?w Rulez ::..."
    >
    > Looks to me like this group has been compromising mail servers, and
    > then instead of taking them down, lets them continue running, although
    > with a slight modification. They probably siphon off a copy of all
    > email transiting their servers as well, although without access to any
    > of these servers, I can't tell.
    >
    > Interesting to note, if you send 2 ident requests, the second one comes back as:
    >
    > "220 ..:: ?lit?-Cr?w Rulez ::....530 Not logged in..."
    >
    > This leads me to believe this is the backdoor into these mail servers,
    > after all, if you're trying to hide a backdoor from port scans, or
    > dealing with stringent firewall rules, subverting an existing
    > listening process is a smart way to do it.
    >
    > I have not notified the 0wned sites, mostly because I'm not really
    > sure what to do there. I can't email them, which means I have to
    > attempt to find a contact, and then call them. Then of course, the
    > person I manage to get a hold of needs to understand what I'm trying
    > to say, and I have to hope they don't then try and email someone
    > telling them that they have been compromised, thereby letting the
    > attackers know.
    >
    > I'm curious as to whether anyone else has seen ident replies like this.
    >
    > Thanks,
    > Mike
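The check Mike describes, reading what a peer sends back on TCP/113 and sorting it into well-formed RFC 1413 replies versus something else, written out as an added example. This is not code from either poster; the function names, the sample replies and the 25/40000 port pair in the probe are all constructed for illustration. It classifies a reply as an ident USERID or ERROR response (including the X-prefixed error types the RFC allows), flags a malformed ERROR type, and treats a line that opens with a three-digit code such as 220 or 530 as a banner from some other service, which is the shape of the reply in the post.

```python
"""Classify RFC 1413 ident replies and flag banners that belong to another service.

Added example for this thread, not code from the original posters. Sample replies
below are constructed; they are not the strings quoted in the post.
"""
import re
import socket
from collections import Counter

# RFC 1413 section 3: "<port-on-server> , <port-on-client> : USERID : <opsys> : <user-id>"
#                  or "<port-on-server> , <port-on-client> : ERROR : <error-type>"
# Whitespace around the separators is permitted, so the patterns allow it.
IDENT_USERID = re.compile(
    r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*:\s*USERID\s*:\s*([^:]+?)\s*:\s*(.+?)\s*$"
)
IDENT_ERROR = re.compile(
    r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*:\s*ERROR\s*:\s*([A-Z0-9-]+)\s*$"
)
# Error types defined by the RFC; anything else must start with "X" to be legal.
RFC1413_ERRORS = {"INVALID-PORT", "NO-USER", "HIDDEN-USER", "UNKNOWN-ERROR"}
# A three-digit code followed by a space or hyphen is the shape of an FTP/SMTP
# reply line, never of an ident reply (220 = service ready, 530 = not logged in).
SERVICE_BANNER = re.compile(r"^(\d{3})[ -]")


def classify_ident_reply(raw):
    """Return (kind, detail) for one reply read from a TCP/113 peer."""
    line = raw.rstrip("\r\n")
    m = IDENT_USERID.match(line)
    if m:
        return "ident-userid", {
            "server_port": int(m.group(1)),
            "client_port": int(m.group(2)),
            "opsys": m.group(3),
            "user": m.group(4),
        }
    m = IDENT_ERROR.match(line)
    if m:
        err = m.group(3)
        legal = err in RFC1413_ERRORS or err.startswith("X")
        return ("ident-error" if legal else "ident-malformed"), {"error": err}
    m = SERVICE_BANNER.match(line)
    if m:
        # Whatever answered on 113 speaks a numbered-reply protocol; worth a look.
        return "foreign-banner", {"code": m.group(1), "banner": line}
    return "unknown", {"banner": line}


def summarize(replies):
    """Count reply kinds across a batch of captured replies."""
    return Counter(classify_ident_reply(r)[0] for r in replies)


def probe_ident(host, server_port=25, client_port=40000, timeout=5.0):
    """Send one RFC 1413 query to host:113 and classify whatever comes back.

    The first number is the port on the queried host, the second the port on the
    querying side; for an idle probe the pair is arbitrary, and a real ident
    server will answer ERROR : NO-USER for a connection that does not exist.
    """
    query = f"{server_port}, {client_port}\r\n"
    with socket.create_connection((host, 113), timeout=timeout) as s:
        s.sendall(query.encode("ascii"))
        data = s.recv(1024)
    return classify_ident_reply(data.decode("ascii", "replace"))


# Constructed sample replies (not from the post): two good ident replies, an
# X-prefixed error, a malformed error type, and two FTP-style banners.
SAMPLE_REPLIES = [
    "6191, 23 : USERID : UNIX : stjohns\r\n",
    "6193, 23 : ERROR : NO-USER\r\n",
    "6195, 23 : ERROR : X-ZEBRA-STRIPES\r\n",
    "6197, 23 : ERROR : BOGUS\r\n",
    "220 ..:: example banner ::...\r\n",
    "220 example banner\r\n530 Not logged in.\r\n",
]

if __name__ == "__main__":
    for reply in SAMPLE_REPLIES:
        print(classify_ident_reply(reply))
    print(dict(summarize(SAMPLE_REPLIES)))
```

Run against a list of captured replies, any host that comes back as `foreign-banner` is one where something other than an ident daemon is listening on 113; the live `probe_ident` call is there for confirming a single host and is the only part that touches the network.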
