Re: Odd identd behavior

From: Christopher E. Cramer (chris.cramer_at_duke.edu)
Date: 11/14/05

    Date: Mon, 14 Nov 2005 11:31:20 -0500 (EST)
    To: Mike Owen <kyphros@gmail.com>
    
    

    Mike,

    This looks like the output from an FTP server. If I had to guess, I would
    say that this looks like someone compromised a machine and installed a
    warez ftp server on the identd port.

    -c

    --
    Christopher E. Cramer, Ph.D.
    University Information Technology Security Officer
    Duke University,  Office of Information Technology
    334 Blackwell St., Suite 2106, Durham, NC 27701
    PH: 919-660-7003  FAX: 919-668-2953  CELL: 919-210-0528
    On Thu, 10 Nov 2005, Mike Owen wrote:
    > While going through logs, and looking at mail server ident daemon
    > replies that don't fit the RFC-1413 standard, I noticed the following
    > string from a few servers:
    >
    > "220 ..:: ?lit?-Cr?w Rulez ::..."
    >
    > Looks to me like this group has been compromising mail servers, and
    > then instead of taking them down, lets them continue running, although
    > with a slight modification. They probably siphon off a copy of all
    > email transiting their servers as well, although without access to any
    > of these servers, I can't tell.
    >
    > Interesting to note, if you send 2 ident requests, the second one comes back as:
    >
    > "220 ..:: ?lit?-Cr?w Rulez ::....530 Not logged in..."
    >
    > This leads me to believe this is the backdoor into these mail servers,
    > after all, if you're trying to hide a backdoor from port scans, or
    > dealing with stringent firewall rules, subverting an existing
    > listening process is a smart way to do it.
    >
    > I have not notified the 0wned sites, mostly because I'm not really
    > sure what to do there. I can't email them, which means I have to
    > attempt to find a contact, and then call them. Then of course, the
    > person I manage to get a hold of needs to understand what I'm trying
    > to say, and I have to hope they don't then try and email someone
    > telling them that they have been compromised, thereby letting the
    > attackers know.
    >
    > I'm curious as to whether anyone else has seen ident replies like this.
    >
    > Thanks,
    > Mike
    >
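The check Mike describes in the quoted message (going through logged identd replies and picking out the ones that do not follow RFC 1413) can be automated. This is an added example, not code from the thread; the host names and every reply other than the quoted "220" banner are constructed sample data.

```python
import re

# RFC 1413 reply: "<server-port> , <client-port> : <resp-type> : <add-info>"
# resp-type is USERID (add-info = "<opsys> : <user-id>") or ERROR (add-info = code).
_IDENT_RE = re.compile(
    r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*:\s*(USERID|ERROR)\s*:\s*(.*?)\s*$"
)
_ERROR_CODES = {"INVALID-PORT", "NO-USER", "HIDDEN-USER", "UNKNOWN-ERROR"}
# A leading three-digit code is FTP/SMTP reply syntax; identd never speaks it.
_NUMERIC_CODE_RE = re.compile(r"^\s*(\d{3})(?:[ -]|$)")


def classify_ident_reply(reply: str) -> dict:
    """Classify one line read from TCP/113 as USERID, ERROR or NONCONFORMING."""
    line = reply.rstrip("\r\n")
    m = _IDENT_RE.match(line)
    if m:
        sport, cport, rtype, info = m.groups()
        if rtype == "USERID":
            opsys, sep, user = (p.strip() for p in info.partition(":"))
            if sep and opsys and user:
                return {"verdict": "USERID", "detail": f"{user}@{opsys} ({sport},{cport})"}
            return {"verdict": "NONCONFORMING", "detail": "USERID without opsys:user-id"}
        if info in _ERROR_CODES or info.startswith("X-"):  # RFC allows X- extensions
            return {"verdict": "ERROR", "detail": info}
        return {"verdict": "NONCONFORMING", "detail": f"unknown ERROR code {info!r}"}
    n = _NUMERIC_CODE_RE.match(line)
    if n:
        return {"verdict": "NONCONFORMING",
                "detail": f"numeric reply code {n.group(1)}: looks like an FTP/SMTP banner"}
    return {"verdict": "NONCONFORMING", "detail": "does not match RFC 1413 reply syntax"}


def suspicious_hosts(replies: dict) -> list:
    """Hosts whose port-113 answer is not identd at all: candidates for a replaced listener."""
    return sorted(h for h, r in replies.items()
                  if classify_ident_reply(r)["verdict"] == "NONCONFORMING")


# Constructed sample log data keyed by host; the "220" strings are the ones quoted in the thread.
SAMPLE_REPLIES = {
    "mail1.example": "6193, 25 : USERID : UNIX : postfix\r\n",
    "mail2.example": "6195, 25 : ERROR : HIDDEN-USER\r\n",
    "mail3.example": "220 ..:: ?lit?-Cr?w Rulez ::...\r\n",
    "mail4.example": "220 ..:: ?lit?-Cr?w Rulez ::....530 Not logged in...\r\n",
}

if __name__ == "__main__":
    for host, reply in SAMPLE_REPLIES.items():
        print(host, classify_ident_reply(reply))
    print("flag for review:", suspicious_hosts(SAMPLE_REPLIES))
```

Feed it the raw reply lines from your own mail server's identd lookups and review any host that comes back NONCONFORMING, which is exactly the anomaly the thread describes.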
    
