Re: Odd identd behavior

From: Christopher E. Cramer (chris.cramer_at_duke.edu)
Date: 11/14/05

  • Next message: k levinson: "Re: Odd identd behavior" 
    Date: Mon, 14 Nov 2005 11:31:20 -0500 (EST)
To: Mike Owen <kyphros@gmail.com>

    Mike,

    This looks like the output from an FTP server. If I had to guess, I would
    say that this looks like someone compromised a machine and installed a
    warez ftp server on the identd port.

    -c 

    --
Christopher E. Cramer, Ph.D.
University Information Technology Security Officer
Duke University,  Office of Information Technology
334 Blackwell St., Suite 2106, Durham, NC 27701
PH: 919-660-7003  FAX: 919-668-2953  CELL: 919-210-0528
On Thu, 10 Nov 2005, Mike Owen wrote:
> While going through logs, and looking at mail server ident daemon
> replies that don't fit the RFC-1413 standard, I noticed the following
> string from a few servers:
>
> "220 ..:: ?lit?-Cr?w Rulez ::..."
>
> Looks to me like this group has been compromising mail servers, and
> then instead of taking them down, lets them continue running, although
> with a slight modification. They probably siphon off a copy of all
> email transiting their servers as well, although without access to any
> of these servers, I can't tell.
>
> Interesting to note, if you send 2 ident requests, the second one comes back as:
>
> "220 ..:: ?lit?-Cr?w Rulez ::....530 Not logged in..."
>
> This leads me to believe this is the backdoor into these mail servers,
> after all, if you're trying to hide a backdoor from port scans, or
> dealing with stringent firewall rules, subverting an existing
> listening process is a smart way to do it.
>
> I have not notified the 0wned sites, mostly because I'm not really
> sure what to do there. I can't email them, which means I have to
> attempt to find a contact, and then call them. Then of course, the
> person I manage to get a hold of needs to understand what I'm trying
> to say, and I have to hope they don't then try and email someone
> telling them that they have been compromised, thereby letting the
> attackers know.
>
> I'm curious as to whether anyone else has seen ident replies like this.
>
> Thanks,
> Mike
>
  • Next message: k levinson: "Re: Odd identd behavior"

    Relevant Pages

    • Re: VBScript and Out Put to Excel Worksheet
      ... > Mike wrote: ... >> the output to an existing Excel ... > For ADO search filter to retrieve all servers, ...
      (microsoft.public.windows.server.scripting)
    • Re: two copies of xp pro on same computer
      ... "kurttrail" wrote in message ... > Bobby wrote: ... > I can't believe Mike had my reply to him pulled from MS's servers. ...
      (microsoft.public.windowsxp.general)
    • Re: Writing on the wall for microsoft
      ... "Mike CJ" wrote in message ... > repercussions on the servers, ... probably access it via a terminal emulator on the PC. ... Samba can act as a file server to windows or linux. ...
      (comp.os.linux.misc)
    • Re: Host level firewall
      ... > Thanks Mike for the information. ... to specific SQL servers in a cluster from one of the windows 2003 ... that personal firewall can protect your computer from getting ... >> with viruses and worms that spread over network, but it will not protect ...
      (microsoft.public.inetserver.iis.security)
    • Re: Upgrade to WINXP Now cant publish?
      ... The best thing to do with all Office programs after an ... Mike wrote: ... contact the webmaster of this servers site. ... On the upgrade and subsequent download of office upgrade ...
      (microsoft.public.frontpage.client)