Re: Odd identd behavior
From: Christopher E. Cramer (chris.cramer_at_duke.edu)
Date: Mon, 14 Nov 2005 11:31:20 -0500 (EST)
To: Mike Owen <email@example.com>
This looks like the output from an FTP server. If I had to guess, I would
say that this looks like someone compromised a machine and installed a
warez ftp server on the identd port.
--
Christopher E. Cramer, Ph.D.
University Information Technology Security Officer
Duke University, Office of Information Technology
334 Blackwell St., Suite 2106, Durham, NC 27701
PH: 919-660-7003 FAX: 919-668-2953 CELL: 919-210-0528

On Thu, 10 Nov 2005, Mike Owen wrote:

> While going through logs, and looking at mail server ident daemon
> replies that don't fit the RFC-1413 standard, I noticed the following
> string from a few servers:
>
> "220 ..:: ?lit?-Cr?w Rulez ::..."
>
> Looks to me like this group has been compromising mail servers, and
> then instead of taking them down, lets them continue running, although
> with a slight modification. They probably siphon off a copy of all
> email transiting their servers as well, although without access to any
> of these servers, I can't tell.
>
> Interesting to note, if you send 2 ident requests, the second one comes back as:
>
> "220 ..:: ?lit?-Cr?w Rulez ::....530 Not logged in..."
>
> This leads me to believe this is the backdoor into these mail servers,
> after all, if you're trying to hide a backdoor from port scans, or
> dealing with stringent firewall rules, subverting an existing
> listening process is a smart way to do it.
>
> I have not notified the 0wned sites, mostly because I'm not really
> sure what to do there. I can't email them, which means I have to
> attempt to find a contact, and then call them. Then of course, the
> person I manage to get a hold of needs to understand what I'm trying
> to say, and I have to hope they don't then try and email someone
> telling them that they have been compromised, thereby letting the
> attackers know.
>
> I'm curious as to whether anyone else has seen ident replies like this.
>
> Thanks,
> Mike
>
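The log check Mike describes, flagging identd replies that do not fit the RFC 1413 reply grammar, as an added example that is not code from either poster; the sample replies are constructed, and the third and fourth reproduce the banner quoted in the thread.

```python
import re

# RFC 1413 reply grammar (simplified):
#   <server-port> , <client-port> : USERID : <opsys> : <user-id>
#   <server-port> , <client-port> : ERROR : <error-type>
# where <error-type> is INVALID-PORT, NO-USER, HIDDEN-USER, UNKNOWN-ERROR
# or an X-prefixed extension token.
_RFC1413_RE = re.compile(
    r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*:\s*"
    r"(?:USERID\s*:\s*([^:]+?)\s*:\s*(.+?)"
    r"|ERROR\s*:\s*(INVALID-PORT|NO-USER|HIDDEN-USER|UNKNOWN-ERROR|X\S*))\s*$"
)


def classify_ident_reply(reply: str) -> dict:
    """Describe one identd reply: RFC 1413 USERID, RFC 1413 ERROR, or anomalous."""
    m = _RFC1413_RE.match(reply)
    if not m:
        # Anything outside the grammar is worth a look. An FTP-style "220"
        # greeting on TCP/113 is exactly the pattern discussed in the thread.
        kind = "ftp-banner" if reply.lstrip().startswith("220") else "unknown"
        return {"rfc1413": False, "kind": kind, "raw": reply}
    if m.group(5):
        return {"rfc1413": True, "kind": "error", "error": m.group(5)}
    return {
        "rfc1413": True,
        "kind": "userid",
        "opsys": m.group(3).strip(),
        "user": m.group(4).strip(),
    }


# Constructed sample replies, as they might appear in a mail server's log.
SAMPLE_REPLIES = [
    "25 , 43210 : USERID : UNIX : postfix",
    "25 , 43211 : ERROR : HIDDEN-USER",
    "220 ..:: ?lit?-Cr?w Rulez ::...",
    "220 ..:: ?lit?-Cr?w Rulez ::....530 Not logged in...",
]


def find_anomalous(replies):
    """Return the replies that do not parse as RFC 1413 at all."""
    return [r for r in replies if not classify_ident_reply(r)["rfc1413"]]


if __name__ == "__main__":
    for r in SAMPLE_REPLIES:
        print(classify_ident_reply(r))
```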