Re: Odd identd behavior

From: Brian Smith-Sweeney (tinbox_at_nyct.net)
Date: 11/14/05

    Date: Mon, 14 Nov 2005 15:27:48 -0500
    To: "Levenglick, Jeff" <JLevenglick@fhlbatl.com>, incidents@securityfocus.com

    Everyone I believe did read his message. Yes, he said mailserver logs,
    but that's because the mailservers in question were connecting back to
    the ident port which is fairly standard behavior. What's not standard
    is that they were getting a response back from the service listening on
    the ident port that was not consistent with an ident server. While 220
    as you noted is a valid mailserver response, it's *not* a valid ident
    server response.

    The conclusion of "it looks like an FTP server" is based on the fact
    that many warez kiddies install FTP servers on non-standard ports, and
    that the remainder of the header (..:: ?lit?-Cr?w Rulez ::..) looks like
    a warez banner. The easiest way to verify would be to attempt FTP
    protocol negotiation to the port in question to see what happens, but
    I'm guessing the majority of folks who posted to the list are correct:
    it's FTP.

    Also, if you're going to attempt to correct people by citing RFCs, it's
    best to use the right RFC. =) RFC 793 is TCP; RFC 2821 (and old 821)
    discuss SMTP, which is I assume what you meant to reference.

    My guess is the ::.. stuff is just to look cool, but I suppose it's
    possible it has a dual purpose.

    Cheers,
    Brian

    Levenglick, Jeff wrote:
    > Ok.... It's a good thing we all read his message...
    >
    > He said mail server logs....
    >
    > 220 is a valid MAIL server response.
    > see http://www.rfc-editor.org/rfc/rfc793.txt 220 <domain> Service
    > ready
    >
    > Where did ftp come from?
    >
    > Now.. Why does it say: 220 ..:: ?lit?-Cr?w Rulez ::....530 Not logged
    > in...
    >
    > Because that is what they put as the ident of the mail server- ..::
    > ?lit?-Cr?w Rulez ::....530 Not logged in...
    >
    > My quick guess is that ..:: when sent to a daemon could overflow or
    > maybe do something it is not supposed to. (ie: a parse bug)
    > Or the mail server was hacked and they replaced the ident of the box
    > with their name.
    > OR the host was hacked and the host name was changed. Assuming a Unix
    > box, did you check your host name? hostname or uname -a
    >
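As an added example (editor's code, not from this thread or any project mentioned in it) of the check Brian describes, the Python below accepts a line read back from TCP/113 only if it matches the RFC 1413 reply grammar and labels a three-digit status line as the SMTP/FTP reply shape instead; the banner quoted in the thread is used as constructed sample input, with the "?" characters left as the archive preserved them.

```python
import re

# RFC 1413 reply grammar (whitespace around tokens is allowed):
#   <server-port> , <client-port> : USERID : <opsys>[,<charset>] : <user-id>
#   <server-port> , <client-port> : ERROR : <error-type>
IDENT_USERID = re.compile(
    r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*:\s*USERID\s*:\s*([^:]+?)\s*:\s*(.+?)\s*$")
IDENT_ERROR = re.compile(
    r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*:\s*ERROR\s*:\s*([A-Z0-9-]+)\s*$")
IDENT_ERROR_TYPES = {"INVALID-PORT", "NO-USER", "HIDDEN-USER", "UNKNOWN-ERROR"}
# "NNN " or "NNN-" at line start is the SMTP (RFC 2821) and FTP (RFC 959)
# reply shape; an RFC 1413 ident server never answers this way.
STATUS_BANNER = re.compile(r"^(\d{3})[ -](.*)$")


def classify_port113_reply(line: str) -> dict:
    """Classify one line read from a service on TCP/113 after an ident query."""
    line = line.rstrip("\r\n")
    m = IDENT_USERID.match(line)
    if m:
        return {"kind": "ident-userid", "server_port": int(m.group(1)),
                "client_port": int(m.group(2)), "opsys": m.group(3).strip(),
                "user": m.group(4)}
    m = IDENT_ERROR.match(line)
    if m:
        err = m.group(3)
        # RFC 1413 defines four error tokens plus implementation-specific X-* ones.
        ok = err in IDENT_ERROR_TYPES or err.startswith("X-")
        return {"kind": "ident-error" if ok else "ident-malformed", "error": err}
    m = STATUS_BANNER.match(line)
    if m:
        code, text = int(m.group(1)), m.group(2)
        # 220 greets in both SMTP and FTP; "530 Not logged in" is RFC 959 wording,
        # so a banner carrying both points at FTP rather than a mail server.
        hint = "ftp" if "530" in text and "not logged in" in text.lower() else "smtp-or-ftp"
        return {"kind": "status-banner", "code": code, "hint": hint, "text": text}
    return {"kind": "unknown", "raw": line}


def is_ident_reply(line: str) -> bool:
    return classify_port113_reply(line)["kind"] in ("ident-userid", "ident-error")


# Constructed samples: the banner quoted in this thread, then RFC 1413's own examples.
SAMPLES = [
    "220 ..:: ?lit?-Cr?w Rulez ::....530 Not logged in...\r\n",
    "6191, 23 : USERID : UNIX : stjohns\r\n",
    "6191, 23 : ERROR : NO-USER\r\n",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s.strip()), "->", classify_port113_reply(s))
```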

