Re: Odd identd behavior

From: Brian Smith-Sweeney (tinbox_at_nyct.net)
Date: 11/14/05

  • Next message: Andrew Simmons: "RE: Odd identd behavior"
    Date: Mon, 14 Nov 2005 15:27:48 -0500
    To: "Levenglick, Jeff" <JLevenglick@fhlbatl.com>, incidents@securityfocus.com
    
    

    Everyone I believe did read his message. Yes, he said mailserver logs,
    but that's because the mailservers in question were connecting back to
    the ident port which is fairly standard behavior. What's not standard
    is that they were getting a response back from the service listening on
    the ident port that was not consistent with an ident server. While 220
    as you noted is a valid mailserver response, it's *not* a valid ident
    server response.

    The conclusion of "it looks like an FTP server" is based on the fact
    that many warez kiddies install FTP servers on non-standard ports, and
    that the remainder of the header (..:: ?lit?-Cr?w Rulez ::..) looks like
    a warez banner. The easiest way to verify would be to attempt FTP
    protocol negotiation to the port in question to see what happens, but
    I'm guessing the majority of folks who posted to the list are correct:
    it's FTP.

    Also, if you're going to attempt to correct people by citing RFC's, it's
    best to use the right RFC. =) RFC 793 is TCP; RFC 2821 (and old 821)
    discuss SMTP, which is I assume what you meant to reference.

    My guess is the ::.. stuff is just to look cool, but I suppose it's
    possible it has a dual purpose.

    Cheers,
    Brian
    Levenglick, Jeff wrote:
    > Ok.... It's a good thing we all read his message...
    >
    > He said mail server logs....
    >
    > 220 is a valid MAIL server response.
    > see http://www.rfc-editor.org/rfc/rfc793.txt 220 <domain> Service
    > ready
    >
    > Where did ftp come from?
    >
    > Now.. Why does it say: 220 ..:: ?lit?-Cr?w Rulez ::....530 Not logged
    > in...
    >
    > Because that is what they put as the ident of the mail server- ..::
    > ?lit?-Cr?w Rulez ::....530 Not logged in...
    >
    > My quick quess is that ..:: when sent to a daemon could overflow or
    > maybe do something it is not supposed to. (ie: a parse bug)
    > Or the mail server was hacked and they replaced the ident of the box
    > with their name.
    > OR the host was hacked and the host name was changed. Assuming a Unix
    > box, did you check your host name? hostname or uname -a
    >


  • Next message: Andrew Simmons: "RE: Odd identd behavior"