Security Basics mailing list archives

RE: Need your help!!!


From: chang zhu <cyz2000 () yahoo com>
Date: Tue, 23 Sep 2003 07:47:11 -0700 (PDT)

Thank you for all replies I received.

When I use fport, the Dell manager client is running on
ports 6001-6005.
CmdSrvr ->  6005  TCP   C:\Program Files\Dell\OpenManage\Drac\client\CmdSrvr.exe

It looks like a reverse NDR attack.

Thanks so much,

Chang

<chris.meidinger () badenit de> wrote:
Use either fport or netstat -ano to find out what processes are listening on all those ports, and send it to the list please. I cannot imagine that that many ports are open for what you are running. My gut feeling is that you are compromised.

So please send output of fport (from foundstone.com) so you can see what processes have those ports open, and start checking the binaries that own those ports against the hash sums of known good binaries.

-----Original Message-----
From: Birl [mailto:sbirl () temple edu] 
Sent: Monday, September 22, 2003 6:54 PM
To: security-basics () securityfocus com
Subject: Re: Need your help!!!


As it was written on Sep 20, thus chang zhu typed:

Chang:  Date: Sat, 20 Sep 2003 08:19:39 -0700 (PDT)
Chang:  From: chang zhu <cyz2000 () yahoo com>
Chang:
Chang:  Hi, all
Chang:
Chang:  Some people connect to my Exchange 2000 server every day and send all spams out.  When I go to current sessions under SMTP protocols and default SMTP virtual server from Exchange System Manager, I can see these people's connections and IP address (no domain name shown up and only fake name and IP shows).  I do not know how to block them.


Ummm ... a firewall?


Chang:  This is Exchange 2000 server with SP3 and behind PIX firewall.  We only open ports 25, 443 and 80 for this exch 2k server on PIX. MX record points to this server. If I use NMAP to scan this box internally, here are ports open:
Chang:
Chang:
Chang:  25/tcp     open        smtp
Chang:  80/tcp     open        http
Chang:  110/tcp    open        pop-3
Chang:  119/tcp    open        nntp
Chang:  135/tcp    open        loc-srv
Chang:  139/tcp    open        netbios-ssn
Chang:  143/tcp    open        imap2
Chang:  443/tcp    open        https
Chang:  445/tcp    open        microsoft-ds
Chang:  563/tcp    open        snews
Chang:  593/tcp    open        http-rpc-epmap
Chang:  691/tcp    open        resvc
Chang:  993/tcp    open        imaps
Chang:  995/tcp    open        pop3s
Chang:  3372/tcp   open        msdtc
Chang:  3389/tcp   open        ms-term-serv
Chang:  6000/tcp   open        X11
Chang:  6001/tcp   open        X11:1
Chang:  6003/tcp   open        X11:3
Chang:  6005/tcp   open        X11:5
Chang:  7001/tcp   open        afs3-callback
Chang:  8081/tcp   open        blackice-icecap
Chang:
Chang:  x11?


X11 is X-windows.  More-or-less windows for a UNIX machine.
But since you're running Windoze, I'm not sure what's listening on TCP 600[0-1,3,5]

Recommend you get nmap 3.45 and run it with the newly added -sV flag to see what's listening.  Moreover, you should download TCPView and leave it running.



(and you should make sure that your lines below don't word-wrap)

Chang:  When I do netstat -na, the following is shown as part of the result:
Chang:
Chang:  TCP    127.0.0.1:25           127.0.0.1:54441        TIME_WAIT
Chang:  TCP    127.0.0.1:25           127.0.0.1:54898        TIME_WAIT
Chang:  TCP    127.0.0.1:25           127.0.0.1:54904        TIME_WAIT
Chang:  TCP    127.0.0.1:25           127.0.0.1:54914        TIME_WAIT
Chang:  TCP    127.0.0.1:25           127.0.0.1:54916        TIME_WAIT
Chang:  TCP    127.0.0.1:25           127.0.0.1:54988        TIME_WAIT
Chang:  TCP    127.0.0.2:25           127.0.0.2:54433        TIME_WAIT
Chang:  TCP    127.0.0.2:25           127.0.0.2:54434        TIME_WAIT
Chang:  TCP    127.0.0.2:25           127.0.0.2:54442        TIME_WAIT
Chang:  TCP    127.0.0.2:25           127.0.0.2:54443        TIME_WAIT
Chang:  TCP    127.0.0.2:25           127.0.0.2:54444        TIME_WAIT
Chang:  TCP    127.0.0.2:25           127.0.0.2:54445        TIME_WAIT
Chang:  TCP    127.0.0.2:25           127.0.0.2:54446        TIME_WAIT
Chang:  TCP    127.0.0.2:25           127.0.0.2:54454        TIME_WAIT
Chang:  TCP    127.0.0.2:25           127.0.0.2:54890        TIME_WAIT
Chang:  TCP    127.0.0.2:25           127.0.0.2:54893        TIME_WAIT
Chang:  TCP    127.0.0.2:25           127.0.0.2:54903        TIME_WAIT
Chang:  TCP    127.0.0.2:25           127.0.0.2:54911        TIME_WAIT
Chang:  TCP    127.0.0.2:25           127.0.0.2:54913        TIME_WAIT
Chang:  TCP    127.0.0.2:25           127.0.0.2:54915        TIME_WAIT
Chang:  TCP    127.0.0.2:25           127.0.0.2:54917        TIME_WAIT
Chang:  TCP    127.0.0.2:25           127.0.0.2:54918        TIME_WAIT
Chang:  TCP    127.0.0.2:25           127.0.0.2:54919        TIME_WAIT
Chang:  TCP    127.0.0.100:25         127.0.0.100:54905      TIME_WAIT
Chang:  TCP    127.0.0.100:25         127.0.0.100:54912      TIME_WAIT
Chang:  TCP    127.0.1.50:25          127.0.1.50:54456       TIME_WAIT
Chang:
Chang:  This server is not an open relay server, so how can spammers connect to this server to send all spams out from different domain addresses?
Chang:
Chang:  Due to limited experience, I am not able to tackle it down.  Many anti-spam companies have put our server on their lists.  I asked them to send me reports that indicated all spams truly went out through my server, from the mail header info.
Chang:
Chang:  I need to resolve this ASAP and any suggestion or solutions will be greatly appreciated.
Chang:
Chang:
Chang:  Thanks for all your attention and help,


These are all internal IPs.  Do you know if these IPs are actually in use, or do you think they are forged?  I see you mentioned "... fake name and IP ..." but I do not see any "fake" names.



Thanks

 Scott Birl                              http://concept.temple.edu/sysadmin/
 Senior Systems Administrator            Computer Services   Temple University

====*====*====*====*====*====*====*====+====*====*====*====*====*====*====*====*



=== message truncated ===
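One way to act on the advice in this thread, Chris Meidinger's "find which process owns each listening port and check that binary against known-good hash sums" and Scott Birl's question about the loopback-to-loopback SMTP connections, as an added example that is not part of the original thread and is not code from fport, TCPView, nmap or any other tool mentioned in it. It parses the TCP rows of Windows `netstat -na` / `netstat -ano` output, maps each listening port to its owning PID, audits the owning binary against an allow-list of expected ports (25, 80 and 443, the ones Chang says the PIX exposes) and a known-good SHA-256 table, and counts the loopback TIME_WAIT connections to port 25 per local address. Every sample value (the netstat rows, the PID-to-image map, the stand-in binary contents, the known-good hashes, and every path except the CmdSrvr.exe path Chang quoted from fport) is constructed for the example.

```python
"""Added example (not from the thread): port -> owning binary -> known-good hash audit."""
import hashlib
import re

# Constructed sample of `netstat -ano` output; it is NOT the output Chang posted.
SAMPLE_NETSTAT_ANO = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1432
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1432
  TCP    0.0.0.0:6005           0.0.0.0:0              LISTENING       2208
  TCP    0.0.0.0:8081           0.0.0.0:0              LISTENING       3110
  TCP    127.0.0.2:25           127.0.0.2:54433        TIME_WAIT       0
  TCP    127.0.0.2:25           127.0.0.2:54434        TIME_WAIT       0
  TCP    127.0.0.100:25         127.0.0.100:54905      TIME_WAIT       0
"""

# Constructed PID -> image path map, the kind of mapping fport or tasklist reports.
# Only the CmdSrvr.exe path appears in the thread; the other two paths are hypothetical.
SAMPLE_PID_TO_IMAGE = {
    1432: r"C:\Program Files\Exchsrvr\bin\inetinfo.exe",
    2208: r"C:\Program Files\Dell\OpenManage\Drac\client\CmdSrvr.exe",
    3110: r"C:\WINNT\system32\unknown.exe",
}

# Constructed byte strings standing in for the binaries on disk. On a real host
# you would open the file at the mapped path and hash its contents instead.
SAMPLE_IMAGE_BYTES = {
    r"C:\Program Files\Exchsrvr\bin\inetinfo.exe": b"inetinfo-known-good",
    r"C:\Program Files\Dell\OpenManage\Drac\client\CmdSrvr.exe": b"cmdsrvr-known-good",
    r"C:\WINNT\system32\unknown.exe": b"something-nobody-has-seen",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Known-good hash table (constructed here from the "good" stand-in bytes; in practice
# it comes from vendor media or a trusted reference build, never from the suspect host).
SAMPLE_KNOWN_GOOD = {
    sha256_hex(b"inetinfo-known-good"): "inetinfo.exe",
    sha256_hex(b"cmdsrvr-known-good"): "CmdSrvr.exe",
}

# Ports the PIX is meant to expose for this server, per Chang's description.
EXPECTED_PORTS = {25, 80, 443}

# TCP rows of netstat output; the trailing PID column is only present with -o.
NETSTAT_RE = re.compile(
    r"^\s*TCP\s+(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<raddr>\S+):(?P<rport>\S+)"
    r"\s+(?P<state>\S+)(?:\s+(?P<pid>\d+))?\s*$"
)


def parse_netstat(text):
    """Parse TCP rows of `netstat -na` / `netstat -ano`; pid is None when -o was not used."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # headers, blank lines and UDP rows are skipped
        rows.append({
            "laddr": m["laddr"], "lport": int(m["lport"]),
            "raddr": m["raddr"], "rport": m["rport"], "state": m["state"],
            "pid": int(m["pid"]) if m["pid"] else None,
        })
    return rows


def listening_ports(rows):
    """Map each listening TCP port to the PID that owns it."""
    return {r["lport"]: r["pid"] for r in rows if r["state"] == "LISTENING"}


def audit_listeners(rows, pid_to_image, image_bytes, known_good, expected_ports):
    """Flag listeners outside the expected port set and owning binaries whose hash
    is not on the known-good list. Returns a list of human-readable findings."""
    findings = []
    for port, pid in sorted(listening_ports(rows).items()):
        image = pid_to_image.get(pid)
        if port not in expected_ports:
            findings.append(f"port {port}: unexpected listener pid={pid} image={image}")
        data = image_bytes.get(image) if image else None
        if data is None:
            findings.append(f"port {port}: cannot resolve or read binary for pid={pid}")
            continue
        digest = sha256_hex(data)
        if digest not in known_good:
            findings.append(f"port {port}: {image} sha256 {digest[:12]}... not in known-good list")
    return findings


def loopback_smtp_churn(rows):
    """Count TIME_WAIT connections to port 25 with loopback addresses on both ends,
    grouped by local address (the pattern in Chang's netstat -na paste)."""
    counts = {}
    for r in rows:
        if (r["lport"] == 25 and r["state"] == "TIME_WAIT"
                and r["laddr"].startswith("127.") and r["raddr"].startswith("127.")):
            counts[r["laddr"]] = counts.get(r["laddr"], 0) + 1
    return counts


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT_ANO)
    for finding in audit_listeners(rows, SAMPLE_PID_TO_IMAGE, SAMPLE_IMAGE_BYTES,
                                   SAMPLE_KNOWN_GOOD, EXPECTED_PORTS):
        print(finding)
    print(loopback_smtp_churn(rows))
```

On the constructed sample this reports port 6005 (CmdSrvr.exe) as an unexpected listener whose binary nevertheless matches the known-good table, and port 8081 as both unexpected and backed by a binary with no known-good hash; that second class is the one Chris's advice is aimed at. Two caveats for real use: the known-good hashes must come from a source other than the suspect host, and on a machine you already believe compromised the netstat and fport output themselves can be tampered with, so TCPView or an external nmap -sV scan, as Scott suggests, gives a second opinion.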



