Security Incidents mailing list archives
Cable modem hosts being exploited to spam. TCP ports 224, 253
From: ahigbee () VA RR COM (Aaron Higbee)
Date: Fri, 7 Jan 2000 17:09:39 -0500
Hello all-

The question is: Does anyone know anything about ports 224 and 253 (TCP) and how could they be used for spamming? I have telneted to the ports and tried to get some feedback. Nothing. Any ideas?

--Aaron

History:

The tower.earthlink.net spammer (being referred to as the tower.earthlink.net spammer because that is the one common forgery in all the spams) is somehow connecting to cable modem hosts to send spam to AOL members. Here is a list of IPs that have been reported to us that have been victimized by this spammer. The only theory I have is that because these hosts have wide open file/print sharing they are given a program that opens up the ports. In working with infected members (people with wide open file sharing tend to be hard to work with when troubleshooting this) we have not been able to find any odd programs running. (Nor have we had success closing ports 224, 253.)

The format is Date, RR-Region, IP address, Wide open file/print sharing (Y/N) - open ports.

11/18/99 TW - Midsouth 24.95.102.x Y - 139, 224, 253, 7323
11/20/99 TW - Midsouth 24.92.76.x Y - 139, 224, 253, 7323
11/21/99 TW - Midsouth 24.92.76.x Y - 139, 224, 253, 7323
12/6/99 TW - Midsouth 24.95.102.x Y - 224, 253, 1503, 1720, 2292, 7323
12/9/99 TW - Tampa Bay 24.92.20.x Y - 21, 80, 139, 224, 253
12/9/99 TW - Tampa Bay 24.92.30.x Y - 139, 224, 253, 1080, 7000, 8000
12/9/99 TW - Tampa Bay 24.92.180.x Y - 139, 224, 253
12/9/99 TW - Midsouth 24.95.103.x Y - 139, 224, 253
12/9/99 TW - Midsouth 24.92.75.x Y - 139, 224, 253
12/9/99 TW - Central NY 24.24.4.x Y - 25, 139, 224, 253
12/12/99 TW - Tampa Bay 24.92.31.x Y - 80, 139, 224, 253, 5631
12/12/99 TW - Tampa Bay 24.92.20.x Y - 21, 80, 139, 224, 253
12/13/99 TW - Tampa Bay 24.92.31.x Y - 80, 139, 224, 253, 5631
12/15/99 TW - Tampa Bay 24.92.180.x Y - 139, 224, 253
12/16/99 TW - Tampa Bay 24.92.31.x Y - 80, 139, 224, 253, 5631
12/16/99 TW - Tampa Bay 24.92.30.x Y - 139, 253, 1080
12/19/99 TW - Tampa Bay 24.92.30.x Y - 139, 224, 253, 1080
12/21/99 TW - Midsouth 24.95.103.x Y - 139, 224, 253
12/30/99 TW - Midsouth 24.92.75.x Y - 139, 224, 253
1/7/00 TW - Tampa Bay *24.92.20.162* Y - 80, 139, 224, 253

** not munged for any testing a reader of this list may want to do.

This is not just happening to Road Runner either: I grabbed the IP (209.51.163.221) out of this deja post about the same spammer:
http://x32.deja.com/getdoc.xp?AN=565959998.1&CONTEXT=947280562.325582883&hitnum=2

Sure enough:

/root]# nmap -sT -p220-260 209.51.163.221
Interesting ports on digital.trancenet.com (209.51.163.221):
Port State Protocol Service
224 open tcp unknown
253 open tcp unknown

The below is a netstat -a from one of the "compromised" boxes during a live spamming. Infected members have been sent current virus scanners and MooSoft's Trojan cleaner. Nothing was found. You'll notice a TCP connection on 224 from a nwlink.com DSL IP. (We do not want any action taken on this IP until we can find out exactly what he is doing, so that we may potentially pursue criminal prosecution of this spammer if he is indeed breaking into systems.)

TCP socorro:1944 rly-za03.mx.aol.com:smtp ESTABLISHED
TCP socorro:1945 rly-za03.mx.aol.com:smtp ESTABLISHED
TCP socorro:1946 rly-za03.mx.aol.com:smtp ESTABLISHED
TCP socorro:1947 rly-za03.mx.aol.com:smtp ESTABLISHED
TCP socorro:1948 rly-za03.mx.aol.com:smtp ESTABLISHED
TCP socorro:1949 rly-za03.mx.aol.com:smtp ESTABLISHED
TCP socorro:1950 rly-za03.mx.aol.com:smtp ESTABLISHED
TCP socorro:1951 rly-za03.mx.aol.com:smtp ESTABLISHED
TCP socorro:1952 rly-za03.mx.aol.com:smtp ESTABLISHED
TCP socorro:1953 rly-za03.mx.aol.com:smtp ESTABLISHED
TCP socorro:224 xxx.xxxx.xxx.bel.nwlink.com:1569 ESTABLISHED

Working with another infected member showed the same nwlink.com IP address in a netstat. A router filter was put up to log connections from that IP. Here is a snip of the captured logs showing the nwlink IP connecting to port 224 (2 pings as well):

75xx.log:Dec 23 12:27:56 [24.92.1.251.10.133] 172: Dec 23 17:27:55 UTC: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1875) -> 24.92.180.101(224), 1 packet
75xx.log:Dec 23 12:27:58 [24.92.1.251.10.133] 173: Dec 23 17:27:57 UTC: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1876) -> 24.92.30.182(224), 1 packet
75xx.log:Dec 23 12:33:25 [24.92.1.251.10.133] 174: Dec 23 17:33:23 UTC: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1876) -> 24.92.30.182(224), 2 packets
75xx.log:Dec 23 12:54:28 [24.92.1.251.10.133] 175: Dec 23 17:54:27 UTC: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(2902) -> 24.129.14.3(80), 1 packet
75xx.log:Dec 23 12:54:37 [24.92.1.251.10.133] 176: Dec 23 17:54:36 UTC: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(2925) -> 24.129.14.3(80), 1 packet
75xx.log:Dec 26 18:37:30 [24.92.1.251.10.133] 177: Dec 26 23:37:29 UTC: %SEC-6-IPACCESSLOGDP: list 103 permitted icmp 209.20.176.xxx -> 24.92.30.182 (0/0), 1 packet
75xx.log:Dec 26 18:43:05 [24.92.1.251.10.133] 178: Dec 26 23:43:04 UTC: %SEC-6-IPACCESSLOGDP: list 103 permitted icmp 209.20.176.xxx -> 24.92.30.182 (0/0), 3 packets
75xx.log:Dec 27 05:41:44 [24.92.1.251.10.133] 179: Dec 27 10:41:43 UTC: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1416) -> 24.92.10.134(224), 1 packet
75xx.log:Dec 27 05:41:46 [24.92.1.251.10.133] 180: Dec 27 10:41:45 UTC: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1418) -> 24.92.180.107(224), 1 packet
75xx.log:Dec 27 05:45:38 [24.92.1.251.10.133] 181: Dec 27 10:45:37 UTC: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1439) -> 24.92.10.134(224), 1 packet
75xx.log:Dec 27 05:45:40 [24.92.1.251.10.133] 182: Dec 27 10:45:39 UTC: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1440) -> 24.92.10.28(224), 1 packet
75xx.log:Dec 27 05:45:42 [24.92.1.251.10.133] 183: Dec 27 10:45:41 UTC: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1442) -> 24.92.20.162(224), 1 packet
75xx.log:Dec 27 05:47:25 [24.92.1.251.10.133] 184: Dec 27 10:47:24 UTC: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1416) -> 24.92.10.134(224), 3 packets
75xx.log:Dec 27 05:48:04 [24.92.1.251.10.133] 185: Dec 27 10:48:03 UTC: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1455) -> 24.92.180.107(224), 1 packet
75xx.log:Dec 27 05:49:43 [24.92.1.251.10.133] 186: Dec 27 10:49:42 UTC: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1460) -> 24.92.180.107(224), 1 packet
75xx.log:Dec 27 05:49:44 [24.92.1.251.10.133] 187: Dec 27 10:49:43 UTC: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1461) -> 24.92.20.162(224), 1 packet
75xx.log:Dec 27 05:50:44 [24.92.1.251.10.133] 188: Dec 27 10:50:42 UTC: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1474) -> 24.92.180.107(224), 1 packet
75xx.log:Dec 27 05:50:45 [24.92.1.251.10.133] 189: Dec 27 10:50:44 UTC: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1475) -> 24.92.20.162(224), 1 packet
75xx.log:Dec 27 05:51:25 [24.92.1.251.10.133] 190: Dec 27 10:51:24 UTC: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1439) -> 24.92.10.134(224), 3 packets
75xx.log:Dec 27 06:02:01 [24.92.1.251.10.133] 191: Dec 27 11:02:00 UTC: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1489) -> 24.92.180.107(224), 1 packet
75xx.log:Dec 27 06:03:34 [24.92.1.251.10.133] 192: Dec 27 11:03:33 UTC: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1503) -> 24.92.180.107(224), 1 packet
75xx.log:Dec 27 06:05:01 [24.92.1.251.10.133] 193: Dec 27 11:05:00 UTC: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1517) -> 24.92.180.107(224), 1 packet
75xx.log:Dec 27 06:05:02 [24.92.1.251.10.133] 194: Dec 27 11:05:01 UTC: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1518) -> 24.92.20.162(224), 1 packet
75xx.log:Dec 27 06:06:04 [24.92.1.251.10.133] 195: Dec 27 11:06:03 UTC: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1530) -> 24.92.180.107(224), 1 packet
75xx.log:Dec 27 06:06:06 [24.92.1.251.10.133] 196: Dec 27 11:06:05 UTC: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1531) -> 24.92.20.162(224), 1 packet
75xx.log:Dec 27 06:07:11 [24.92.1.251.10.133] 197: Dec 27 11:07:10 UTC: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1543) -> 24.92.180.107(224), 1 packet
75xx.log:Dec 27 06:07:12 [24.92.1.251.10.133] 198: Dec 27 11:07:11 UTC: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1544) -> 24.92.20.162(224), 1 packet
75xx.log:Dec 27 06:08:47 [24.92.1.251.10.133] 199: Dec 27 11:08:46 UTC: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1556) -> 24.92.180.107(224), 1 packet
75xx.log:Dec 27 06:10:51 [24.92.1.251.10.133] 200: Dec 27 11:10:49 UTC: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1569) -> 24.92.180.107(224), 1 packet
75xx.log:Dec 27 06:10:51 [24.92.1.251.10.133] 201: Dec 27 11:10:51 UTC: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1570) -> 24.92.20.162(224), 1 packet
75xx.log:Dec 27 07:16:23 [24.92.1.251.10.133] 202: Dec 27 12:16:22 UTC: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1590) -> 24.92.180.107(224), 1 packet
75xx.log:Dec 27 07:16:25 [24.92.1.251.10.133] 203: Dec 27 12:16:24 UTC: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(1591) -> 24.92.20.162(224), 1 packet
75xx.log:Dec 27 08:07:51 [24.92.1.251.10.133] 204: Dec 27 13:07:49 UTC: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 209.20.176.xxx(2162) -> 24.92.180.107(224), 1 packet

---------------------Begin Sample Spam----------------------
Return-Path: <bestautoguys15733 () earthlink net>
Received: from rly-za02.mx.aol.com (rly-za02.mail.aol.com [172.31.36.98]) by air-za03.mail.aol.com (v67.7) with ESMTP; Fri, 07 Jan 2000 10:08:25 -0500
Received: from tower.earthlink.net (dt081na2.tampabay.rr.com [24.92.20.162]) by rly-za02.mx.aol.com (v67.7) with ESMTP; Fri, 07 Jan 2000 10:08:11 -0500
Received: from account.58-126-182-153.takondou.jp [58.126.182.153] by tower.earthlink.net (SMTPD32-5.01 EVAL) id A5C4843D1; Fri, 7 Jan 2000 09:29:19 PDT
Message-Id: <4.1.20000107846859.880415 () serv011 takondou jp>
X-Sender: (Unverified)
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Date: Fri, 7 Jan 2000 09:46:36
From: <bestautoguys15733 () earthlink net>
Subject: Get that New Car at Dealer Invoice.
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

##### Offending message including original headers:
Subj: Get that New Car at Dealer Invoice.
Date: 1/7/2000 10:08:26 AM Eastern Standard Time
From: bestautoguys15733 () earthlink net

Do you want a new car or truck, but...
* don't think you can afford one?
* your credit is too bad?
* are tired of being taken advantage of by the dealer?
* want it at almost factory invoice price?
* want the deal to be the best it can be?

Or maybe you just want to find out how low you can possibly get the payments on that new car or truck...

Then Click Here http://204.4.8.51/users/bestauto/
---------------------End Sample Spam----------------------

--
Aaron Higbee
Security Administrator - Road Runner Security
-----------------------------------------
PGP Id: 0x0034DD13
PGP Fingerprint :73F7 B51F 97CC 1A18 40AF 6E91 6573 D9F4 0034 DD13
--
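As an added example (not part of Aaron's post or Road Runner's tooling), a small Python parser for Cisco ACL syslog records in the shape of the 75xx.log snip above; it groups, per source address, the hosts that source reached on ports 224 and 253, the packets sent to those ports, and whether it also pinged them, which is the pattern the router filter was put up to capture. The lines in SAMPLE are constructed in the same layout with RFC 5737 placeholder source addresses, not copied from the router logs.

```python
import re
from collections import defaultdict
# Cisco IOS ACL syslog records as in the 75xx.log snip: IPACCESSLOGP (tcp/udp, with ports), IPACCESSLOGDP (icmp).
ACL_TCP = re.compile(
    r"%SEC-6-IPACCESSLOGP: list \d+ permitted (?P<proto>tcp|udp) "
    r"(?P<src>[\w.]+)\(\d+\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<n>\d+) packets?")
ACL_ICMP = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list \d+ permitted icmp "
    r"(?P<src>[\w.]+) -> (?P<dst>[\d.]+) \(\d+/\d+\), (?P<n>\d+) packets?")

WATCH_PORTS = {224, 253}  # the unexplained listeners reported in the post

def parse_line(line):
    """Return {proto, src, dst, dport, packets} for one ACL record, else None."""
    m = ACL_TCP.search(line)
    if m:
        return {"proto": m["proto"], "src": m["src"], "dst": m["dst"],
                "dport": int(m["dport"]), "packets": int(m["n"])}
    m = ACL_ICMP.search(line)
    if m:
        return {"proto": "icmp", "src": m["src"], "dst": m["dst"],
                "dport": None, "packets": int(m["n"])}
    return None

def summarize(lines):
    """Per source: hosts reached on a watched port, packets sent to those ports, and
    which of those hosts it also pinged; sources with only other traffic are dropped."""
    acc = defaultdict(lambda: {"hosts": set(), "packets": 0, "pinged": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        e = acc[rec["src"]]
        if rec["proto"] == "icmp":
            e["pinged"].add(rec["dst"])
        elif rec["dport"] in WATCH_PORTS:
            e["hosts"].add(rec["dst"])
            e["packets"] += rec["packets"]
    return {src: e for src, e in acc.items() if e["hosts"]}

# Constructed sample lines (same layout as the post; source IPs are RFC 5737 placeholders).
SAMPLE = """\
75xx.log:Dec 27 05:45:40 [10.0.0.1] 182: Dec 27 10:45:39 UTC: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 198.51.100.7(1440) -> 24.92.10.28(224), 1 packet
75xx.log:Dec 27 05:47:25 [10.0.0.1] 184: Dec 27 10:47:24 UTC: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 198.51.100.7(1416) -> 24.92.10.134(224), 3 packets
75xx.log:Dec 27 05:54:28 [10.0.0.1] 185: Dec 27 10:54:27 UTC: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 198.51.100.7(2902) -> 24.129.14.3(80), 1 packet
75xx.log:Dec 26 18:37:30 [10.0.0.1] 177: Dec 26 23:37:29 UTC: %SEC-6-IPACCESSLOGDP: list 103 permitted icmp 198.51.100.7 -> 24.92.10.28 (0/0), 1 packet
75xx.log:Dec 27 06:02:01 [10.0.0.1] 191: Dec 27 11:02:00 UTC: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 203.0.113.9(1489) -> 24.92.10.28(253), 2 packets
75xx.log:Dec 27 06:03:34 [10.0.0.1] 192: Dec 27 11:03:33 UTC: %SEC-6-IPACCESSLOGP: list 103 permitted tcp 203.0.113.22(3011) -> 24.92.10.28(80), 1 packet
""".splitlines()
```

Feeding the real 75xx.log snip to summarize() would collapse the 33 records to one source entry listing the six cable-modem hosts it reached on 224 and the one it pinged.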