Security Incidents mailing list archives

Spamming, 'hidden' mail server


From: Damian Gerow <damian () sentex net>
Date: Wed, 8 Oct 2003 19:01:17 -0400

incidents () securityfocus com:

I've been debugging a weird spamming problem lately -- customers with almost
zero technical knowledge have been spamming, and virus scans have not shown
anything yet.  Below is a dump of traffic traversing port 32101 of one of our
customers' connections, which I've been looking at for the past couple of
hours.

This has moved from firewall-wizards@, which I am Cc:'ing in this.

Moderator: I'm not sure exactly how on-topic this is, but I'm also not sure
where else to turn at this point.

Thus spake Paul Robertson (proberts () patriot net) [08/10/03 18:20]:
> > Since this has moved far and beyond the scope of the list, I'll refrain from
> > posting anything else.
>
> No fair, we wanna know what it was!

Hmmm... I /thought/ it might be a variant of the autoproxy trojan:

    <http://www.mail-archive.com/full-disclosure () lists netsys com/msg08569.html>

But this looks remarkably like a remotely-started SMTP daemon, set up as an
open relay.  Take a look at this.  This doesn't look like a normal 3-way
handshake.  Apologies for length:

    17:56:07.675864 cashtonic.propagation.net.57871 > cust.dsl2.sentex.ca.32101: S 1826083692:1826083692(0) win 5840 <mss 1460> (DF)
    0x0000       4500 002c 9168 4000 2d06 d7b9 42dd d90a        E..,.h@.-...B...
    0x0010       4007 88bb e20f 7d65 6cd7 d36c 0000 0000        @.....}el..l....
    0x0020       6002 16d0 fcf2 0000 0204 05b4                  `...........
    17:56:07.693071 cust.dsl2.sentex.ca.32101 > cashtonic.propagation.net.57871: S 583475395:583475395(0) ack 1826083693 win 16968 <mss 1414> (DF)
    0x0000       4500 002c 03c5 4000 7f06 135d 4007 88bb        E..,..@....]@...
    0x0010       42dd d90a 7d65 e20f 22c7 20c3 6cd7 d36d        B...}e.."...l..m
    0x0020       6012 4248 8e0d 0000 0204 0586 92f1             `.BH..........
    17:56:07.733811 cashtonic.propagation.net.57871 > cust.dsl2.sentex.ca.32101: . ack 1 win 5840 (DF)
    0x0000       4500 0028 9169 4000 2d06 d7bc 42dd d90a        E..(.i@.-...B...
    0x0010       4007 88bb e20f 7d65 6cd7 d36d 22c7 20c4        @.....}el..m"...
    0x0020       5010 16d0 d114 0000                            P.......
    17:56:07.733828 cashtonic.propagation.net.57871 > cust.dsl2.sentex.ca.32101: F 1:1(0) ack 1 win 5840 (DF)
    0x0000       4500 0028 916a 4000 2d06 d7bb 42dd d90a        E..(.j@.-...B...
    0x0010       4007 88bb e20f 7d65 6cd7 d36d 22c7 20c4        @.....}el..m"...
    0x0020       5011 16d0 d113 0000                            P.......
    17:56:07.752423 cust.dsl2.sentex.ca.32101 > cashtonic.propagation.net.57871: . ack 2 win 16968 (DF)
    0x0000       4500 0028 03c6 4000 7f06 1360 4007 88bb        E..(..@....`@...
    0x0010       42dd d90a 7d65 e20f 22c7 20c4 6cd7 d36e        B...}e.."...l..n
    0x0020       5010 4248 a59b 0000 0000 1a47 48df             P.BH.......GH.
    17:56:07.754633 cust.dsl2.sentex.ca.32101 > cashtonic.propagation.net.57871: F 1:1(0) ack 2 win 16968 (DF)
    0x0000       4500 0028 03c7 4000 7f06 135f 4007 88bb        E..(..@...._@...
    0x0010       42dd d90a 7d65 e20f 22c7 20c4 6cd7 d36e        B...}e.."...l..n
    0x0020       5011 4248 a59a 0000 0000 3820 d9c3             P.BH......8...
    17:56:07.791436 cashtonic.propagation.net.57871 > cust.dsl2.sentex.ca.32101: . ack 2 win 5840 (DF)
    0x0000       4500 0028 0000 4000 2d06 6926 42dd d90a        E..(..@.-.i&B...
    0x0010       4007 88bb e20f 7d65 6cd7 d36e 22c7 20c5        @.....}el..n"...
    0x0020       5010 16d0 d112 0000                            P.......
    17:57:36.978125 207.218.103.29.4752 > cust.dsl2.sentex.ca.32101: S 1688526831:1688526831(0) win 65535 <mss 1460,nop,nop,sackOK> (DF)
    0x0000       4500 0030 c990 4000 7006 417d cfda 671d        E..0..@.p.A}..g.
    0x0010       4007 88bb 1290 7d65 64a4 dfef 0000 0000        @.....}ed.......
    0x0020       7002 ffff aedb 0000 0204 05b4 0101 0402        p...............
    17:57:36.994738 cust.dsl2.sentex.ca.32101 > 207.218.103.29.4752: S 605878698:605878698(0) ack 1688526832 win 16968 <mss 1414,nop,nop,sackOK> (DF)
    0x0000       4500 0030 03d0 4000 7f06 f83d 4007 88bb        E..0..@....=@...
    0x0010       cfda 671d 7d65 1290 241c f9aa 64a4 dff0        ..g.}e..$...d...
    0x0020       7012 4248 4ee9 0000 0204 0586 0101 0402        p.BHN...........
    17:57:37.060523 207.218.103.29.4752 > cust.dsl2.sentex.ca.32101: . ack 1 win 65535 (DF)
    0x0000       4500 0028 c9bd 4000 7006 4158 cfda 671d        E..(..@.p.AX..g.
    0x0010       4007 88bb 1290 7d65 64a4 dff0 241c f9ab        @.....}ed...$...
    0x0020       5010 ffff bdc7 0000                            P.......
    17:57:37.060859 207.218.103.29.4752 > cust.dsl2.sentex.ca.32101: P 1:4(3) ack 1 win 65535 (DF)
    0x0000       4500 002b c9bf 4000 7006 4153 cfda 671d        E..+..@.p.AS..g.
    0x0010       4007 88bb 1290 7d65 64a4 dff0 241c f9ab        @.....}ed...$...
    0x0020       5018 ffff b8bb 0000 0501 00                    P..........
    17:57:37.079841 cust.dsl2.sentex.ca.32101 > 207.218.103.29.4752: P 1:3(2) ack 4 win 16965 (DF)
    0x0000       4500 002a 03d1 4000 7f06 f842 4007 88bb        E..*..@....B@...
    0x0010       cfda 671d 7d65 1290 241c f9ab 64a4 dff3        ..g.}e..$...d...
    0x0020       5018 4245 7675 0000 0500 052b e9a1             P.BEvu.....+..
    17:57:37.146869 207.218.103.29.4752 > cust.dsl2.sentex.ca.32101: P 4:14(10) ack 3 win 65533 (DF)
    0x0000       4500 0032 c9fd 4000 7006 410e cfda 671d        E..2..@.p.A...g.
    0x0010       4007 88bb 1290 7d65 64a4 dff3 241c f9ad        @.....}ed...$...
    0x0020       5018 fffd af41 0000 0501 0001 0c1c fd39        P....A.........9
    0x0030       0019                                           ..
    17:57:37.225916 cust.dsl2.sentex.ca.32101 > 207.218.103.29.4752: P 3:13(10) ack 14 win 16955 (DF)
    0x0000       4500 0032 03d4 4000 7f06 f837 4007 88bb        E..2..@....7@...
    0x0010       cfda 671d 7d65 1290 241c f9ad 64a4 dffd        ..g.}e..$...d...
    0x0020       5018 423b a93f 0000 0500 0001 4007 88bb        P.B;.?......@...
    0x0030       0468                                           .h
    17:57:37.430926 207.218.103.29.4752 > cust.dsl2.sentex.ca.32101: . ack 13 win 65523 (DF)
    0x0000       4500 0028 cabe 4000 7006 4057 cfda 671d        E..(..@.p.@W..g.
    0x0010       4007 88bb 1290 7d65 64a4 dffd 241c f9b7        @.....}ed...$...
    0x0020       5010 fff3 bdba 0000                            P.......
    17:57:37.450172 cust.dsl2.sentex.ca.32101 > 207.218.103.29.4752: P 13:31(18) ack 14 win 16955 (DF)
    0x0000       4500 003a 03d6 4000 7f06 f82d 4007 88bb        E..:..@....-@...
    0x0010       cfda 671d 7d65 1290 241c f9b7 64a4 dffd        ..g.}e..$...d...
    0x0020       5018 423b d7e7 0000 3232 3020 7365 7276        P.B;....220.serv
    0x0030       6572 2075 7020 5831 0d0a                       er.up.X1..
    17:57:37.517854 207.218.103.29.4752 > cust.dsl2.sentex.ca.32101: P 14:42(28) ack 31 win 65505 (DF)
    0x0000       4500 0044 caea 4000 7006 400f cfda 671d        E..D..@.p.@...g.
    0x0010       4007 88bb 1290 7d65 64a4 dffd 241c f9c9        @.....}ed...$...
    0x0020       5018 ffe1 2a3a 0000 4845 4c4f 20.. ....        P...*:..HELO...c
    0x0030       .... ..2e 6473 6c32 2e73 656e 7465 782e        ust.dsl2.sentex.
    0x0040       6361 0d0a                                      ca..
    17:57:37.599470 cust.dsl2.sentex.ca.32101 > 207.218.103.29.4752: P 31:61(30) ack 42 win 16927 (DF)
    0x0000       4500 0046 03d8 4000 7f06 f81f 4007 88bb        E..F..@.....@...
    0x0010       cfda 671d 7d65 1290 241c f9c9 64a4 e019        ..g.}e..$...d...
    0x0020       5018 421f 6635 0000 3235 3020 6865 6c6c        P.B.f5..250.hell
    0x0030       6f20 6d61 696c 2e62 726f 776e 7363 6172        o.mail.brownscar
    0x0040       2e63 6f6d 0d0a                                 .com..
    17:57:37.665018 207.218.103.29.4752 > cust.dsl2.sentex.ca.32101: P 42:76(34) ack 61 win 65475 (DF)
    0x0000       4500 004a cb56 4000 7006 3f9d cfda 671d        E..J.V@.p.?...g.
    0x0010       4007 88bb 1290 7d65 64a4 e019 241c f9e7        @.....}ed...$...
    0x0020       5018 ffc3 6332 0000 4d41 494c 2046 524f        P...c2..MAIL.FRO
    0x0030       4d3a 203c 7433 6666 7176 3879 4074 6c63        M:.<t3ffqv8y@tlc
    0x0040       6661 6e2e 636f 6d3e 0d0a                       fan.com>..
    17:57:37.743826 cust.dsl2.sentex.ca.32101 > 207.218.103.29.4752: P 61:69(8) ack 76 win 16893 (DF)
    0x0000       4500 0030 03db 4000 7f06 f832 4007 88bb        E..0..@....2@...
    0x0010       cfda 671d 7d65 1290 241c f9e7 64a4 e03b        ..g.}e..$...d..;
    0x0020       5018 41fd 9c68 0000 3235 3020 6f6b 0d0a        P.A..h..250.ok..
    17:57:37.809762 207.218.103.29.4752 > cust.dsl2.sentex.ca.32101: P 76:109(33) ack 69 win 65467 (DF)
    0x0000       4500 0049 cbb1 4000 7006 3f43 cfda 671d        E..I..@.p.?C..g.
    0x0010       4007 88bb 1290 7d65 64a4 e03b 241c f9ef        @.....}ed..;$...
    0x0020       5018 ffbb 75c0 0000 5243 5054 2054 4f3a        P...u...RCPT.TO:
    0x0030       203c 6362 6972 6368 4062 726f 776e 7363        .<cbirch@brownsc
    0x0040       6172 2e63 6f6d 3e0d 0a                         ar.com>..
    17:57:37.919530 cust.dsl2.sentex.ca.32101 > 207.218.103.29.4752: P 69:108(39) ack 109 win 16860 (DF)
    0x0000       4500 004f 03dd 4000 7f06 f811 4007 88bb        E..O..@.....@...
    0x0010       cfda 671d 7d65 1290 241c f9ef 64a4 e05c        ..g.}e..$...d..\
    0x0020       5018 41dc 4f29 0000 3235 3020 6f6b 2069        P.A.O)..250.ok.i
    0x0030       7473 2066 6f72 203c 6362 6972 6368 4062        ts.for.<cbirch@b
    0x0040       726f 776e 7363 6172 2e63 6f6d 3e0d 0a          rownscar.com>..
    17:57:37.985600 207.218.103.29.4752 > cust.dsl2.sentex.ca.32101: P 109:142(33) ack 108 win 65428 (DF)
    0x0000       4500 0049 cc2c 4000 7006 3ec8 cfda 671d        E..I.,@.p.>...g.
    0x0010       4007 88bb 1290 7d65 64a4 e05c 241c fa16        @.....}ed..\$...
    0x0020       5018 ff94 7ba1 0000 5243 5054 2054 4f3a        P...{...RCPT.TO:
    0x0030       203c 6366 6162 6572 4062 726f 776e 7363        .<cfaber@brownsc
    0x0040       6172 2e63 6f6d 3e0d 0a                         ar.com>..
    17:57:38.089586 cust.dsl2.sentex.ca.32101 > 207.218.103.29.4752: P 108:147(39) ack 142 win 16827 (DF)
    0x0000       4500 004f 03df 4000 7f06 f80f 4007 88bb        E..O..@.....@...
    0x0010       cfda 671d 7d65 1290 241c fa16 64a4 e07d        ..g.}e..$...d..}
    0x0020       5018 41bb 5504 0000 3235 3020 6f6b 2069        P.A.U...250.ok.i
    0x0030       7473 2066 6f72 203c 6366 6162 6572 4062        ts.for.<cfaber@b
    0x0040       726f 776e 7363 6172 2e63 6f6d 3e0d 0a          rownscar.com>..
    17:57:38.155389 207.218.103.29.4752 > cust.dsl2.sentex.ca.32101: P 142:148(6) ack 147 win 65389 (DF)
    0x0000       4500 002e cc9b 4000 7006 3e74 cfda 671d        E.....@.p.>t..g.
    0x0010       4007 88bb 1290 7d65 64a4 e07d 241c fa3d        @.....}ed..}$..=
    0x0020       5018 ff6d 17a0 0000 4441 5441 0d0a             P..m....DATA..
    17:57:38.229991 cust.dsl2.sentex.ca.32101 > 207.218.103.29.4752: P 147:188(41) ack 148 win 16821 (DF)
    0x0000       4500 0051 03e1 4000 7f06 f80b 4007 88bb        E..Q..@.....@...
    0x0010       cfda 671d 7d65 1290 241c fa3d 64a4 e083        ..g.}e..$..=d...
    0x0020       5018 41b5 a5e7 0000 3335 3420 6f6b 2c20        P.A.....354.ok,.
    0x0030       7365 6e64 2069 743b 2065 6e64 2077 6974        send.it;.end.wit
    0x0040       6820 3c43 524c 463e 2e3c 4352 4c46 3e0d        h.<CRLF>.<CRLF>.
    0x0050       0a                                             .

(I've replaced the customer's actual hostname with 'cust.dsl2.sentex.ca',
and '.'ed out the hex.)

Has anyone seen this before?  And now, I'm moving this from firewall-wizards
to incidents@.  If people on one list wish to remain updated, either
subscribe to the securityfocus mailing list, or follow the archives.

I've done a Google search for 'server up X1', with no results.  Same for
'cashtonic.propagation.net', but opening it up in a web browser resulted in
a web page consisting solely of 'dfhjgkdfjk'.
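As an added example (not part of the original post or of any software it discusses), the Python below decodes the four short payloads exchanged at 17:57:37 before the SMTP dialogue starts, copied from the hex columns of the dump above. Their layout is the SOCKS5 greeting, method selection and CONNECT request/reply defined in RFC 1928, and the decoder pulls out what a defender would want from such a capture: whether authentication was required, and which host and port the proxy was asked to connect to.

```python
import struct
from ipaddress import IPv4Address

# Payloads copied from the hex columns of the dump above (client port 4752
# -> cust.dsl2.sentex.ca.32101, and the replies back).
CLIENT_GREETING = bytes.fromhex("050100")                # P 1:4(3)
SERVER_METHOD = bytes.fromhex("0500")                    # P 1:3(2)
CLIENT_REQUEST = bytes.fromhex("050100010c1cfd390019")   # P 4:14(10)
SERVER_REPLY = bytes.fromhex("05000001400788bb0468")     # P 3:13(10)

SOCKS_CMDS = {1: "CONNECT", 2: "BIND", 3: "UDP ASSOCIATE"}

def parse_greeting(buf):
    """Client greeting per RFC 1928: VER, NMETHODS, METHODS[NMETHODS]."""
    ver, n = buf[0], buf[1]
    if ver != 5 or len(buf) != 2 + n:
        raise ValueError("not a SOCKS5 greeting")
    return {"version": ver, "methods": list(buf[2:2 + n])}

def parse_method_selection(buf):
    """Server method selection: VER, METHOD (0x00 = no authentication)."""
    if len(buf) != 2 or buf[0] != 5:
        raise ValueError("not a SOCKS5 method selection")
    return {"version": 5, "method": buf[1]}

def parse_request_or_reply(buf):
    """Request (VER CMD RSV ATYP DST.ADDR DST.PORT) and reply (VER REP RSV
    ATYP BND.ADDR BND.PORT) share one layout; only IPv4 (ATYP=1), which is
    all this capture contains, is handled here."""
    ver, code, rsv, atyp = buf[:4]
    if ver != 5 or rsv != 0 or atyp != 1 or len(buf) != 10:
        raise ValueError("unsupported SOCKS5 message")
    (port,) = struct.unpack("!H", buf[8:10])
    return {"code": code, "addr": str(IPv4Address(buf[4:8])), "port": port}

def summarize_exchange():
    """Walk the four captured payloads and report what the proxy was asked to do."""
    greeting = parse_greeting(CLIENT_GREETING)
    method = parse_method_selection(SERVER_METHOD)
    req = parse_request_or_reply(CLIENT_REQUEST)
    rep = parse_request_or_reply(SERVER_REPLY)
    return {
        "no_auth_accepted": 0 in greeting["methods"] and method["method"] == 0,
        "command": SOCKS_CMDS.get(req["code"], f"0x{req['code']:02x}"),
        "destination": f"{req['addr']}:{req['port']}",
        "reply_succeeded": rep["code"] == 0,
        "bound_to": f"{rep['addr']}:{rep['port']}",
        # an unauthenticated CONNECT to tcp/25 is the relay pattern to alert on
        "connect_to_smtp": req["code"] == 1 and req["port"] == 25,
    }
```

The same parsers can be run over any payload seen on an unexpected listening port; a successful unauthenticated CONNECT to port 25 from an outside address is the condition worth alerting on.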
