Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Incidents
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Odd identd behavior

from [kgp] Network Security [Permanent Link]
Subject: Re: Odd identd behavior
Date: Mon, 14 Nov 2005 09:37:00 -0800 
Mike,

220 is the banner message for an ftp server.
If you telnet to it and hit return after recieving the banner message you
should get a 530 if it's a normally configured ftp server (and if it's not
then why'd they leave the 220 on the banner?).

dig or nslookup the site. That should give you a contact name and phone
number although a lot of folks leave that out now. It is probably the
person paying for the site and you'll have to ask to be put in touch with
the actual admins.

Kevin

Quoting "Christopher E. Cramer" <chris.cramer@duke.edu>:



Mike,

This looks like the output from an FTP server.  If I had to guess, I
would
say that this looks like someone compromised a machine and installed a
warez ftp server on the identd port.

-c

--
Christopher E. Cramer, Ph.D.
University Information Technology Security Officer
Duke University,  Office of Information Technology
334 Blackwell St., Suite 2106, Durham, NC 27701
PH: 919-660-7003  FAX: 919-668-2953  CELL: 919-210-0528


On Thu, 10 Nov 2005, Mike Owen wrote:


While going through logs, and looking at mail server ident daemon
replies that don't fit the RFC-1413 standard, I noticed the following
string from a few servers:

"220 ..:: ?lit?-Cr?w Rulez ::..."

Looks to me like this group has been compromising mail servers, and
then instead of taking them down, lets them continue running, although
with a slight modification. They probably siphon off a copy of all
email transiting their servers as well, although without access to any
of these servers, I can't tell.

Interesting to note, if you send 2 ident requests, the second one comes

back as:


"220 ..:: ?lit?-Cr?w Rulez ::....530 Not logged in..."

This leads me to believe this is the backdoor into these mail servers,
after all, if you're trying to hide a backdoor from port scans, or
dealing with stringent firewall rules, subverting an existing
listening process is a smart way to do it.

I have not notified the 0wned sites, mostly because I'm not really
sure what to do there. I can't email them, which means I have to
attempt to find a contact, and then call them. Then of course, the
person I manage to get a hold of needs to understand what I'm trying
to say, and I have to hope they don't then try and email someone
telling them that they have been compromised, thereby letting the
attackers know.

I'm curious as to whether anyone else has seen ident replies like this.

Thanks,
Mike
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Odd identd behavior, k levinson
Next by Date:  Re: Odd identd behavior, Steve.Cummings
Previous by Thread:  Re: Odd identd behavior, Christopher E. Cramer
Next by Thread:  Re: Odd identd behavior, Mike Owen
Indexes:  [Date] [Thread] [Top] [All Lists]