Security Incidents
mailing list archives
Re: Open mail relay surge
From: Christopher Cramer <chris.cramer () duke edu>
Date: 07 Mar 2003 11:30:06 -0500
Very interesting. We've run into a couple of cases like this and a few
where the ports differed from what's listed. We finally added the
following rule to the Snort ruleset:
alert tcp $EXTERNAL_NET !25:80 -> $INTERNAL_NET !25:80 (msg:"SMTP traffic on nonstandard port"; content:"RCPT TO"; nocase;)
Basically, we're looking for someone piping in SMTP commands from an
external host to an internal host. We were originally looking for port
!25 to port !25, but had a fair number of false positives due to webmail
servers. We're still getting false positives on NNTP, POP and IMAP
servers, but aren't certain if it's worth opening the port list to
!25:143.
The rule could probably be optimized by the addition of a "depth: 10",
but as far as functionality goes, it seems to work well for us.
-c
--
Christopher E. Cramer, Ph.D.
University Information Technology Security Officer
Duke University, Office of Information Technology
253A North Building, Box 90132, Durham, NC 27708-0291
PH: 919-660-7003 FAX: 919-660-7076 CELL: 919-210-0528
PGP Public Key: http://www.duke.edu/~cramer/cramer.pgp
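An added example (mine, not Chris's rule or Snort itself) that emulates the matching logic of the rule above so the port-range trade-off he describes can be checked against constructed packets: the `!25:80` exclusion as posted, a `!25:143` widening that would also cover POP, NNTP and IMAP, and the effect of adding `depth: 10`. The `$EXTERNAL_NET`/`$INTERNAL_NET` address variables are not modelled; only source port, destination port and payload are evaluated, and every packet below is made up.

```python
"""Emulate the matching logic of the Snort rule quoted above.

Added example, not the poster's rule or Snort itself.  Port specs use
Snort's syntax: "25" (one port), "25:80" (inclusive range), "!25:80"
(everything outside the range) and "any".  Packets are constructed
records holding only source port, destination port and payload; the
$EXTERNAL_NET/$INTERNAL_NET address variables are not modelled.
"""
import re

PORT_SPEC = re.compile(r"^(!?)(\d+)(?::(\d+))?$")


def port_matches(spec, port):
    """True if `port` satisfies a Snort-style port spec."""
    if spec == "any":
        return True
    m = PORT_SPEC.match(spec)
    if not m:
        raise ValueError("unsupported port spec: %r" % spec)
    negate = m.group(1) == "!"
    lo = int(m.group(2))
    hi = int(m.group(3)) if m.group(3) is not None else lo
    inside = lo <= port <= hi
    return not inside if negate else inside


def rule_matches(rule, pkt):
    """Evaluate the port tests, then content/nocase/depth, on one packet."""
    if not port_matches(rule["src"], pkt["sport"]):
        return False
    if not port_matches(rule["dst"], pkt["dport"]):
        return False
    haystack, needle = pkt["payload"], rule["content"]
    if rule.get("depth") is not None:
        # depth: N restricts the content search to the first N payload bytes
        haystack = haystack[: rule["depth"]]
    if rule.get("nocase"):
        haystack, needle = haystack.lower(), needle.lower()
    return needle in haystack


def smtp_rule(port_spec, depth=None):
    """Build the rule from the thread with a chosen port spec on both sides."""
    return {"src": port_spec, "dst": port_spec, "content": b"RCPT TO",
            "nocase": True, "depth": depth}


# Constructed sample packets (not captured traffic); names say what each models.
SAMPLE_PACKETS = [
    {"name": "smtp-25",    "sport": 4100, "dport": 25,
     "payload": b"RCPT TO:<a@example.net>\r\n"},
    {"name": "relay-2525", "sport": 4101, "dport": 2525,
     "payload": b"rcpt to:<b@example.net>\r\n"},
    {"name": "webmail-80", "sport": 4102, "dport": 80,
     "payload": b"POST /compose HTTP/1.0\r\n\r\nbody=what+does+RCPT TO+mean"},
    {"name": "imap-143",   "sport": 4103, "dport": 143,
     "payload": b"a1 APPEND INBOX {300}\r\nReceived: ...\r\nRCPT TO: x"},
    {"name": "nntp-119",   "sport": 4104, "dport": 119,
     "payload": b"POST\r\nFrom: ...\r\nthe command RCPT TO means"},
    {"name": "proxy-1182", "sport": 4105, "dport": 1182,
     "payload": b"HELO spam\r\nMAIL FROM:<x>\r\nRCPT TO:<y>\r\n"},
]


def alerts(rule, packets=SAMPLE_PACKETS):
    """Names of the sample packets that would fire `rule`."""
    return [p["name"] for p in packets if rule_matches(rule, p)]


if __name__ == "__main__":
    for spec, depth in (("!25:80", None), ("!25:143", None), ("!25:80", 10)):
        print(spec, depth, alerts(smtp_rule(spec, depth)))
```

On the sample set, `!25:80` fires on the relay and the proxy but also on the IMAP and NNTP packets; `!25:143` silences those at the price of never seeing SMTP relayed on any port in 25-143. `depth: 10` only matches when `RCPT TO` sits at the start of the payload, so a packet carrying pipelined HELO/MAIL FROM/RCPT TO commands (the `proxy-1182` record) is missed even though the port test passes.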
On Fri, 2003-03-07 at 01:11, Jeff Kell wrote:
(Excuse a slight cross-posting to RESNET-L and Incidents...)
WENDY SHIH wrote:
Yes, we got quite a few of the OpenProxy complaints the past 2 weeks too.
We just saw a computer with MMTask.exe in XP. Most of the time, users
have BigBoss virus, Backdoor-AOT trojan (MPtask.exe) and plus some type of
wingate. We have seen them in Win98, 2000 and XP computers.
Let me relay an edited follow-up I finished yesterday tracking a local
spamming source in our dorms that turned out to be a similar proxy that
matched Dex's description.
After investigating the initial spam reports concerning the dorm spam,
some other issues have come to light. On the RESNET-L list at
<RESNET-L () LISTSERV ND EDU>, Dax <dax () RESNET UCSB EDU> wrote:
> Over the past 7 days, I've seen a tremendous surge in spam complaints
> coming from my domain. After seeing about 10 or so in the course of
> one week, I knew it had to be something of an epidemic. After
> handfuls of my RCCs came up blank, I finally examined one machine
> myself, and after a bit of diagnosis, was able to determine that
> WinGate proxy was the culprit - or rather, a hacked backdoor/Trojan
> of Wingate, similar to this example:
>
> http://www.megasecurity.org/Tools/Wingate3.09.html
>
> This is a semi-nasty one, and it opens up a web, ftp, and mail server
> on the r00ted machine. What makes it difficult to locate (at least on
> a Win9.x/ME box) is that it disguises itself as MMTask.exe. There
> were several other files (a couple .dlls and one more named
> mptask.exe, or something like it). Since XP shouldn't have mmtask,
> it's pretty obvious if an XP machine has become compromised. Of
> course, the user I checked out had no idea what it was, how it got
> there, or what in tarnation I was babbling on about. We're working on
> developing an IDS signature, but don't have much yet. Another very
> clear-cut indicator is nmap results that return this:
>
> 1180/tcp open unknown
> 1181/tcp open unknown
> 1182/tcp open unknown
> 1183/tcp open unknown
> 1184/tcp open unknown
> 1185/tcp open unknown
I ran a scan on the logs for March 2-4 against the internal IP searching
for inbounds on 1180-1185. Presto, almost like clockwork, a match, on
1182, each connection followed by one from the infected machine to an
outside SMTP server.
Originally I had counts for outbound TCP connections for this host from
March 2-4. These numbers look like this:
[jeff () netsyslog jeff]$ wc -l johndoe[1-3] # March 4,3,2
38331 johndoe1
23019 johndoe2
5538 johndoe3
66888 total
Next, I looked for proxy connections made to this host over the same
time period. Aggregate counts for all days (I didn't run them
separately) show a higher count:
[jeff () netsyslog jeff]$ wc -l johndoe-proxy
88110 johndoe-proxy
The proxy counts are inflated but for a good reason. I shut down the
network port Tuesday afternoon; the last recorded SMTP open was March 4,
16:04:06. The machine(s) connecting to the proxy continued going, and
the constant traffic kept the address translation slot open. It just
kept right on going all night and into Wednesday, finally giving up and
releasing the translation slot at 12:38:34 as shown:
Mar 5 11:39:58 utc-pix %PIX-6-302014: Teardown TCP connection 136320387 for outside:207.44.216.71/44356 to inside:172.28.220.181/1182 duration 0:02:01 bytes 0 SYN Timeout
Mar 5 12:38:02 utc-pix %PIX-6-305010: Teardown dynamic translation from inside:172.28.220.181 to outside:aaa.bbb.ccc.ddd duration 67:30:25
(That outside source address is not obfuscated :-) )
And the damage inflicted? Another scan looking for connections opened
to an SMTP port from the inside source that were closed by graceful TCP
FINs:
[jeff () netsyslog jeff]$ wc -l johndoe-damage
14929 johndoe-damage
Almost 15000 spams delivered, to who knows how many actual recipients.
It could have been much worse if we had the bandwidth to spare, and the
dorms weren't already squelched by a PacketShaper.
I still haven't isolated the method of infection or the actual proxy
installed; I shut down the port and notified student affairs. If
anything comes up in forensics, I'll follow up.
Jeff
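The triage Jeff describes (inbound hits on 1180-1185, each followed by an outbound SMTP connection from the same host, then a count of SMTP connections closed by graceful TCP FINs), as an added example that is not his scripts. It parses PIX %PIX-6-302014 teardown lines laid out like the one quoted above, reconstructs each connection's start time from the timestamp and duration, and pairs proxy hits with the next outbound SMTP connection. The seven log lines, their addresses, ports, counts and timestamps are constructed; the year is assumed to be 2003 because syslog timestamps carry none, and the 30-second pairing window is my own choice.

```python
"""Re-create the firewall-log triage described above on constructed lines.

Added example, not Jeff's scripts.  The line layout follows the
%PIX-6-302014 teardown message quoted in the thread; every address,
port, count and time in SAMPLE_LOG is made up.  "TCP FINs" is the
teardown reason a graceful close produces, the criterion used above
for a delivered message.
"""
import re
from datetime import datetime, timedelta

INFECTED = "172.28.220.181"            # the compromised dorm host (from the thread)
PROXY_PORTS = range(1180, 1186)        # 1180-1185, the backdoor's listeners

TEARDOWN = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ %PIX-6-302014: "
    r"Teardown TCP connection \d+ "
    r"for (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"duration (?P<dur>[\d:]+) bytes (?P<bytes>\d+)(?: (?P<reason>.*))?$"
)


def parse_duration(text):
    """'H:MM:SS' (hours may exceed 24, as in 67:30:25) -> timedelta."""
    h, m, s = (int(x) for x in text.split(":"))
    return timedelta(hours=h, minutes=m, seconds=s)


def parse(line, year=2003):
    """One teardown line -> dict with start/end times, or None if not one."""
    m = TEARDOWN.match(line)
    if not m:
        return None
    g = m.groupdict()
    # Syslog timestamps carry no year; the caller supplies it (assumed 2003).
    end = datetime.strptime("%d %s" % (year, g["ts"]), "%Y %b %d %H:%M:%S")
    return {
        "start": end - parse_duration(g["dur"]), "end": end,
        "src": g["src"], "sport": int(g["sport"]),
        "dst": g["dst"], "dport": int(g["dport"]),
        "inbound": g["src_if"] == "outside",   # initiator was on the outside
        "bytes": int(g["bytes"]), "reason": g["reason"] or "",
    }


def triage(lines, host=INFECTED, window=timedelta(seconds=30)):
    """Counts for the three scans described in the thread plus the pairing."""
    conns = [c for c in map(parse, lines) if c]
    proxy_in = [c for c in conns
                if c["inbound"] and c["dst"] == host and c["dport"] in PROXY_PORTS]
    smtp_out = [c for c in conns
                if not c["inbound"] and c["src"] == host and c["dport"] == 25]
    delivered = [c for c in smtp_out if c["reason"] == "TCP FINs"]

    # Pair each proxy hit with the first unused outbound SMTP connection that
    # starts within `window` after it (a constructed 30 s window).
    paired = 0
    unused = sorted(smtp_out, key=lambda c: c["start"])
    for p in sorted(proxy_in, key=lambda c: c["start"]):
        for i, s in enumerate(unused):
            if p["start"] <= s["start"] <= p["start"] + window:
                paired += 1
                del unused[i]
                break
    return {"proxy_inbound": len(proxy_in), "smtp_outbound": len(smtp_out),
            "delivered": len(delivered), "proxy_then_smtp": paired}


# Constructed sample log (TEST-NET addresses, invented connection ids).
SAMPLE_LOG = """\
Mar  4 15:58:10 utc-pix %PIX-6-302014: Teardown TCP connection 100001 for outside:203.0.113.10/44001 to inside:172.28.220.181/1182 duration 0:00:05 bytes 412 TCP FINs
Mar  4 15:58:12 utc-pix %PIX-6-302014: Teardown TCP connection 100002 for inside:172.28.220.181/3001 to outside:198.51.100.20/25 duration 0:00:04 bytes 2210 TCP FINs
Mar  4 15:59:30 utc-pix %PIX-6-302014: Teardown TCP connection 100003 for outside:203.0.113.10/44002 to inside:172.28.220.181/1182 duration 0:00:03 bytes 380 TCP FINs
Mar  4 15:59:33 utc-pix %PIX-6-302014: Teardown TCP connection 100004 for inside:172.28.220.181/3002 to outside:198.51.100.21/25 duration 0:00:02 bytes 0 TCP Reset-O
Mar  4 16:04:06 utc-pix %PIX-6-302014: Teardown TCP connection 100005 for inside:172.28.220.181/3003 to outside:198.51.100.22/25 duration 0:00:06 bytes 1980 TCP FINs
Mar  4 16:10:00 utc-pix %PIX-6-302014: Teardown TCP connection 100006 for inside:172.28.220.181/3004 to outside:198.51.100.30/80 duration 0:00:01 bytes 512 TCP FINs
Mar  5 11:39:58 utc-pix %PIX-6-302014: Teardown TCP connection 100007 for outside:203.0.113.10/44356 to inside:172.28.220.181/1182 duration 0:02:01 bytes 0 SYN Timeout
"""


def triage_sample():
    return triage(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    print(triage_sample())
```

The last sample line models the SYN Timeout teardown quoted above: once the port is shut, the controller keeps retrying the proxy, the inbound entry still appears in the log, but no outbound SMTP follows it, so it contributes to `proxy_inbound` and not to `proxy_then_smtp`.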