Security Incidents: Re: Odd identd behavior

Re: Odd identd behavior

From: Christopher E. Cramer <chris.cramer_at_duke.edu>
Date: Mon, 14 Nov 2005 11:31:20 -0500 (EST)

Mike,

This looks like the output from an FTP server. If I had to guess, I would
say that this looks like someone compromised a machine and installed a
warez ftp server on the identd port.

-c

--
Christopher E. Cramer, Ph.D.
University Information Technology Security Officer
Duke University, Office of Information Technology
334 Blackwell St., Suite 2106, Durham, NC 27701
PH: 919-660-7003  FAX: 919-668-2953  CELL: 919-210-0528
On Thu, 10 Nov 2005, Mike Owen wrote:
> While going through logs, and looking at mail server ident daemon
> replies that don't fit the RFC-1413 standard, I noticed the following
> string from a few servers:
>
> "220 ..:: ?lit?-Cr?w Rulez ::..."
>
> Looks to me like this group has been compromising mail servers, and
> then instead of taking them down, lets them continue running, although
> with a slight modification. They probably siphon off a copy of all
> email transiting their servers as well, although without access to any
> of these servers, I can't tell.
>
> Interesting to note, if you send 2 ident requests, the second one comes back as:
>
> "220 ..:: ?lit?-Cr?w Rulez ::....530 Not logged in..."
>
> This leads me to believe this is the backdoor into these mail servers,
> after all, if you're trying to hide a backdoor from port scans, or
> dealing with stringent firewall rules, subverting an existing
> listening process is a smart way to do it.
>
> I have not notified the 0wned sites, mostly because I'm not really
> sure what to do there. I can't email them, which means I have to
> attempt to find a contact, and then call them. Then of course, the
> person I manage to get a hold of needs to understand what I'm trying
> to say, and I have to hope they don't then try and email someone
> telling them that they have been compromised, thereby letting the
> attackers know.
>
> I'm curious as to whether anyone else has seen ident replies like this.
>
> Thanks,
> Mike
>
Received on Nov 14 2005
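As an added example (not part of the thread), a small Python classifier that tells well-formed RFC 1413 USERID/ERROR replies apart from the FTP-style "220"/"530" banners Mike saw on the ident port, so a log review can flag hosts whose port 113 answers like an FTP server. Hostnames and banner text are constructed for the example.

```python
import re

# RFC 1413 reply grammar (simplified):
#   <server-port> , <client-port> : USERID : <opsys> : <user-id>
#   <server-port> , <client-port> : ERROR  : <error-type>
IDENT_REPLY_RE = re.compile(
    r"^\s*(?P<sport>\d{1,5})\s*,\s*(?P<cport>\d{1,5})\s*:\s*"
    r"(?P<kind>USERID|ERROR)\s*:\s*(?P<info>.*?)\s*$"
)
# Three-digit status codes ("220 ...", "530 ...") belong to FTP/SMTP, never to ident.
STATUS_CODE_RE = re.compile(r"(?<!\d)(\d{3})(?=[ -])")


def classify_ident_reply(reply: str) -> dict:
    """Classify one line read from TCP/113.

    verdict "rfc1413": well-formed ident reply with in-range port numbers;
    verdict "ftp-like": line opens with a 3-digit status code (the banner
    behaviour described in the thread); verdict "unknown": anything else.
    """
    m = IDENT_REPLY_RE.match(reply)
    if m and all(0 < int(m[p]) < 65536 for p in ("sport", "cport")):
        return {"verdict": "rfc1413", "kind": m["kind"], "info": m["info"], "codes": []}
    codes = STATUS_CODE_RE.findall(reply)
    if codes and reply.lstrip().startswith(codes[0]):
        return {"verdict": "ftp-like", "kind": None, "info": reply.strip(), "codes": codes}
    return {"verdict": "unknown", "kind": None, "info": reply.strip(), "codes": []}


def flag_hosts(records):
    """records: iterable of (host, reply). Returns {host: [status codes]} for
    hosts whose ident port answered with an FTP-like banner."""
    return {h: r["codes"] for h, r in ((h, classify_ident_reply(x)) for h, x in records)
            if r["verdict"] == "ftp-like"}


# Constructed sample replies (hosts and banner text are made up for this example).
SAMPLE_RECORDS = [
    ("mx1.example.net", "6193, 23 : USERID : UNIX : stjohns"),
    ("mx2.example.net", "6195, 23 : ERROR : NO-USER"),
    ("mx3.example.net", "220 ..:: constructed warez banner ::..."),
    ("mx4.example.net", "220 ..:: constructed warez banner ::....530 Not logged in..."),
]

if __name__ == "__main__":
    for host, codes in flag_hosts(SAMPLE_RECORDS).items():
        print(f"{host}: non-ident banner on 113, status codes {codes}")
```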