Security Incidents mailing list archives

Re: Odd identd behavior
From: Mike Owen <kyphros () gmail com>
Date: Mon, 14 Nov 2005 16:20:08 -0800

On 11/14/05, Levenglick, Jeff <JLevenglick () fhlbatl com> wrote:
Ok.. It looks like we are all confused.
This is why I said mail:

1) He checked his mail logs for connects that were not RFC correct. He found a few that did not ident correctly. The assumption now is that an smtp server or a telnet to port 25 connected to him. (more than likely to see if his server was not set up/patched correctly and would send spam)

So, based on that, one would assume that you would connect back to the ip in your log file on port 25 to see who they are. I think the problem is he did not say what port he connected on to ident them. Yes, it could be ident, NetBEUI, smtp, ftp... etc.

2) He did say that he thought there was a backdoor in the mail server. Because he is looking for and said mail server, I am assuming he connected on port 25 to them. Someone said nmap, etc. to see a hidden port. Why? Assuming the above, we know the port and the assumption is an ftp server on port 25. (very strange, but who knows)

Mike,

What port did you connect to them on?
Also... if you connect on 25, what did it ident itself as? (i.e. smtp server version or ftp server version)

Rather than go through all of that... go to arin.net, do a whois on the ip address you have and, if you have the time, call them.
I would not run nmap against someone else; you could find yourself in legal trouble.


Just to clarify some of the confusion:

I'm looking at logs on *my* email server, and network packet captures
from *my* network. My email server is sending out ident requests, to
port 113 on the affected destination servers. The replies received,
instead of being in the standard format as dictated by RFC 1413, are
coming back with the "220 ..:: €lit€-Cr€w Rulez ::..." and "530 Not
logged in..." messages. These messages are coming from the destination
servers. As an earlier poster stated, they fit the format of an ftp
transaction, aka RFC 959.

My server is (to my knowledge) acting fine. Most destination servers
return a correctly formatted ident reply when my server contacts them.
I'm only receiving the "220 ..:: €lit€-Cr€w Rulez ::..." messages from
6 (six) distinct IPs.

The comment about the backdoor was idle speculation upon my part about
what these messages signified. After reviewing RFC 959 (ftp), I'm
quite certain they are in fact coming from an ftp daemon listening on
port 113 (ident).

I don't really want to post IPs here to a public mailing list, but
they appear to be scattered through the US/Europe.

I hope this clears things up.

Mike
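As an added example (not part of the thread), a small Python checker for the symptom described above: it classifies each line received on port 113 as a well-formed RFC 1413 ident answer that echoes the queried port pair, or as an RFC 959 style numeric reply such as the 220/530 lines quoted here, and lists the peers that answered oddly. The records below are constructed sample data, not the poster's logs.

```python
import re

# RFC 1413 reply: "<port-on-server> , <port-on-client> : USERID : <opsys> : <user-id>" or "... : ERROR : <error-type>"
IDENT_RE = re.compile(
    r"^\s*(?P<sport>\d{1,5})\s*,\s*(?P<cport>\d{1,5})\s*:\s*"
    r"(?P<kind>USERID|ERROR)\s*:\s*(?P<rest>.+?)\s*$"
)
# Error types RFC 1413 defines; implementation-specific ones start with "X"
IDENT_ERRORS = {"INVALID-PORT", "NO-USER", "HIDDEN-USER", "UNKNOWN-ERROR"}
# RFC 959 reply: three-digit code followed by a space (final line) or "-" (continued line)
FTP_RE = re.compile(r"^(?P<code>[1-5]\d\d)[ -]")

def classify_ident_reply(query, reply):
    """Classify one line received on TCP/113 for the ident query we sent: 'rfc1413',
    'rfc1413-mismatch' (valid syntax, wrong port pair), 'ftp-reply' (RFC 959 code) or 'unknown'."""
    sent = tuple(int(p) for p in query.split(","))
    line = reply.rstrip("\r\n")
    m = IDENT_RE.match(line)
    if m:
        err = m.group("rest").strip()
        if m.group("kind") == "ERROR" and err not in IDENT_ERRORS and not err.startswith("X"):
            return "unknown"
        if (int(m.group("sport")), int(m.group("cport"))) != sent:
            return "rfc1413-mismatch"
        return "rfc1413"
    if FTP_RE.match(line):
        return "ftp-reply"
    return "unknown"

# Constructed sample records: (peer IP, ident query sent, first line received on port 113)
SAMPLE_RECORDS = [
    ("192.0.2.10", "40123 , 25", "40123 , 25 : USERID : UNIX : postfix"),
    ("192.0.2.11", "40124 , 25", "40124 , 25 : ERROR : HIDDEN-USER"),
    ("198.51.100.7", "40125 , 25", "220 ..:: constructed banner ::.."),
    ("198.51.100.8", "40126 , 25", "530 Not logged in."),
    ("203.0.113.5", "40127 , 25", "51000 , 25 : USERID : UNIX : root"),
]

def odd_ident_peers(records):
    """Map each peer whose port-113 reply is not a clean ident answer to its verdict."""
    return {peer: v for peer, query, reply in records
            if (v := classify_ident_reply(query, reply)) != "rfc1413"}

if __name__ == "__main__":
    for peer, verdict in sorted(odd_ident_peers(SAMPLE_RECORDS).items()):
        print(f"{peer:14} {verdict}")
```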
