Security Incidents mailing list archives
Re: Spamming, 'hidden' mail server
From: Karl Levinson <levinson_k () despammed com>
Date: 10 Oct 2003 11:54:45 -0000
In-Reply-To: <20031008230117.GT92397 () sentex net>

It seems to me that analyzing the network traffic to guess what this might be is optional, whereas capturing, analyzing and removing the executable from the machines is mandatory. So that's the direction I'd want to go in first. Assuming that these are Windows machines and you aren't concerned about preserving evidence, the things recommended in the previous day's thread titled "strange windows behaviour" should still be helpful here, some of which are summarized here: using something like ActivePorts or Foundstone's Fport to determine which executable is listening on that port; a personal firewall if necessary to determine which executable is sending on a given port; looking at the startup locations and services in the registry, possibly with the help of tools like the MSCONFIG command, Startup Cop, etc.; if you can't see the executable on the file system, scanning for hidden NTFS streams using tools like the one from Foundstone or the tool mentioned in the other thread; if you can't see the executable on the file system, consider looking for Windows rootkits by booting to an alternate OS such as a boot floppy or slaving the hard drive, or by connecting to the computer from another computer across the network using the Client for Microsoft Networks and possibly also running an antivirus scan remotely that way. Then, if one or more antivirus scanners with the latest updates still don't detect it, you can submit the file to antivirus vendors, inspect the executable in your lab, etc.
I've been debugging a weird spamming problem lately -- customers with almost zero technical knowledge have been spamming, and virus scans have not shown anything yet. Below is a dump of traffic traversing port 3101 of one of our customers' connections, which I've been looking at for the past couple of hours.
But this looks remarkably like a remotely-started SMTP daemon, set up as an open relay. Take a look at this. This doesn't look like a normal 3-way handshake. Apologies for length:
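The triage steps Karl lists above (which executable owns the listening port, what is wired into the startup locations and services, and whether anything is tucked into NTFS alternate data streams) can be run as one read-only sweep on a current Windows host. This is an added example, not code from the thread or from any tool named in it; it uses modern cmdlets (Get-NetTCPConnection needs Windows 8 / Server 2012 or later, whereas Fport was the 2003-era equivalent), and $SuspectPort and $ScanRoot are assumed values to adjust for the case at hand.

```powershell
# Added example: read-only Windows triage for a suspected hidden mail daemon.
# Run from an elevated PowerShell prompt so process paths and services resolve.
param([int]$SuspectPort = 3101)   # assumed: port seen in the capture
$ScanRoot = 'C:\'                 # assumed: directory tree to scan for streams

# 1. Which executable owns the socket listening on the suspect port?
Write-Host "== Listening sockets on port $SuspectPort =="
Get-NetTCPConnection -State Listen -LocalPort $SuspectPort -ErrorAction SilentlyContinue |
  ForEach-Object {
    $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{ Port = $_.LocalPort; PID = $_.OwningProcess
                       Name = $p.ProcessName; Path = $p.Path }
  } | Format-Table -AutoSize

# 2. Persistence: the Run keys and services that MSCONFIG-style tools read.
Write-Host "== Run / RunOnce entries =="
foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
  if (Test-Path $key) {
    (Get-ItemProperty $key).PSObject.Properties |
      Where-Object { $_.Name -notlike 'PS*' } |
      ForEach-Object { "$key : $($_.Name) = $($_.Value)" }
  }
}
Write-Host "== Services whose binary lives outside the Windows directory =="
Get-CimInstance Win32_Service |
  Where-Object { $_.PathName -and $_.PathName -notmatch '\\Windows\\' } |
  Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize

# 3. Files carrying NTFS alternate data streams (a hiding place for a binary).
#    ':$DATA' is the normal main stream; Zone.Identifier is the benign
#    "downloaded from the internet" marker, so both are filtered out.
Write-Host "== Files with extra NTFS streams under $ScanRoot =="
Get-ChildItem $ScanRoot -Recurse -File -ErrorAction SilentlyContinue |
  ForEach-Object {
    Get-Item $_.FullName -Stream * -ErrorAction SilentlyContinue |
      Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' }
  } | Select-Object FileName, Stream, Length | Format-Table -AutoSize
```

If the listening process has no Path or does not show up at all, that is the "can't see the executable on the file system" case Karl describes, where an offline scan from an alternate OS or a remote scan over the network is the next step.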