July 19th, 2007, 05:27 PM
#1
Senior Member
honeyd: smtp & attachments
My server went down (caused by the power supply),
so I put a CNAME record in to point to my home machine.
The ISP did his work very quickly and I deleted the CNAME.
It had been there for 10 minutes.
-
I'm running honeyd on my home machine, supporting port 25 too.
-
...now I'm receiving a large amount of crap like this
(it looks like first port 25 was checked by titan.cvpa.usf.edu
and then mail was sent from different places containing a PDF file):
<code>
--MARK--,"Thu Jul 19 17:06:39 CEST 2007","exchange/SMTP","131.247.128.35","172.16.1.5",30839,25,
"",
--ENDMARK--
--MARK--,"Thu Jul 19 17:12:10 CEST 2007","exchange/SMTP","200.88.42.111","172.16.1.5",3214,25,
"EHLO 111santiagord12.codetel.net.do
MAIL FROM:<ayman431@q.pollard.net>
RCPT TO:<censored@cen.sored.net> (edited)
DATA
Received: from PC01 ([112.192.159.159] helo=PC01)
by 111santiagord12.codetel.net.do ( sendmail 8.13.3/8.13.1) with esmtpa id 1YHEOz-000VPA-qj
for censored@cen.sored.net ; Thu, 19 Jul 2007 09:51:24 -0400 (edited)
Message-ID: <000f01c7ca0b$d6865f90$6f2a58c8@PC01>
From: "ayman Fegerman" <ayman431@q.pollard.net>
To: censored@cen.sored.net (edited)
Subject: Emailing: Rechenschaft86516.pdf
Date: Thu, 19 Jul 2007 09:50:59 -0400
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_000B_01C7C9EA.4F74BF90"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3138
------=_NextPart_000_000B_01C7C9EA.4F74BF90
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_000C_01C7C9EA.4F74BF90"
------=_NextPart_001_000C_01C7C9EA.4F74BF90
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
The message is ready to be sent with the following file or link =
attachments:
Rechenschaft86516.pdf
------snap
</code>
Can you comprehend this, or have you got information about the host at usf.edu?
Google doesn't help.
Thanks.
Please ask for the full logfile.
Addendum:
Maybe you would be able to identify it by:
<META content=3D"MSHTML 6.00.2900.3132" name=3DGENERATOR>
Last edited by stanger; July 19th, 2007 at 05:45 PM.
Reason: forgot something ;)
Industry Kills Music.
-
July 19th, 2007, 06:52 PM
#2
Senior Member
Update:
------=_NextPart_000_0004_01C7CA37.B8851550--
--l6JH6eXb011136.1184864800/luna.vistec.net--
.
--ENDMARK--
Let's traceroute it:
traceroute to luna.vistec.net (194.64.40.71), 30 hops max, 38 byte packets
1 gateway (192.168.1.1) 0.497 ms 0.350 ms 0.307 ms
2 217.0.116.177 (217.0.116.177) 39.911 ms 39.564 ms 39.597 ms
3 217.0.74.242 (217.0.74.242) 40.207 ms 39.487 ms 39.634 ms
4 f-eb5.f.de.net.dtag.de (62.154.17.62) 44.564 ms 44.366 ms 45.680 ms
5 62.156.139.226 (62.156.139.226) 196.239 ms 172.021 ms 97.747 ms
6 ge0-1.cr1.ixfra.de.easynet.net (212.224.5.34) 44.047 ms 44.271 ms 43.766 ms
7 194.64.253.22 (194.64.253.22) 46.314 ms 46.369 ms 47.459 ms
8 ns.vistec.net (194.64.40.71) 46.834 ms 46.370 ms 46.229 ms
Any idea?
[update]
I received mails from other servers, but they were detected as spam by them.
100% pdf_spam, 0% image_spam
http://www.securityfocus.com/news/11475?ref=rss
Last edited by stanger; July 20th, 2007 at 06:24 AM.
Reason: updating
Industry Kills Music.
-
July 21st, 2007, 08:13 AM
#3
Titan might be an FTP server:
http://www.freedownloadscenter.com/N...TP_Server.html
College of Visual and Performing Arts University of South Florida.
Which I am afraid doesn't tell you very much.
-
August 4th, 2007, 02:48 PM
#4
Senior Member
Thanks for the reply.
The interesting things:
I never changed the MX record.
The used mail address contains a subdomain that was created by Confixx.
The email address can be found via Google.
The service got shut down one year ago.
MAIL TO: user@sub.domain - missing last letter of username.
The attackers then (after succeeding) used the subdomain's name as "FROM:" with a different username (simone@sub.domain).
The CNAME record was deleted after 10 minutes, but yesterday I got a spam mail again (Adobe OEM with random text area).
I'm curious:
would it be possible to use such behaviour as a mailworm/spam trap?
In my opinion it could work.
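An added example (not code from the thread or from honeyd) that parses honeyd service-log records in the --MARK--/--ENDMARK-- layout quoted in the first post and labels each connection the way a small spam trap would: a bare connect is a probe, and mail to a recipient that never existed (like the missing-last-letter address described above) is a trap hit. The log text, addresses and names are constructed, and honeyd's quoting of payloads is assumed to match the excerpt in post #1.

```python
import csv
import re
# Constructed sample in the honeyd service-log layout quoted in post #1
# (--MARK-- header, quoted payload, --ENDMARK--); RFC 5737 addresses, made-up names.
SAMPLE_LOG = '''--MARK--,"Thu Jul 19 17:06:39 CEST 2007","exchange/SMTP","192.0.2.10","172.16.1.5",30839,25,
"",
--ENDMARK--
--MARK--,"Thu Jul 19 17:12:10 CEST 2007","exchange/SMTP","198.51.100.7","172.16.1.5",3214,25,
"EHLO relay.example.net
MAIL FROM:<sender@example.org>
RCPT TO:<jane.do@sub.example.com>
Subject: Emailing: Rechenschaft86516.pdf
Content-Type: multipart/mixed;
 boundary="----=_NextPart_000_000B"
",
--ENDMARK--
'''

RECORD_RE = re.compile(r'--MARK--,(.*?)\n"(.*?)"\s*,?\s*\n--ENDMARK--', re.S)
SMTP_RE = {
    "helo": re.compile(r"^(?:EHLO|HELO)\s+(\S+)", re.M | re.I),
    "mail_from": re.compile(r"^MAIL FROM:\s*<?([^>\s]+)>?", re.M | re.I),
    "rcpt_to": re.compile(r"^RCPT TO:\s*<?([^>\s]+)>?", re.M | re.I),
    "attachment": re.compile(r"^Subject:.*?(\S+\.(?:pdf|zip|exe|scr|doc))\s*$", re.M | re.I),
}

def parse_honeyd_log(text):
    """Split a honeyd service log into records and pull the SMTP envelope out of each payload."""
    records = []
    for header, payload in RECORD_RE.findall(text):
        f = next(csv.reader([header]))  # time, service, src, dst, sport, dport, ''
        rec = {"time": f[0], "service": f[1], "src": f[2], "dst": f[3], "payload": payload}
        rec.update({k: rx.findall(payload) for k, rx in SMTP_RE.items()})
        records.append(rec)
    return records

def classify(records, valid_rcpts):
    """Bare connect = probe; mail to an address that never existed (e.g. a username with
    its last letter missing, as in post #4) = trap hit; otherwise report the attachment."""
    labels = []
    for r in records:
        if not r["payload"].strip():
            labels.append((r["src"], "probe"))
        elif any(a.lower() not in valid_rcpts for a in r["rcpt_to"]):
            labels.append((r["src"], "trap-hit"))
        else:
            labels.append((r["src"], "mail:" + ",".join(r["attachment"])))
    return labels

if __name__ == "__main__":
    print(classify(parse_honeyd_log(SAMPLE_LOG), {"jane.doe@sub.example.com"}))
```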
-
August 4th, 2007, 03:15 PM
#5
So, it looks like we have a dodgy nameserver (German?). This may be of interest: it is listed here
http://postmaster.gtcs.com/NameserversAmuk.php
and this:
http://www.robtex.com/dns/vistec.net.html
As for the spam, it is pretty much the same as we ban from this site: "buy v*i*a*g*r*a here", then "meet a beautiful Russian Woman".
As for filtering or trapping, I am no expert, but I would have thought that a nameserver shouldn't be sending you e-mails?
-
August 12th, 2007, 07:59 AM
#6
Senior Member
I 'now' solved the MX thing...
My ISP's domain script creates a new MX record if there is a new CNAME.
Using 'dig' it was easy to find out.
@nihil: thanks for the nameserver hint.
Last edited by stanger; August 13th, 2007 at 10:27 AM.
Industry Kills Music.