SMTP server (How can I find out the real source of an attack)

From: MrG (p2mask2_xtiat_private)
Date: Thu Jul 12 2001 - 15:53:36 PDT


    1. I have an SMTP server (behind my FW) that constantly
    (>7 times per second) is trying to establish a TCP/25
    session to a host on the internet which is not an SMTP
    server (Host_A).
    2. Host_A's administrator let me know about this
    behavior.
    3. Host_A's administrator implemented a filter to reject
    packets from my SMTP server.
    4. I verified on my FW this type of activity.
    5. With a sniffer between my FW internal card and my
    SMTP server I verified that constantly (at least 7
    times per second) there is traffic between my SMTP
    server and Host_A. Always 9 frames, same size,
    same number of bytes (the set up of the connection +
    the reject from Host_A + the quit command from my SMTP
    server).
    6. I disconnected my SMTP server from the network.
    
    I know that my SMTP server has been compromised, but
    how can I find out exactly the root of the problem? I
    really would like to know how I have been attacked.
    
    Can someone give me a hint on how to start looking? I
    already looked at several sites trying to find this but
    so far I haven't had any luck.
    
    All feedback is appreciated. Thanks in advance.
    
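One way to confirm the behaviour the poster describes from the firewall side, as an added example that is not part of the original message or of any SecurityFocus tool: the script below scans connection log lines, counts outbound TCP/25 attempts per source/destination pair in each one-second bucket, and flags pairs that reach the observed rate of 7 attempts per second. It also records whether every attempt carried the same number of frames, the fixed 9-frame pattern the poster saw with the sniffer, which is the kind of regularity that separates automated connect-and-quit loops from ordinary mail delivery. The log format, the addresses, and the frame counts are constructed for this example; adapt the regular expression to whatever a real firewall export looks like.

```python
"""Flag internal hosts that hammer one destination on TCP/25 at a fixed rate.

Added example. The log line format and the sample lines below are made up
for illustration; they are not any real firewall's format.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall-style lines: timestamp, action, proto, src:port -> dst:port, frames.
# 10.0.0.25 repeats an identical 9-frame exchange to 203.0.113.10:25 many times per second,
# while the other lines are ordinary one-off deliveries or unrelated traffic.
SAMPLE_LOG = """\
2001-07-12T15:00:00.010 ACCEPT TCP 10.0.0.25:1025 -> 203.0.113.10:25 frames=9
2001-07-12T15:00:00.130 ACCEPT TCP 10.0.0.25:1026 -> 203.0.113.10:25 frames=9
2001-07-12T15:00:00.250 ACCEPT TCP 10.0.0.25:1027 -> 203.0.113.10:25 frames=9
2001-07-12T15:00:00.300 ACCEPT TCP 10.0.0.25:1032 -> 198.51.100.9:25 frames=22
2001-07-12T15:00:00.370 ACCEPT TCP 10.0.0.25:1028 -> 203.0.113.10:25 frames=9
2001-07-12T15:00:00.490 ACCEPT TCP 10.0.0.25:1029 -> 203.0.113.10:25 frames=9
2001-07-12T15:00:00.610 ACCEPT TCP 10.0.0.25:1030 -> 203.0.113.10:25 frames=9
2001-07-12T15:00:00.730 ACCEPT TCP 10.0.0.25:1031 -> 203.0.113.10:25 frames=9
2001-07-12T15:00:00.850 ACCEPT TCP 10.0.0.25:1033 -> 203.0.113.10:25 frames=9
2001-07-12T15:00:00.970 ACCEPT TCP 10.0.0.25:1034 -> 203.0.113.10:25 frames=9
2001-07-12T15:00:01.090 ACCEPT TCP 10.0.0.25:1035 -> 203.0.113.10:25 frames=9
2001-07-12T15:00:01.210 ACCEPT TCP 10.0.0.25:1036 -> 203.0.113.10:25 frames=9
2001-07-12T15:00:01.400 ACCEPT TCP 10.0.0.40:3301 -> 198.51.100.7:25 frames=14
2001-07-12T15:00:01.450 ACCEPT TCP 10.0.0.40:3302 -> 198.51.100.7:80 frames=6
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\S+) TCP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"frames=(?P<frames>\d+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    for key in ("sport", "dport", "frames"):
        rec[key] = int(rec[key])
    return rec


def find_repeated_outbound(log_text, dport=25, per_second_threshold=7):
    """Return (src, dst) pairs whose peak attempts in any one-second bucket reach the threshold.

    Each finding also reports the total attempt count and whether every attempt used the
    same number of frames (a fixed-size exchange is a strong sign of an automated loop).
    """
    per_second = defaultdict(lambda: defaultdict(int))  # (src, dst) -> second -> attempts
    frame_counts = defaultdict(set)                      # (src, dst) -> distinct frame totals
    totals = defaultdict(int)                            # (src, dst) -> all attempts

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] != dport:
            continue
        key = (rec["src"], rec["dst"])
        second = rec["ts"].replace(microsecond=0)
        per_second[key][second] += 1
        frame_counts[key].add(rec["frames"])
        totals[key] += 1

    findings = []
    for key, buckets in per_second.items():
        peak = max(buckets.values())
        if peak >= per_second_threshold:
            findings.append({
                "src": key[0],
                "dst": key[1],
                "attempts": totals[key],
                "peak_per_second": peak,
                "fixed_frame_count": len(frame_counts[key]) == 1,
            })
    findings.sort(key=lambda f: -f["peak_per_second"])
    return findings


if __name__ == "__main__":
    for f in find_repeated_outbound(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}:25  attempts={f['attempts']}  "
              f"peak/s={f['peak_per_second']}  fixed_frames={f['fixed_frame_count']}")
```

On the constructed sample this reports only the 10.0.0.25 to 203.0.113.10 pair (11 attempts, peak of 9 in one second, identical frame count every time); the single deliveries to other hosts stay below the threshold. Run against a real firewall export, the same counting gives a timeline of when the loop started, which is the first thing to line up against the compromised host's own file timestamps and logs once it has been taken offline and imaged, as the poster has already done.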
    
    
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Thu Jul 12 2001 - 17:41:31 PDT