RE: SMTP server (How can I find out the real source of an attack)

From: Mike Batchelor (mikebatat_private)
Date: Fri Jul 13 2001 - 10:45:44 PDT

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    What's in the mail queue on your SMTP server?
    
    > -----Original Message-----
    > From: MrG [mailto:p2mask2_xtiat_private]
    > Sent: Thursday, July 12, 2001 3:54 PM
    > To: incidentsat_private
    > Subject: SMTP server (How can I find out the real source of an attack)
    > 
    > 
    > 1. I have an SMTP server (behind my FW) which constantly
    > (>7 times per second) is trying to establish a TCP=25
    > session to a host on the internet which is not an SMTP
    > server (Host_A).
    > 2. Host_A's administrator let me know about this
    > behavior.
    > 3. Host_A's administrator implemented a filter to reject
    > packets from my SMTP server.
    > 4. I verified this type of activity on my FW.
    > 5. With a sniffer between my FW internal card and my
    > SMTP server I verified that constantly (at least 7
    > times per second) there is traffic between my SMTP
    > server and Host_A. Always 9 frames, same size,
    > same number of bytes (the set up of the connection +
    > the reject from Host_A + the quit command from my SMTP
    > server).
    > 6. I disconnected my SMTP server from the network.
    > 
    > I know that my SMTP server has been compromised, but
    > how can I find out exactly the root of the problem? I
    > really would like to know how I have been attacked.
    > 
    > Can someone give me a hint on where to start looking? I
    > already looked at several sites trying to find this but
    > so far I haven't had any luck.
    > 
    > All feedback is appreciated. Thanks in advance.
    > 
    > __________________________________________________
    > Do You Yahoo!?
    > Get personalized email addresses from Yahoo! Mail
    > http://personal.mail.yahoo.com/
    > 
    > 
    > ----------------------------------------------------------------------------
    > 
    > 
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see:
    > 
    > http://aris.securityfocus.com
    > 
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
    
    iQA/AwUBO08zyEksS4VV8BvHEQI9iACgtt1kAgxEqv4XtaMLVklLB7ffDKwAn2kf
    KAkYNNjxWPEX7zUOISKOE+uz
    =kSgX
    -----END PGP SIGNATURE-----
    
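    Mike's question points at the first thing to check (a queued message whose delivery the MTA keeps retrying would produce exactly this kind of repeated, short-lived connection). Before pulling the box, it is also worth confirming the symptom MrG describes in a repeatable way: a burst of identical short connections to one host on port 25. The script below is an added example, not code from either poster or from any tool named on the page. It parses tcpdump -n style text and reports, per (internal client, external server) pair, the peak number of SYNs per second, the frame and byte counts per connection, and whether every connection has the same shape. The addresses, ports and the nine-frame session (handshake, a rejection reply, QUIT, teardown) are constructed for the example; the capture is generated inside the block rather than taken from the post.

```python
"""Triage helper for the symptom described in the post: an internal MTA hammering one
external host on TCP/25 with identical short connections.  Parses tcpdump -n style text
and summarises, per (client, server) pair, the SYN rate and the uniformity of the sessions.

Added example; every address, port and the nine-frame shape below is constructed.
"""
import re
import sys
from collections import defaultdict

# One TCP line of `tcpdump -n` output.  Real captures carry seq/win/options between the
# flags and the length; the `.*` skips them.
LINE_RE = re.compile(
    r"^(?P<sec>\d\d:\d\d:\d\d)\.\d+ IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\].*length (?P<length>\d+)"
)

# Constructed nine-frame session: handshake, a rejection reply from Host_A, QUIT from the
# MTA, teardown.  (endpoint template, TCP flags, payload length); c = client MTA, s = Host_A.
FRAME_TEMPLATE = [
    ("{c}.{p} > {s}.25", "S", 0),
    ("{s}.25 > {c}.{p}", "S.", 0),
    ("{c}.{p} > {s}.25", ".", 0),
    ("{s}.25 > {c}.{p}", "P.", 32),   # rejection text from Host_A (hypothetical length)
    ("{c}.{p} > {s}.25", ".", 0),
    ("{c}.{p} > {s}.25", "P.", 6),    # "QUIT\r\n" from the MTA
    ("{s}.25 > {c}.{p}", "F.", 0),
    ("{c}.{p} > {s}.25", "F.", 0),
    ("{s}.25 > {c}.{p}", ".", 0),
]


def build_sample(client="10.0.0.25", server="192.0.2.10", connections=8, start_port=40001):
    """Generate a constructed capture: `connections` identical sessions inside one second."""
    lines = []
    for i in range(connections):
        port = start_port + i
        for j, (ends, flags, length) in enumerate(FRAME_TEMPLATE):
            usec = i * 120_000 + j * 200            # eight sessions fit inside one second
            ends = ends.format(c=client, s=server, p=port)
            lines.append(f"10:45:01.{usec:06d} IP {ends}: Flags [{flags}], length {length}")
    return lines


def summarise(lines, mail_port=25):
    """Group frames into sessions keyed by (client, client_port, server); summarise per pair."""
    flows = defaultdict(list)   # (client, cport, server) -> [(direction+flags, length), ...]
    syns = defaultdict(int)     # (client, server, wall-clock second) -> SYN count
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue            # not a TCP line in the expected format; ignore it
        src, sport, dst, dport = m["src"], int(m["sport"]), m["dst"], int(m["dport"])
        flags, length = m["flags"], int(m["length"])
        if dport == mail_port:          # client -> server
            key, direction = (src, sport, dst), ">"
        elif sport == mail_port:        # server -> client
            key, direction = (dst, dport, src), "<"
        else:
            continue
        flows[key].append((direction + flags, length))
        if direction == ">" and flags == "S":
            syns[(src, dst, m["sec"])] += 1

    per_pair = defaultdict(list)
    for (client, _port, server), frames in flows.items():
        per_pair[(client, server)].append(frames)

    report = {}
    for (client, server), conns in per_pair.items():
        shapes = {tuple(f for f, _ in frames) for frames in conns}
        report[(client, server)] = {
            "connections": len(conns),
            "peak_syn_per_second": max(
                (n for (c, s, _), n in syns.items() if (c, s) == (client, server)), default=0),
            "frames_per_connection": sorted({len(frames) for frames in conns}),
            "bytes_per_connection": sorted({sum(l for _, l in frames) for frames in conns}),
            "identical_shape": len(shapes) == 1,
            "shape": tuple(f for f, _ in conns[0]),
        }
    return report


def flag_hammering(report, min_rate=7, min_connections=5):
    """Pairs matching the post's symptom: a sustained, uniform burst of port-25 sessions."""
    return sorted(pair for pair, r in report.items()
                  if r["peak_syn_per_second"] >= min_rate
                  and r["identical_shape"]
                  and r["connections"] >= min_connections)


if __name__ == "__main__":
    # Feed real `tcpdump -n` text on stdin; with no input, run on the constructed sample.
    lines = [l.rstrip("\n") for l in sys.stdin] if not sys.stdin.isatty() else build_sample()
    rep = summarise(lines)
    for pair, r in rep.items():
        print(pair, r)
    print("hammering:", flag_hammering(rep))
```

    Run it as `tcpdump -n -r capture.pcap 'tcp port 25' | python3 triage.py` (the file name is hypothetical). The thresholds in `flag_hammering` are set from the numbers in the post (at least 7 attempts per second, always the same frames); the point of the `identical_shape` and `bytes_per_connection` fields is that a mailer retrying one queued message produces sessions that are byte-for-byte alike, which is a different picture from, say, a relay probe walking through many destinations.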



    This archive was generated by hypermail 2b30 : Fri Jul 13 2001 - 17:12:33 PDT