RE: SMTP server (How can I find out the real source of an attack)

From: Mike Batchelor (mikebatat_private)
Date: Fri Jul 13 2001 - 10:45:44 PDT

Next message: Nick FitzGerald: "Re: Security Event / Customer Reporting"

Previous message: jerat_private: "Re: Denial of service attack on port 6667"
In reply to: MrG: "SMTP server (How can I find out the real source of an attack)"
Next in thread: Dean Cunningham: "RE: SMTP server (How can I find out the real source of an attack)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Whats in the mail queue on your SMTP server?

> -----Original Message-----
> From: MrG [mailto:p2mask2_xtiat_private]
> Sent: Thursday, July 12, 2001 3:54 PM
> To: incidentsat_private
> Subject: SMTP server (How can I find out the real source of an attack)
> 
> 
> 1.I have a SMTP server (behind my FW) who constantly
> (>7 times per second) is trying to establish a TCP=25
> session to a host on the internet which is not a SMTP
> server (Host_A).
> 2.Host_A administrator let me know about this
> behavior.
> 3.Host_A administrator implement a filter to reject
> packets form my SMTP server
> 4.I verified on my FW this type of activity
> 5.With an sniffer between my FW internal card and my
> SMTP server I verified that constantly (at least 7
> times per second) there is traffic between my SMTP
> server and Host_A.     Always 9 frames, same size,
> same number of bytes (the set up of the connection +
> the reject from Host_A + the quit command from my SMTP
> server)
> 6.I disconnect from the network my SMTP server
> 
> I know that my SMTP server  has been compromise but
> how can I find out exactly the root of the problem. I
> really would like to know how I have been attack.
> 
> Can someone give me a hint how to start looking at. I
> already look at several sites trying to find this but
> so far I haven't got any luck 
> 
> All feed back is appreciate. Thanks in advance
> 
> __________________________________________________
> Do You Yahoo!?
> Get personalized email addresses from Yahoo! Mail
> http://personal.mail.yahoo.com/
> 
> 
> ------------------------------------------------------------------
> ----------
> 
> 
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management 
> and tracking system please see:
> 
> http://aris.securityfocus.com
> 

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBO08zyEksS4VV8BvHEQI9iACgtt1kAgxEqv4XtaMLVklLB7ffDKwAn2kf
KAkYNNjxWPEX7zUOISKOE+uz
=kSgX
-----END PGP SIGNATURE-----



----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com

Next message: Nick FitzGerald: "Re: Security Event / Customer Reporting"
Previous message: jerat_private: "Re: Denial of service attack on port 6667"
In reply to: MrG: "SMTP server (How can I find out the real source of an attack)"
Next in thread: Dean Cunningham: "RE: SMTP server (How can I find out the real source of an attack)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Jul 13 2001 - 17:12:33 PDT