-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

What's in the mail queue on your SMTP server?

> -----Original Message-----
> From: MrG [mailto:p2mask2_xtiat_private]
> Sent: Thursday, July 12, 2001 3:54 PM
> To: incidentsat_private
> Subject: SMTP server (How can I find out the real source of an attack)
>
>
> 1. I have an SMTP server (behind my FW) which constantly
>    (>7 times per second) is trying to establish a TCP=25
>    session to a host on the internet which is not an SMTP
>    server (Host_A).
> 2. Host_A's administrator let me know about this
>    behavior.
> 3. Host_A's administrator implemented a filter to reject
>    packets from my SMTP server.
> 4. I verified on my FW this type of activity.
> 5. With a sniffer between my FW internal card and my
>    SMTP server I verified that constantly (at least 7
>    times per second) there is traffic between my SMTP
>    server and Host_A. Always 9 frames, same size,
>    same number of bytes (the set-up of the connection +
>    the reject from Host_A + the QUIT command from my SMTP
>    server).
> 6. I disconnected my SMTP server from the network.
>
> I know that my SMTP server has been compromised, but
> how can I find out exactly the root of the problem? I
> really would like to know how I have been attacked.
>
> Can someone give me a hint on how to start looking at it? I
> already looked at several sites trying to find this, but
> so far I haven't had any luck.
>
> All feedback is appreciated. Thanks in advance.
>
> __________________________________________________
> Do You Yahoo!?
> Get personalized email addresses from Yahoo! Mail
> http://personal.mail.yahoo.com/
>
>
> ----------------------------------------------------------------------------
>
>
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see:
>
> http://aris.securityfocus.com

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBO08zyEksS4VV8BvHEQI9iACgtt1kAgxEqv4XtaMLVklLB7ffDKwAn2kf
KAkYNNjxWPEX7zUOISKOE+uz
=kSgX
-----END PGP SIGNATURE-----
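One way to confirm the symptom MrG describes (an internal host opening identical short TCP/25 sessions to one remote host at more than seven a second) from a per-session sniffer or firewall summary, as an added example that is not part of the original thread or the list's own tooling. The one-line-per-session log format, the hosts 10.1.2.3 and 203.0.113.7, and the rate and session-count thresholds are all constructed for the example; a real firewall or tcpdump summary would need its own parser.

```python
"""Flag an internal host hammering one remote TCP/25 port with
near-identical short sessions (constructed example, not code from the
original post or from SecurityFocus)."""
import re
from collections import defaultdict

# Assumed per-session summary format (constructed for this example):
#   <epoch-seconds> <src>:<sport> -> <dst>:<dport> frames=<n> bytes=<n>
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+frames=(?P<frames>\d+)\s+bytes=(?P<bytes>\d+)$"
)


def parse_line(line):
    """Return a session record dict, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": float(d["ts"]), "src": d["src"], "dst": d["dst"],
        "dport": int(d["dport"]), "frames": int(d["frames"]),
        "bytes": int(d["bytes"]),
    }


def find_beaconing(lines, dport=25, min_rate=7.0, min_sessions=5):
    """Group sessions by (src, dst, dport) and report flows whose sessions
    recur at >= min_rate per second AND are all the same shape (same frame
    and byte count), which is what a looping delivery attempt looks like."""
    flows = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dport"] == dport:
            flows[(rec["src"], rec["dst"], rec["dport"])].append(rec)

    findings = []
    for (src, dst, port), recs in flows.items():
        if len(recs) < min_sessions:
            continue
        recs.sort(key=lambda r: r["ts"])
        span = recs[-1]["ts"] - recs[0]["ts"]
        # n sessions give n-1 intervals across `span` seconds
        rate = (len(recs) - 1) / span if span > 0 else float("inf")
        uniform = (len({r["frames"] for r in recs}) == 1
                   and len({r["bytes"] for r in recs}) == 1)
        if rate >= min_rate and uniform:
            findings.append({
                "src": src, "dst": dst, "dport": port,
                "sessions": len(recs), "rate_per_s": round(rate, 1),
                "frames": recs[0]["frames"], "bytes": recs[0]["bytes"],
            })
    return findings


# Constructed sample log: ten identical 9-frame sessions to 203.0.113.7:25
# 0.13 s apart (about 7.7/s), plus a normal-looking trickle of mail to
# another relay and one unrelated HTTPS session.
SAMPLE_LOG = [
    f"{994976040 + i * 0.13:.2f} 10.1.2.3:{40000 + i} -> 203.0.113.7:25 frames=9 bytes=612"
    for i in range(10)
] + [
    "994976050.00 10.1.2.3:41000 -> 198.51.100.9:25 frames=31 bytes=4410",
    "994976080.00 10.1.2.3:41001 -> 198.51.100.9:25 frames=27 bytes=3902",
    "994976100.00 10.1.2.3:41002 -> 198.51.100.9:25 frames=44 bytes=7125",
    "994976105.00 10.1.2.3:41003 -> 198.51.100.9:443 frames=18 bytes=2210",
]

if __name__ == "__main__":
    for f in find_beaconing(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}:{f['dport']}  {f['sessions']} sessions, "
              f"{f['rate_per_s']}/s, every one {f['frames']} frames / {f['bytes']} bytes")
```

The uniform-shape check is what separates a stuck queue entry or a looping delivery attempt from a busy but legitimate relay: real mail to a working peer varies in frame and byte count from message to message. Once a flow like this is confirmed, the reply's question is the right next step: the queue on the SMTP server (and its queue directory) shows what is being retried, to whom, and since when, before the box is wiped.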
This archive was generated by hypermail 2b30 : Fri Jul 13 2001 - 17:12:33 PDT