RE: SMTP server (How can I find out the real source of an attack)

From: Dean Cunningham (Dean.Cunninghamat_private)
Date: Thu Jul 12 2001 - 18:28:12 PDT


    What is the OS platform and what other applications run on the machine? i.e.
    bind
    This will help narrow down, for others, places to look.
    
    -----Original Message-----
    From: MrG [mailto:p2mask2_xtiat_private]
    Sent: Friday, 13 July 2001 10:54 AM
    To: incidentsat_private
    Subject: SMTP server (How can I find out the real source of an attack)
    
    
    1. I have an SMTP server (behind my FW) which constantly
    (>7 times per second) is trying to establish a TCP=25
    session to a host on the internet which is not an SMTP
    server (Host_A).
    2. Host_A's administrator let me know about this
    behavior.
    3. Host_A's administrator implemented a filter to reject
    packets from my SMTP server.
    4. I verified on my FW this type of activity.
    5. With a sniffer between my FW internal card and my
    SMTP server I verified that constantly (at least 7
    times per second) there is traffic between my SMTP
    server and Host_A. Always 9 frames, same size,
    same number of bytes (the set-up of the connection +
    the reject from Host_A + the quit command from my SMTP
    server).
    6. I disconnected my SMTP server from the network.
    
    I know that my SMTP server has been compromised but
    how can I find out exactly the root of the problem? I
    really would like to know how I have been attacked.
    
    Can someone give me a hint on where to start looking? I
    already looked at several sites trying to find this but
    so far I haven't had any luck.
    
    All feedback is appreciated. Thanks in advance.
    
    
    
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
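As an added example (not code from either post), a small Python script that flags the pattern MrG describes when run over constructed firewall or sniffer log lines: the same internal source making seven or more outbound TCP/25 connection attempts to one destination within a single second. The log format, the addresses and the default threshold are assumptions made here.

```python
"""Rate-based detector for the repeated outbound TCP/25 attempts described
in the post. Input is a constructed, simplified log with one attempt per
line: '<epoch_seconds> <src_ip> <dst_ip> <dport>'. The 7-per-second
threshold comes from the post; the addresses are constructed samples."""
from collections import defaultdict

# Constructed sample: 10.0.0.5 plays the SMTP server, 203.0.113.9 stands in
# for Host_A. Eight attempts land inside one second, then a few stragglers,
# one normal delivery to a real relay and one unrelated HTTPS connection.
SAMPLE_LINES = [f"1000.{i * 120:03d} 10.0.0.5 203.0.113.9 25" for i in range(8)]
SAMPLE_LINES += [
    "1000.500 10.0.0.5 198.51.100.7 25",   # legitimate single delivery
    "1001.300 10.0.0.5 203.0.113.9 25",
    "1001.900 10.0.0.5 203.0.113.9 25",
    "1002.000 10.0.0.8 203.0.113.9 443",   # not port 25, ignored
]
SAMPLE_LOG = "\n".join(SAMPLE_LINES)


def parse(log_text):
    """Turn log lines into (timestamp, src, dst, dport) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        events.append((float(ts), src, dst, int(dport)))
    return events


def find_beaconing(events, threshold=7, window=1.0):
    """Return {(src, dst): peak_rate} for source/destination pairs whose
    TCP/25 attempts reach `threshold` or more inside any `window` seconds."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in events:
        if dport == 25:
            by_pair[(src, dst)].append(ts)
    hits = {}
    for pair, times in by_pair.items():
        times.sort()                      # logs need not arrive in order
        peak, start = 0, 0
        for end in range(len(times)):     # sliding window over sorted times
            while times[end] - times[start] >= window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[pair] = peak
    return hits


if __name__ == "__main__":
    for (src, dst), rate in find_beaconing(parse(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}:25 peaked at {rate} attempts/second")
```

The legitimate relay and the HTTPS connection never reach the threshold, so only the Host_A pair is reported; a real deployment would add the nine-frame signature from the sniffer as a second field to tighten the match.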
    



    This archive was generated by hypermail 2b30 : Fri Jul 13 2001 - 17:23:25 PDT