RE: SMTP server (How can I find out the real source of an attack)

From: Dean Cunningham (Dean.Cunninghamat_private)
Date: Thu Jul 12 2001 - 18:28:12 PDT

Next message: kath: "Re: SMTP server (How can I find out the real source of an attack)"

Previous message: Nick FitzGerald: "Re: Security Event / Customer Reporting"
Maybe in reply to: MrG: "SMTP server (How can I find out the real source of an attack)"
Next in thread: kath: "Re: SMTP server (How can I find out the real source of an attack)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

What is the OS platform and what other applications run on the machine? i.e.
bind
This will help narow down for others, places to look

-----Original Message-----
From: MrG [mailto:p2mask2_xtiat_private]
Sent: Friday, 13 July 2001 10:54 AM
To: incidentsat_private
Subject: SMTP server (How can I find out the real source of an attack)

1.I have a SMTP server (behind my FW) who constantly
(>7 times per second) is trying to establish a TCP=25
session to a host on the internet which is not a SMTP
server (Host_A).
2.Host_A administrator let me know about this
behavior.
3.Host_A administrator implement a filter to reject
packets form my SMTP server
4.I verified on my FW this type of activity
5.With an sniffer between my FW internal card and my
SMTP server I verified that constantly (at least 7
times per second) there is traffic between my SMTP
server and Host_A.     Always 9 frames, same size,
same number of bytes (the set up of the connection +
the reject from Host_A + the quit command from my SMTP
server)
6.I disconnect from the network my SMTP server

I know that my SMTP server  has been compromise but
how can I find out exactly the root of the problem. I
really would like to know how I have been attack.

Can someone give me a hint how to start looking at. I
already look at several sites trying to find this but
so far I haven't got any luck 

All feed back is appreciate. Thanks in advance

__________________________________________________
Do You Yahoo!?
Get personalized email addresses from Yahoo! Mail
http://personal.mail.yahoo.com/

----------------------------------------------------------------------------

This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com
***************************************************
This e-mail is  not an  official  statement of  the
Waikato  Regional  Council unless otherwise stated.
Visit our website http://www.ew.govt.nz
***************************************************

----------------------------------------------------------------------------

This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com

Next message: kath: "Re: SMTP server (How can I find out the real source of an attack)"
Previous message: Nick FitzGerald: "Re: Security Event / Customer Reporting"
Maybe in reply to: MrG: "SMTP server (How can I find out the real source of an attack)"
Next in thread: kath: "Re: SMTP server (How can I find out the real source of an attack)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Jul 13 2001 - 17:23:25 PDT