Re: SMTP server (How can I find out the real source of an attack)

From: kath (kathat_private)
Date: Thu Jul 12 2001 - 17:47:04 PDT


    Well, I would say, check the version of all daemons you have, starting with
    your SMTP server daemon itself.  Look to see if there were any security
    patches issued that you may have not applied.
    
    If you have a RO reference, run tripwire to check for altered system files.
    
    You might also want to sniff packets with tcpdump and see if anyone else is
    receiving the same treatment as Host_A.
    
    Or maybe run a packet sniffer and look at what is in the packets.
    
    - k
    
    
    
    ----- Original Message -----
    From: "MrG" <p2mask2_xtiat_private>
    To: <incidentsat_private>
    Sent: Thursday, July 12, 2001 6:53 PM
    Subject: SMTP server (How can I find out the real source of an attack)
    
    
    > 1. I have an SMTP server (behind my FW) that constantly
    > (>7 times per second) is trying to establish a TCP=25
    > session to a host on the internet which is not an SMTP
    > server (Host_A).
    > 2. Host_A's administrator let me know about this
    > behavior.
    > 3. Host_A's administrator implemented a filter to reject
    > packets from my SMTP server.
    > 4. I verified this type of activity on my FW.
    > 5. With a sniffer between my FW internal card and my
    > SMTP server I verified that constantly (at least 7
    > times per second) there is traffic between my SMTP
    > server and Host_A. Always 9 frames, same size,
    > same number of bytes (the setup of the connection +
    > the reject from Host_A + the quit command from my SMTP
    > server).
    > 6. I disconnected my SMTP server from the network.
    >
    > I know that my SMTP server has been compromised, but
    > how can I find out exactly the root of the problem? I
    > really would like to know how I have been attacked.
    >
    > Can someone give me a hint on how to start looking? I
    > have already looked at several sites trying to find this, but
    > so far I haven't had any luck.
    >
    > All feedback is appreciated. Thanks in advance.
    >
    
    
    
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
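Added example (not part of kath's reply or MrG's post): a small Python script that applies kath's tcpdump suggestion to the pattern MrG describes, parsing `tcpdump -n` style lines and flagging any internal host whose SYN rate to port 25 on a single destination reaches 7 per second. The line format, the addresses and the threshold are assumptions, and the capture is constructed rather than taken from the incident.

```python
import re
from collections import defaultdict

# Leading fields of "tcpdump -n" TCP output: timestamp, src.port > dst.port, flags.
# The exact field layout is an assumption about the sniffer's output format.
TCPDUMP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.\d+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def parse_syns(lines):
    """Yield (second, src, dst, dport) for every pure SYN, i.e. a new connection attempt."""
    for line in lines:
        m = TCPDUMP_LINE.match(line)
        if m and m.group("flags") == "S":
            yield m.group("ts"), m.group("src"), m.group("dst"), int(m.group("dport"))

def find_beaconing(lines, port=25, min_rate=7):
    """Return {(src, dst): peak SYNs per second} for every flow to `port` whose
    connection-attempt rate reached `min_rate` within any one-second bucket."""
    per_second = defaultdict(int)
    for sec, src, dst, dport in parse_syns(lines):
        if dport == port:
            per_second[(src, dst, sec)] += 1
    peaks = defaultdict(int)
    for (src, dst, _sec), n in per_second.items():
        peaks[(src, dst)] = max(peaks[(src, dst)], n)
    return {flow: n for flow, n in peaks.items() if n >= min_rate}

def constructed_capture():
    """Constructed sample of tcpdump -n output (not a real capture): host 192.0.2.10
    opens eight port-25 connections to 203.0.113.7 within one second, each answered
    by a RST, while 192.0.2.20 sends a single normal outbound mail connection."""
    lines = []
    for i in range(8):
        lines.append(f"18:53:01.{i:02d}0000 IP 192.0.2.10.{40000 + i} > 203.0.113.7.25: "
                     f"Flags [S], seq {i}, win 5840, length 0")
        lines.append(f"18:53:01.{i:02d}0500 IP 203.0.113.7.25 > 192.0.2.10.{40000 + i}: "
                     f"Flags [R.], seq 0, ack {i + 1}, win 0, length 0")
    lines.append("18:53:02.000000 IP 192.0.2.20.51000 > 198.51.100.4.25: "
                 "Flags [S], seq 99, win 5840, length 0")
    return lines

if __name__ == "__main__":
    for (src, dst), rate in find_beaconing(constructed_capture()).items():
        print(f"{src} -> {dst}:25 peaked at {rate} connection attempts/second")
```

Feed it real output with `tcpdump -n -l tcp port 25 | python3 script.py`-style piping after swapping `constructed_capture()` for `sys.stdin`; the same bucketing also shows whether other internal hosts, as kath suggests checking, are beaconing to the same destination.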
    



    This archive was generated by hypermail 2b30 : Fri Jul 13 2001 - 17:34:11 PDT