> You might also want to sniff packets with tcpdump and see if anyone else is
> receiving the same treatment as Host_A.
>
> Or maybe run a packet sniffer and look at what is in the packets.

If the initial TCP handshake never completes, you won't get far looking at the packets. But there's another way. If you've a spare computer and can afford to take down that primary server for a little while, run this test:

1) Renumber the offending server (A) within the network it's trying to contact. Make it one IP higher or lower and then set its gateway address to be the one it's trying to contact. The subnet mask can be a class C 255.255.255.0.

2) Set up another temporary SMTP server (B) and assign it the gateway address from #1 above. You can make its gateway address the address from Server A (on the same ethernet segment you really don't need the gateways assigned).

3) Hook up servers A & B via crossover cable or alone on a hub and verify they can ping each other.

4) Look at the logs on server B. If Server A tries to send e-mail, you should be able to tell what domain is on the receiving end. Then define that user/domain as local to server B and let it go -- if it's really trying to send e-mail you'll have a copy for review.

I used this technique when investigating the QAZ virus. It didn't quite work; I'm not sure if it's because the virus was coded to expect some response line my temporary MTA wasn't giving, or if the virus wasn't actually meant to send a complete e-mail anywhere (i.e. the creators were just scanning the SMTP connection logs for their victims -- why waste the bandwidth and cycles when all that's needed is an IP address).

Mike

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
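As an added illustration of the decoy mail server (B) described in the post, not code from the original message or from any MTA: a minimal SMTP sink that answers every step of the dialogue with the reply codes a client expects (the "response line" problem Mike mentions), and records the HELO name, envelope sender, recipients and body of whatever the suspect host hands over. The hostname `sink.invalid` and the port binding are assumptions you would adjust.

```python
import socketserver

class SmtpSession:
    """Answers one SMTP dialogue with the replies a client expects and records the envelope."""
    def __init__(self, hostname="sink.invalid"):  # hostname: constructed placeholder
        self.hostname, self.helo = hostname, None
        self.mail_from, self.rcpt_to, self.data_lines = None, [], []
        self.in_data, self.messages = False, []  # messages: (sender, recipients, body)
    def greeting(self):
        return f"220 {self.hostname} ESMTP ready\r\n"
    def handle_line(self, line):
        """Consume one client line; return the reply, or None while inside DATA."""
        line = line.rstrip("\r\n")
        if self.in_data:
            if line != ".":  # body line; undo dot-stuffing
                self.data_lines.append(line[1:] if line.startswith("..") else line)
                return None
            self.messages.append((self.mail_from, self.rcpt_to, "\n".join(self.data_lines)))
            self.mail_from, self.rcpt_to, self.data_lines, self.in_data = None, [], [], False
            return "250 OK queued\r\n"
        verb, _, arg = line.partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb in ("HELO", "EHLO"):
            self.helo = arg
            return f"250 {self.hostname}\r\n"
        if verb == "MAIL":  # MAIL FROM:<addr>
            self.mail_from = arg.partition(":")[2].strip()
            return "250 OK\r\n"
        if verb == "RCPT":  # RCPT TO:<addr>
            self.rcpt_to.append(arg.partition(":")[2].strip())
            return "250 OK\r\n"
        if verb == "DATA":
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>\r\n"
        if verb == "QUIT":
            return "221 Bye\r\n"
        return "500 Command not recognized\r\n"

class SinkHandler(socketserver.StreamRequestHandler):
    """One TCP connection: run the dialogue, then log every envelope handed over."""
    def handle(self):
        session = SmtpSession()
        self.wfile.write(session.greeting().encode())
        for raw in self.rfile:
            reply = session.handle_line(raw.decode("latin-1"))
            if reply:
                self.wfile.write(reply.encode())
        for sender, rcpts, body in session.messages:
            print(f"{self.client_address[0]} HELO={session.helo} FROM={sender} TO={rcpts} bytes={len(body)}")

if __name__ == "__main__":  # port 25 needs root; use a high port plus a redirect if preferred
    socketserver.TCPServer(("0.0.0.0", 25), SinkHandler).serve_forever()
```

Run it on server B in place of a real MTA; each connection from A prints one line per message, which gives you the receiving domain even when the client never completes the transaction.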
This archive was generated by hypermail 2b30 : Mon Jul 16 2001 - 11:08:57 PDT