Re: SMTP server (How can I find out the real source of an attack)

From: Mike Lewinski (mikeat_private)
Date: Fri Jul 13 2001 - 21:55:03 PDT


    > You might also want to sniff packets with tcpdump and see if anyone
    > else is receiving the same treatment as Host_A.
    >
    > Or maybe run a packet sniffer and look at what is in the packets.
    
    If the initial TCP handshake never completes, you won't get far looking
    at the packets. But there's another way.
    
    If you've a spare computer and can afford to take down that primary
    server for a little while, run this test:
    
    1) Renumber the offending server (A) within the network it's trying to
    contact. Make it one IP higher or lower and then set its gateway
    address to be the one it's trying to contact. The subnet mask can be a
    class C 255.255.255.0.
    
    2) Set up another temporary SMTP server (B) and assign it the gateway
    address from #1 above. You can make its gateway address the address
    from Server A (on the same ethernet segment you really don't need the
    gateways assigned).
    
    3) Hook up servers A & B via crossover cable or alone on a hub and
    verify they can ping each other.
    
    4) Look at the logs on server B. If Server A tries to send e-mail, you
    should be able to tell what domain is on the receiving end. Then define
    that user/domain as local to server B and let it go-- if it's really
    trying to send e-mail you'll have a copy for review.
    
    I used this technique when investigating the QAZ virus. It didn't quite
    work; I'm not sure if it's because the virus was coded to expect some
    response line my temporary MTA wasn't giving, or if the virus wasn't
    actually meant to send a complete e-mail anywhere (i.e. the creators
    were just scanning the SMTP connection logs for their victims-- why
    waste the bandwidth and cycles when all that's needed is an IP address).
    
    Mike
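The temporary "server B" from steps 1-4 above, as an added example that is not part of the original post: a minimal Python SMTP sink that accepts every sender and recipient as local (so whatever domain server A tries to reach lands here), stores the envelope and body for review, and keeps a transcript of every command and reply. The transcript matters for the failure mode described in the post: a client that connects and then stops, or gives up on an unexpected response line, still leaves a record of exactly how far the dialogue got. The hostname `sink.example.invalid`, the listening port and all addresses in the usage are assumptions.

```python
"""Minimal SMTP sink for an isolated test segment (added example, not the post's code)."""
import socketserver
from dataclasses import dataclass, field


@dataclass
class Envelope:
    helo: str = ""
    mail_from: str = ""
    rcpt_to: list = field(default_factory=list)
    data: str = ""


def _addr(arg):
    """Pull the address out of 'FROM:<a@b> [params]' or 'TO:<a@b>'; '' for the null sender <>."""
    _, _, rest = arg.partition(":")
    rest = rest.strip()
    if rest.startswith("<") and ">" in rest:
        rest = rest[1:rest.index(">")]
    return rest.strip()


class SmtpSinkSession:
    """Protocol state machine for one client. Pure function of the lines fed to it, so it can
    be exercised without a socket; the TCP handler below just pumps lines through feed()."""

    def __init__(self, hostname="sink.example.invalid"):   # assumed hostname
        self.hostname = hostname
        self.envelope = Envelope()
        self.captured = []      # completed Envelope objects
        self.transcript = []    # (client_line, server_reply) pairs, for post-mortem review
        self.data_lines = []
        self.in_data = False
        self.closed = False

    def greeting(self):
        return f"220 {self.hostname} ESMTP ready"

    def feed(self, line):
        """Handle one client line (CRLF stripped). Returns the reply, or None while receiving DATA."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.envelope.data = "\n".join(self.data_lines)
                self.captured.append(self.envelope)
                self.envelope = Envelope(helo=self.envelope.helo)
                self.data_lines = []
                reply = "250 OK: message accepted"
            else:
                # RFC 5321 dot-stuffing: a line starting with ".." carries a literal leading "."
                self.data_lines.append(line[1:] if line.startswith("..") else line)
                reply = None
        else:
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                self.envelope.helo = arg.strip()
                reply = f"250 {self.hostname}"
            elif verb == "MAIL":
                self.envelope.mail_from = _addr(arg)
                reply = "250 OK"
            elif verb == "RCPT":
                self.envelope.rcpt_to.append(_addr(arg))   # every domain is "local" here
                reply = "250 OK"
            elif verb == "DATA":
                if not self.envelope.rcpt_to:
                    reply = "503 RCPT TO required first"
                else:
                    self.in_data = True
                    reply = "354 End data with <CR><LF>.<CR><LF>"
            elif verb == "RSET":
                self.envelope = Envelope(helo=self.envelope.helo)
                reply = "250 OK"
            elif verb == "NOOP":
                reply = "250 OK"
            elif verb == "QUIT":
                self.closed = True
                reply = f"221 {self.hostname} closing"
            else:
                reply = "500 Command not recognized"
        self.transcript.append((line, reply))
        return reply


class _Handler(socketserver.StreamRequestHandler):
    def handle(self):
        session = SmtpSinkSession()
        peer = self.client_address[0]
        print(f"[sink] connection from {peer}")
        self.wfile.write((session.greeting() + "\r\n").encode())
        while not session.closed:
            raw = self.rfile.readline()
            if not raw:
                break                                   # client hung up mid-dialogue
            reply = session.feed(raw.decode("utf-8", "replace").rstrip("\r\n"))
            if reply is not None:
                self.wfile.write((reply + "\r\n").encode())
        # Log both completed messages and the raw transcript; an aborted session still shows
        # the last command the client sent and the reply it got before leaving.
        for env in session.captured:
            print(f"[sink] {peer} HELO={env.helo!r} FROM={env.mail_from!r} "
                  f"TO={env.rcpt_to} body={len(env.data)} chars")
        for client_line, reply in session.transcript:
            print(f"[sink] {peer} C: {client_line!r}  S: {reply!r}")


def serve(bind="0.0.0.0", port=25):
    """Listen on the isolated segment; port 25 needs root, pick a high port if you redirect instead."""
    with socketserver.ThreadingTCPServer((bind, port), _Handler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

Run it on server B with the gateway address from step 1; server A's outbound mail (or its half-finished SMTP dialogue) appears on stdout. A hardened setup would write the captured messages to disk rather than printing them, but the session object already holds everything needed for that.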
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
    
    This archive was generated by hypermail 2b30 : Mon Jul 16 2001 - 11:08:57 PDT