RE:

From: Hugo van der Kooij (hvdkooijat_private)
Date: Tue Oct 15 2002 - 14:20:08 PDT


On Tue, 15 Oct 2002, Hay,Daniel wrote:

> We are in the same boat. We have udp/tcp 135-139 and 445 blocked but we still see the spam. We have identified 2 hosts on campus: 1 is a Linux box running RedHat 7.3, the other seems to be a Win2k box. I've done a quick check of the Linux box but it doesn't appear to be compromised; one thing I did notice from external scanning is that RPC on the Linux box is not configured correctly and allows forwarding of RPC requests. I've not checked the windows box yet but I was thinking maybe the requests were being forwarded from outside the campus network to hosts inside via these misconfigured RPC installations. Any thoughts? Am I way off base here?

Any proxy/webserver around?

The most common way to send loads of spam is abusing proxies. I have seen
at least one attempt in our lab where a CacheFlow box (hardware proxy)
that was supposed to be closed for this type of CONNECT request was
successfully used to forward spam.

Hugo.

-- 
 All email sent to me is bound to the rules described on my homepage.
    hvdkooijat_private          http://hvdkooij.xs4all.nl/
        Don't meddle in the affairs of sysadmins,
        for they are subtle and quick to anger.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

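Hugo's point is that a proxy which honours CONNECT to arbitrary ports becomes a spam relay. The checker below is an added example, not code from this thread or from SecurityFocus: it reads Squid-style native access.log lines (the sample lines, client addresses and "internal" ranges are constructed for the example) and reports every CONNECT the proxy actually served to a non-TLS port, such as 25, or on behalf of a client outside the campus ranges, while listing denied attempts separately so an admin can confirm the ACL is doing its job.

```python
"""Flag proxy CONNECT requests that look like spam relaying.

Added example, not part of the original list post. It assumes the
Squid native access.log layout; the log lines, client addresses and
internal ranges below are constructed for illustration.
"""
import ipaddress

# Ports a forward proxy legitimately needs CONNECT for (TLS). CONNECT to
# anything else, above all 25/tcp, is the relay abuse described above.
ALLOWED_CONNECT_PORTS = {443}

# Constructed campus ranges for the example; replace with your own.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample lines in Squid native format:
# time elapsed client action/code bytes method url user hierarchy type
SAMPLE_LOG = """\
1034720408.101 312 192.0.2.17 TCP_MISS/200 4821 GET http://www.securityfocus.com/ - DIRECT/66.35.250.150 text/html
1034720409.554 45 192.0.2.17 TCP_MISS/200 2210 CONNECT bank.example.net:443 - DIRECT/198.51.100.20 -
1034720411.020 60 203.0.113.77 TCP_MISS/200 9811 CONNECT mx1.example.org:25 - DIRECT/198.51.100.9 -
1034720411.980 58 203.0.113.77 TCP_MISS/200 9790 CONNECT mx2.example.org:25 - DIRECT/198.51.100.10 -
1034720412.300 12 203.0.113.77 TCP_DENIED/403 1120 CONNECT mx3.example.org:25 - NONE/- text/html
1034720413.700 40 10.3.4.5 TCP_MISS/200 1500 CONNECT mx4.example.org:25 - DIRECT/198.51.100.11 -
"""


def parse_line(line):
    """Split one Squid native access.log line into the fields we need."""
    parts = line.split()
    if len(parts) < 7:
        return None
    action, _, code = parts[3].partition("/")
    return {"time": parts[0], "client": parts[2], "action": action,
            "code": code, "method": parts[5], "url": parts[6]}


def connect_port(url):
    """CONNECT targets are host:port; return the port or None."""
    host, sep, port = url.rpartition(":")
    if not sep or not port.isdigit():
        return None
    return int(port)


def is_internal(ip):
    """True when the client address falls inside one of INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def find_suspicious_connects(log_text):
    """Return (served, denied) lists of CONNECT records worth a look.

    A request is suspicious when its destination port is not a TLS port
    or its client is not on an internal network. Requests the proxy
    answered with 2xx go in 'served' (the relay actually worked); the
    rest go in 'denied', which shows the ACL is catching them.
    """
    served, denied = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        port = connect_port(rec["url"])
        reasons = []
        if port not in ALLOWED_CONNECT_PORTS:
            reasons.append("non-TLS port %s" % port)
        if not is_internal(rec["client"]):
            reasons.append("external client")
        if not reasons:
            continue
        rec["reasons"] = reasons
        if rec["code"].startswith("2"):
            served.append(rec)
        else:
            denied.append(rec)
    return served, denied


if __name__ == "__main__":
    relayed, blocked = find_suspicious_connects(SAMPLE_LOG)
    for r in relayed:
        print("RELAYED  %s -> %s (%s)" % (r["client"], r["url"], ", ".join(r["reasons"])))
    for r in blocked:
        print("BLOCKED  %s -> %s" % (r["client"], r["url"]))
```

Run against a real access.log, the "served" list is the one that matters: an external client getting a 200 on CONNECT host:25 means the box is relaying, whatever its ACLs were meant to do, which is exactly the CacheFlow case above. The internal client in the last sample line shows the other side of the thread: a campus host relaying through the proxy would surface the same way.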

This archive was generated by hypermail 2b30 : Tue Oct 15 2002 - 14:34:42 PDT