Bronek Kozicki <brokat_private> wrote: [...]

OK, problem resolved. Thanks all for help. Things were a bit more complicated than I was thinking, or rather I missed two important pieces of the puzzle.

First piece is that we are running Apache on the same W2K machine. Shame on me, I have not noticed it before, because it was bound to a different IP than the one reported in spam (you can run both IIS and Apache on port 80 of one machine, if you disable IIS ConnectionPooling and use different IPs). Anyway, this Apache is configured as a proxy to some other host, using the ProxyPass directive. Some of my colleagues also configured ProxyRequest On, making this server an open proxy. Bad, bad thing, and I was just sure that such a stupid mistake cannot happen in my network :(

Because this Apache is bound to a different IP, I just missed it when searching for a possible hole. Well, the IP accepting connections does not have to be the same as the IP of outgoing connections, and when you add static NAT and PAT to the picture then it's easy to miss something (this is the other piece).

Spammers "enjoyed" it for 2 weeks, and I will be forever grateful to spamcop.net and the anonymous spam recipients who notified me about the problem. Interesting thing is that this server was an open proxy for a much longer time than 2 weeks, and suddenly many spammers became aware of it on Feb 18th. I guess some "spam software seller" scanned it and inserted it into a database. If anybody is interested, I can disclose more details (like IPs of spammers who abused my server).

What helped me was a network scanner - I logged TCP connections directed to port 25 of outside world servers (like legitimate SMTP traffic), then found out that some requests had HTTP headers before the "HELO" command.

B.
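The detection Bronek describes (outbound port-25 sessions whose client side starts with HTTP headers rather than HELO/EHLO) can be scripted over captured session payloads. The following is an added example, not code from the original post or from any tool mentioned in it; the Session records, the addresses and the captured bytes are constructed for illustration. It classifies each outbound session to port 25 and, for the abused ones, pulls out the host the proxy was asked to relay to from the absolute-URI request line that an HTTP proxy forwards verbatim to the SMTP server.

```python
"""Flag outbound port-25 sessions whose client side begins with an HTTP
request (a sign that an HTTP proxy inside the network is relaying spam)
instead of the SMTP HELO/EHLO greeting.  Added example; sample data is
constructed, not captured traffic."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# An HTTP request line at the very start of what the client sent.  A proxy
# abused via "POST http://mx:25/ ..." forwards this line and its headers to
# the SMTP server, which then sees the SMTP commands in the request body.
HTTP_REQUEST_LINE = re.compile(
    rb"^(?P<method>GET|POST|PUT|HEAD|OPTIONS) (?P<target>\S+) HTTP/1\.[01]\r?\n"
)
SMTP_GREETING = re.compile(rb"^(HELO|EHLO)\b", re.IGNORECASE)


@dataclass
class Session:
    src: str             # inside host that opened the connection
    dst: str             # outside SMTP server as ip:port
    client_bytes: bytes  # first bytes the inside host sent


def classify(client_bytes: bytes) -> str:
    """'smtp' for a normal session, 'proxied-smtp' when an HTTP request wraps
    SMTP commands, 'http' for an HTTP request with no SMTP inside, else 'other'."""
    if HTTP_REQUEST_LINE.match(client_bytes):
        sep = b"\r\n\r\n" if b"\r\n\r\n" in client_bytes else b"\n\n"
        _headers, _, body = client_bytes.partition(sep)
        return "proxied-smtp" if SMTP_GREETING.match(body.lstrip()) else "http"
    if SMTP_GREETING.match(client_bytes.lstrip()):
        return "smtp"
    return "other"


def proxied_target(client_bytes: bytes) -> Optional[str]:
    """Host the proxy was asked to reach, taken from the absolute-URI request
    line, e.g. 'http://mx.example:25/' -> 'mx.example:25'."""
    m = HTTP_REQUEST_LINE.match(client_bytes)
    if not m:
        return None
    target = m.group("target").decode("ascii", "replace")
    if "://" in target:
        target = target.split("://", 1)[1].split("/", 1)[0]
    return target


def find_abused_sessions(sessions: List[Session]) -> List[Tuple[str, str, Optional[str]]]:
    """(src, dst, proxied target) for every session that relays SMTP over HTTP."""
    return [
        (s.src, s.dst, proxied_target(s.client_bytes))
        for s in sessions
        if classify(s.client_bytes) == "proxied-smtp"
    ]


# Constructed sample captures (hypothetical hosts and addresses).
SAMPLE_SESSIONS = [
    # Legitimate mail server talking SMTP directly.
    Session("10.0.0.5", "192.0.2.10:25",
            b"EHLO mail.corp.example\r\nMAIL FROM:<ops@corp.example>\r\n"),
    # Open proxy relaying a spammer's POST to a remote MX on port 25.
    Session("10.0.0.7", "198.51.100.20:25",
            b"POST http://mx.victim.example:25/ HTTP/1.0\r\n"
            b"Host: mx.victim.example:25\r\n"
            b"Content-Length: 86\r\n\r\n"
            b"HELO spammer.example\r\nMAIL FROM:<x@spammer.example>\r\n"
            b"RCPT TO:<victim@victim.example>\r\n"),
    # HTTP to port 25 with no SMTP inside (a scanner probing the proxy).
    Session("10.0.0.7", "198.51.100.21:25",
            b"GET http://198.51.100.21:25/ HTTP/1.0\r\nHost: 198.51.100.21:25\r\n\r\n"),
]

if __name__ == "__main__":
    for src, dst, target in find_abused_sessions(SAMPLE_SESSIONS):
        print(f"{src} -> {dst}: HTTP-wrapped SMTP, proxy was asked for {target}")
```

The src address in a capture taken at the network edge is the proxy host (after NAT), not the spammer; the spammer's address is in that host's Apache access log for the matching POST. Two caveats: only the GET/POST-to-port-25 style of abuse leaks HTTP headers onto the wire, since a CONNECT tunnel is consumed by the proxy and the SMTP server then sees ordinary-looking SMTP, so the proxy's own logs should be checked as well; and the fix for the configuration described in the post is ProxyRequests Off, which keeps ProxyPass reverse proxying working while disabling forward proxying.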
This archive was generated by hypermail 2b30 : Thu Mar 06 2003 - 09:05:36 PST