Re: Tracking proxies on port 1180/1182

From: Michael Scheidell (scheidellat_private)
Date: Mon Apr 21 2003 - 12:56:46 PDT


    > There was some discussion on Incidents last month about hidden Wingate 
    > proxy servers being installed on systems without the owner's knowledge,
    > listening on non-standard ports. I have since done some research on these 
    > and have discovered they are being installed by the Sobig.a (BigBoss) virus. 
    > This is something the AV companies missed in every analysis I have read. This
    > is unfortunate because these proxies are being used in a big way by spammers.
    > I have written an analysis of the method of infection from beginning to end:
    >  
    > http://www.lurhq.com/sobig.html
    
    Found mention of one in my spam log. Wonder if 66.190.154.95 is the spammer's
    IP address... Also, interesting to see what happens when that Comcast
    customer's proxy is used to try to tell Comcast they have a problem there:
    
    3F1D43810F: reject: RCPT from
    bgp552493bgs.ewndsr01.nj.comcast.net[68.38.184.185]: 554 Service
    unavailable; Client host [68.38.184.185] blocked using
    socks.relays.osirusoft.com; (2003/04/10) Open proxy: telnet(1181);
    from=<Lisa2923fat_private> to=<spamtrapat_private> proto=SMTP
    helo=<66.190.154.95>
    
    Use it to talk to Comcast's SMTP server, just for fun:
     host -t mx comcast.net
    comcast.net mail is handled by 0 mx00.comcast.net.
    telnet 68.38.184.185 1181
    MNGTR>mx00.comcast.net 25
    
    mx00.comcast.net 25
    Connecting to host mx00.comcast.net...Connected
    571 Blocked for abuse 4/6/2003 Please send blacklist removal requests to
    blacklist_comcastnetat_private - Be sure to include your mail
    server IP address
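The Postfix reject line above carries everything needed to triage this kind of hit: the DNSBL zone that listed the client, the listing reason with the proxy type and port, and a HELO that is an IP literal different from the connecting client (the thing Michael wonders about, since a spammer pushing mail through someone else's proxy tends to leak its own address there). The script below is an added example, not code from the message or from LURHQ; the three log lines and all addresses in it are constructed (the first line copies the structure of the quoted one), the DNSBL zone is only used as a string and no DNS query is made, and the field names are my own.

```python
"""Triage Postfix DNSBL rejects for mail relayed through an open proxy.

Added example: parses Postfix smtpd 'reject: RCPT from ...' lines, extracts
the DNSBL zone, the listing reason ("Open proxy: telnet(1181)") and the HELO,
and flags clients listed as open proxies whose HELO is a *different* IP
literal, the likely true source behind the proxy.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log (addresses invented).  Line 1 mirrors the structure of
# the quoted reject; lines 2 and 3 exercise the "HELO matches client" and
# "not an open-proxy listing" paths.
SAMPLE_LOG = """\
3F1D43810F: reject: RCPT from bgp552493bgs.ewndsr01.nj.comcast.net[68.38.184.185]: 554 Service unavailable; Client host [68.38.184.185] blocked using socks.relays.osirusoft.com; (2003/04/10) Open proxy: telnet(1181); from=<lisa2923f@example.net> to=<spamtrap@example.net> proto=SMTP helo=<66.190.154.95>
A1B2C3D4E5: reject: RCPT from unknown[192.0.2.10]: 554 Service unavailable; Client host [192.0.2.10] blocked using socks.relays.osirusoft.com; (2003/04/11) Open proxy: socks(1080); from=<x@example.org> to=<spamtrap@example.net> proto=ESMTP helo=<192.0.2.10>
DEADBEEF00: reject: RCPT from mail.example.com[198.51.100.7]: 554 Service unavailable; Client host [198.51.100.7] blocked using bl.example.test; from=<a@example.com> to=<spamtrap@example.net> proto=ESMTP helo=<mail.example.com>
"""

REJECT_RE = re.compile(
    r"^(?P<qid>[0-9A-F]+): reject: RCPT from (?P<rdns>\S+)\[(?P<ip>[\d.]+)\]: "
    r"(?P<code>\d{3}) .*?Client host \[(?P<ip2>[\d.]+)\] blocked using (?P<zone>\S+);"
    r"(?: \((?P<date>[\d/]+)\) (?P<reason>[^;]+);)?"
    r" from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> proto=(?P<proto>\S+) helo=<(?P<helo>[^>]*)>$"
)
REASON_RE = re.compile(r"Open proxy: (?P<ptype>\w+)\((?P<port>\d+)\)")


@dataclass
class Reject:
    queue_id: str
    client_ip: str
    client_rdns: str
    zone: str
    reason: Optional[str]
    helo: str
    proxy_type: Optional[str] = None
    proxy_port: Optional[int] = None

    @property
    def is_open_proxy(self) -> bool:
        return self.proxy_type is not None

    @property
    def helo_ip(self) -> Optional[str]:
        """The HELO as an IPv4 literal, or None when it is a hostname."""
        try:
            return str(ipaddress.IPv4Address(self.helo))
        except ValueError:
            return None

    @property
    def helo_mismatch(self) -> bool:
        """True when HELO is an IP literal that differs from the connecting client."""
        return self.helo_ip is not None and self.helo_ip != self.client_ip


def parse_reject(line: str) -> Optional[Reject]:
    """Parse one smtpd reject line; None if it is not a DNSBL RCPT reject."""
    m = REJECT_RE.match(line.strip())
    if not m:
        return None
    reason = m.group("reason")
    rej = Reject(queue_id=m.group("qid"), client_ip=m.group("ip"),
                 client_rdns=m.group("rdns"), zone=m.group("zone"),
                 reason=reason, helo=m.group("helo"))
    if reason:
        rm = REASON_RE.search(reason)
        if rm:
            rej.proxy_type = rm.group("ptype")
            rej.proxy_port = int(rm.group("port"))
    return rej


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Name a DNSBL client would look up for ip in zone (octets reversed).
    Built as a string only; nothing here performs a DNS query."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def triage(log_text: str) -> List[dict]:
    """One summary per parseable reject, most interesting first: open proxies
    whose HELO leaks a different IP sort to the top, then other open proxies."""
    out = []
    for line in log_text.splitlines():
        rej = parse_reject(line)
        if rej is None:
            continue
        proxy = (f"{rej.client_ip}:{rej.proxy_port}/{rej.proxy_type}"
                 if rej.is_open_proxy else None)
        origin = rej.helo_ip if (rej.is_open_proxy and rej.helo_mismatch) else None
        out.append({"queue_id": rej.queue_id, "proxy": proxy,
                    "likely_origin": origin,
                    "dnsbl_lookup": dnsbl_query_name(rej.client_ip, rej.zone)})
    out.sort(key=lambda r: (r["likely_origin"] is None, r["proxy"] is None))
    return out


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

Run against the constructed log, the first row reports the proxy as 68.38.184.185:1181/telnet with 66.190.154.95 as the likely origin, which is exactly the pair of addresses in the quoted reject. A HELO literal that matches the client, as in the second constructed line, says nothing about the origin and is not flagged.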
    
    



    This archive was generated by hypermail 2b30 : Mon Apr 21 2003 - 14:31:43 PDT