Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
Re: Odd identd behavior
From: Brian Smith-Sweeney (tinboxnyct.net)
Date: Mon Nov 14 2005 - 14:27:48 CST
Everyone I believe did read his message. Yes, he said mailserver logs,
but that's because the mailservers in question were connecting back to
the ident port which is fairly standard behavior. What's not standard
is that they were getting a response back from the service listening on
the ident port that was not consistent with an ident server. While 220
as you noted is a valid mailserver response, it's *not* a valid ident
The conclusion of "it looks like an FTP server" is based on the fact
that many warez kiddies install FTP servers on non-standard ports, and
that the remainder of the header (..:: ?lit?-Cr?w Rulez ::..) looks like
a warez banner. The easiest way to verify would be to attempt FTP
protocol negotiation to the port in question to see what happens, but
I'm guessing the majority of folks who posted to the list are correct:
Also, if you're going to attempt to correct people by citing RFC's, it's
best to use the right RFC. =) RFC 793 is TCP; RFC 2821 (and old 821)
discuss SMTP, which is I assume what you meant to reference.
My guess is the ::.. stuff is just to look cool, but I suppose it's
possible it has a dual purpose.
Levenglick, Jeff wrote:
> Ok.... It's a good thing we all read his message...
> He said mail server logs....
> 220 is a valid MAIL server response.
> see http://www.rfc-editor.org/rfc/rfc793.txt 220 <domain> Service
> Where did ftp come from?
> Now.. Why does it say: 220 ..:: ?lit?-Cr?w Rulez ::....530 Not logged
> Because that is what they put as the ident of the mail server- ..::
> ?lit?-Cr?w Rulez ::....530 Not logged in...
> My quick quess is that ..:: when sent to a daemon could overflow or
> maybe do something it is not supposed to. (ie: a parse bug)
> Or the mail server was hacked and they replaced the ident of the box
> with their name.
> OR the host was hacked and the host name was changed. Assuming a Unix
> box, did you check your host name? hostname or uname -a