From: Michael Tokarev (mjttls.msk.ru)
Date: Sat Mar 09 2002 - 11:52:20 CST


    I'm sorry for this off-topic post. But I have a question that
    I can't resolve myself, and there is no one near who can do that.

    I've set up an SMTP honeypot here that currently catches a big
    amount of spam from Alan Ralsky -- see for example
     http://www.spamhaus.org/rokso/search.lasso?evidencefile=1290
     http://www.spews.org/html/S544.html
    My real-time honeypot page is at http://www.corpit.ru/cgi-bin/h0n5yp0t

    Spam is currently coming from uu.net dialups. Funny that uunet
    has outgoing port 25 blocked for their dialups. It is known that
    Ralsky's spamware uses IP spoofing -- some other machine sends
    packets to my SMTP port and claims that the packets come from a
    dialup; so my machine answers to that dialup machine, but the
    dialup machine is in contact with the real sending machine.

    Currently, the dialup machine is at 67.234.6.62 (shown on my honeypot
    page). Nmap reports that it is a Cisco router:

    --
    Interesting ports on 1Cust62.tnt25.dfw9.da.uu.net (67.234.6.62):
    (The 1545 ports scanned but not shown below are in state: closed)
    Port       State       Service
    23/tcp     open        telnet                  
    514/tcp    open        shell                   
    2065/tcp   open        dlsrpn                  
    2067/tcp   open        dlswpn                  
    Remote operating system guess: Cisco router (IOS 12.2.1)
    TCP Sequence Prediction: Class=truly random
                             Difficulty=9999999 (Good luck!)
    IPID Sequence Generation: All zeros

    Nmap run completed -- 1 IP address (1 host up) scanned in 224 seconds
    --

    (Note that it may be a machine on a busy dialup line.)

    Another IP address associated with this is 64.1.121.45. This is the source of all prior relay tests. This is a WinME or similar machine.

    I don't know if this 64.1.121.45 is related to the current spam run in progress, but I suspect so. At least now, nmap output looks strange for it (not like when there was no spam run in progress):

    --
    Host w045.z064001121.chi-il.dsl.cnc.net (64.1.121.45) appears to be up ... good.
    Initiating SYN Stealth Scan against w045.z064001121.chi-il.dsl.cnc.net (64.1.121.45)
    Adding open port 5800/tcp
    Adding open port 3389/tcp
    Adding open port 443/tcp
    Adding open port 1026/tcp
    Adding open port 139/tcp
    Adding open port 5900/tcp
    Adding open port 1030/tcp
    Adding open port 135/tcp
    Adding open port 25/tcp
    Adding open port 1025/tcp
    adjust_timeout: packet supposedly had rtt of 9282629 microseconds. Ignoring time.
    Adding open port 5631/tcp
    Adding open port 445/tcp
    Adding open port 80/tcp
    The SYN Stealth Scan took 141 seconds to scan 1549 ports.
    For OSScan assuming that port 25 is open and port 1 is closed and neither are firewalled
    For OSScan assuming that port 25 is open and port 1 is closed and neither are firewalled
    Insufficient responses for TCP sequencing (2), OS detection may be less accurate
    WARNING: OS didn't match until the try #2
    Interesting ports on w045.z064001121.chi-il.dsl.cnc.net (64.1.121.45):
    (The 1536 ports scanned but not shown below are in state: closed)
    Port       State       Service
    25/tcp     open        smtp
    80/tcp     open        http
    135/tcp    open        loc-srv
    139/tcp    open        netbios-ssn
    443/tcp    open        https
    445/tcp    open        microsoft-ds
    1025/tcp   open        listen
    1026/tcp   open        nterm
    1030/tcp   open        iad1
    3389/tcp   open        msrdp
    5631/tcp   open        pcanywheredata
    5800/tcp   open        vnc
    5900/tcp   open        vnc

    Remote OS guesses: Windows NT 5 Beta2 or Beta3, Windows Me or Windows 2000 RC1 through final release, MS Windows2000 Professional RC1/W2K Advance Server Beta3, Windows Millenium Edition v4.90.3000

    Nmap run completed -- 1 IP address (1 host up) scanned in 162 seconds --

    Unfortunately, I can't convince uu.net to answer me. Moreover, they filtered (!!) my emails (blackholed my IP address) at their mail router. I don't know if they are clueless or irresponsible or whatever.

    I have prior tcpdumps of Ralsky sessions, and obviously I can make new ones -- I expect this spam run will be in progress for several days (the previous one was in progress for 4 days, and my honeypot captured mails for ~2M recipients).

    The question is: is it possible to say whether these two machines communicate with each other for *this* spam run? Note that it may be impossible to answer this question from e.g. uu.net's point of view -- if those 2 machines are one near the other and communicate by internal wires (not via the internet).

    Previous tcpdumps are available at ftp://ftp.corpit.ru/pub/hp/ . (The spamware uses command pipelining w/o EHLO.)

    Regards, Michael.
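Two honeypot-side checks that follow from the post, as an added example that is not part of the original message: a TTL-consistency check over `tcpdump -nv` style lines (a flow whose packets arrive with widely different IP TTLs is unlikely to come from a single sending host, which is the kind of spoofing arrangement described above) and an SMTP-transcript check for clients that pipeline commands without ever sending EHLO/HELO. The capture lines, transcripts, the honeypot address 10.0.0.5, the address 192.0.2.77, and all TTL/ID values are constructed for illustration; the parsing of real captures and the TTL threshold are assumptions, and TTL variation is only a heuristic (multi-path routing can also shift it by a hop or two).

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -nv` lines as an SMTP honeypot at 10.0.0.5
# (placeholder address) would record them. 67.234.6.62 is the dialup named in
# the post; 192.0.2.77 is a documentation address; TTL and ID values are invented.
TCPDUMP_LINES = [
    "11:40:01.000001 IP (tos 0x0, ttl 116, id 1201, offset 0, flags [DF], proto TCP (6), length 48) 67.234.6.62.1034 > 10.0.0.5.25: Flags [S], seq 1, win 8192",
    "11:40:01.200001 IP (tos 0x0, ttl 116, id 1202, offset 0, flags [DF], proto TCP (6), length 40) 67.234.6.62.1034 > 10.0.0.5.25: Flags [.], ack 1, win 8192",
    "11:40:01.300001 IP (tos 0x0, ttl 49, id 31000, offset 0, flags [DF], proto TCP (6), length 120) 67.234.6.62.1034 > 10.0.0.5.25: Flags [P.], seq 1:81, ack 1, win 8192",
    "11:40:05.000001 IP (tos 0x0, ttl 52, id 7001, offset 0, flags [DF], proto TCP (6), length 48) 192.0.2.77.2001 > 10.0.0.5.25: Flags [S], seq 1, win 16384",
    "11:40:05.100001 IP (tos 0x0, ttl 52, id 7002, offset 0, flags [DF], proto TCP (6), length 40) 192.0.2.77.2001 > 10.0.0.5.25: Flags [.], ack 1, win 16384",
]

# Pulls TTL, IP ID, the 4-tuple and the TCP flags out of one `tcpdump -nv` line.
PKT_RE = re.compile(
    r"ttl (\d+), id (\d+).*?(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]"
)


def parse_packets(lines):
    """Return one dict per parsable packet line; lines that do not match are skipped."""
    pkts = []
    for line in lines:
        m = PKT_RE.search(line)
        if not m:
            continue
        ttl, ipid, src, sport, dst, dport, flags = m.groups()
        pkts.append({"ttl": int(ttl), "id": int(ipid), "src": src, "sport": int(sport),
                     "dst": dst, "dport": int(dport), "flags": flags})
    return pkts


def ttl_anomalies(lines, max_spread=2):
    """Flows (src:sport) whose packets show a TTL spread larger than max_spread hops.

    A single host behind a stable path sends every packet of a flow with the same
    initial TTL, so the honeypot sees a near-constant value. A large spread within
    one flow suggests the packets were emitted by more than one machine.
    max_spread is an assumed threshold, not a standard.
    """
    ttls_by_flow = defaultdict(list)
    for p in parse_packets(lines):
        ttls_by_flow[(p["src"], p["sport"])].append(p["ttl"])
    return sorted(f"{src}:{sport}" for (src, sport), ttls in ttls_by_flow.items()
                  if max(ttls) - min(ttls) > max_spread)


# Constructed honeypot transcripts: "S:" is the honeypot, "C:" the client.
PIPELINED_NO_EHLO = [
    "S: 220 honeypot.example ESMTP",
    "C: MAIL FROM:<sender@example.net>",
    "C: RCPT TO:<victim1@example.org>",
    "C: RCPT TO:<victim2@example.org>",
    "C: DATA",
    "S: 250 Ok",
    "S: 250 Ok",
    "S: 250 Ok",
    "S: 354 End data with <CR><LF>.<CR><LF>",
]

WELL_BEHAVED = [
    "S: 220 honeypot.example ESMTP",
    "C: EHLO mail.example.net",
    "S: 250 honeypot.example",
    "C: MAIL FROM:<sender@example.net>",
    "S: 250 Ok",
    "C: RCPT TO:<user@example.org>",
    "S: 250 Ok",
    "C: DATA",
    "S: 354 End data with <CR><LF>.<CR><LF>",
]


def smtp_session_findings(transcript):
    """Report whether the client greeted (EHLO/HELO) and its longest run of commands
    sent without waiting for a server reply. Pipelining after an EHLO that was
    answered with the PIPELINING extension is legitimate (RFC 2920); the combination
    of no greeting and a long run is the pattern the post describes."""
    greeting_seen = False
    run = max_run = 0
    for line in transcript:
        if line.startswith("C: "):
            cmd = line[3:].split(" ", 1)[0].upper()
            if cmd in ("EHLO", "HELO"):
                greeting_seen = True
            run += 1
            max_run = max(max_run, run)
        elif line.startswith("S: "):
            run = 0  # a server reply ends the unanswered-command run
    return {"greeting_seen": greeting_seen, "max_pipelined": max_run}


if __name__ == "__main__":
    print("TTL anomalies:", ttl_anomalies(TCPDUMP_LINES))
    print("spamware-like session:", smtp_session_findings(PIPELINED_NO_EHLO))
    print("normal session:", smtp_session_findings(WELL_BEHAVED))
```

Neither check can show that the dialup and the DSL host talk to each other, which is the post's actual question and which only a capture on their side of the network could answer; what the honeypot can establish on its own is that the packets attributed to one source are inconsistent with a single origin, and that the client behaviour matches the pattern seen in earlier runs.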