[unisog] Spammers compromising systems

Brian Reilly reillyb at georgetown.edu
Thu Feb 6 22:36:28 GMT 2003


Larry,

We've seen a couple of instances of this too.  The compromised host was
running WinGate FTP, Telnet, and POP3 proxies.  I haven't confirmed an
SMTP agent, but it makes sense.  My initial hunch was that the spammers
were redirecting to open relays via the telnet proxies.

Here's another example of the "spammers-breaking-into-machines" variety.  
We recently found a compromised host that had a backdoor SMTP server
running on a non-standard port.  When connected to, the server responded
with the following banner: "220 jeem.mail.pv ESMTP".  Some quick Googling
found very limited list discussion from Nov/Dec 2002.

--Brian

On Thu, 6 Feb 2003, E. Larry Lidz wrote:

> 
> We've seen a couple of machines in the last couple of days which were
> compromised by intruders and which have had a program called WinGate
> installed on them. Part of WinGate appears to be an SMTP agent which the
> intruders use to send spam through the system.
> 
> I don't recall us ever having seen spammers actually break into
> systems before. It doesn't come as a major surprise, but I thought I'd
> mention it as I suspect it will become as commonplace as intruders
> breaking into machines to set up sites to distribute copyrighted
> materials.
> 
> -Larry
> 
> ---
> E. Larry Lidz                                        Phone: +1 773 702-2208
> Sr. Network Security Officer                         Fax:   +1 773 834-8444
> Network Security Center, The University of Chicago
> PGP: http://security.uchicago.edu/centerinfo/pgpkeys.shtml
> 
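The banner Brian quotes is the one concrete indicator in this thread, and the way his team found the server (connect, read the greeting, notice it is SMTP on a port where SMTP has no business being) is easy to turn into a repeatable check. The following is an added example, not code from the original message or from anyone on the list: a banner-grabbing scanner that connects to a list of ports, reads whatever the service volunteers first, and flags RFC 5321-style "220 ... SMTP" greetings that either match the known "220 jeem.mail.pv ESMTP" string or sit on a port other than 25, 465 or 587. So that it runs offline, it also starts a constructed stand-in for the compromised host on 127.0.0.1; the port set, the second "SSH" listener and the classification labels are all assumptions made for the example.

```python
import socket
import threading
from typing import Dict, List, Optional, Tuple

# The only concrete indicator the message gives: the greeting of the backdoor
# SMTP server. Everything else here (ports, fake listeners) is constructed.
KNOWN_BACKDOOR_BANNERS: Tuple[str, ...] = ("220 jeem.mail.pv ESMTP",)
STANDARD_SMTP_PORTS = {25, 465, 587}


def grab_banner(host: str, port: int, timeout: float = 1.0) -> Optional[str]:
    """Connect and read what the service sends first, as a human would with telnet.

    Returns None if the port is closed or unreachable, "" if the port accepts
    the connection but says nothing within the timeout (HTTP, for instance,
    waits for the client to speak), otherwise the first line of the banner.
    """
    try:
        conn = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None
    with conn:
        conn.settimeout(timeout)
        try:
            data = conn.recv(512)
        except socket.timeout:
            return ""
        except OSError:
            return None
    if not data:
        return ""
    return data.decode("ascii", "replace").splitlines()[0].strip()


def looks_like_smtp(banner: str) -> bool:
    # RFC 5321 greeting: "220 " then the server's name, normally with ESMTP/SMTP.
    return banner.startswith("220 ") and "SMTP" in banner.upper()


def classify(port: int, banner: Optional[str]) -> str:
    """Map a (port, banner) pair to a verdict string (labels are this example's own)."""
    if banner is None:
        return "closed"
    if banner == "":
        return "silent"
    if not looks_like_smtp(banner):
        return "other"
    if any(banner.startswith(known) for known in KNOWN_BACKDOOR_BANNERS):
        return "known-backdoor-banner"
    if port not in STANDARD_SMTP_PORTS:
        return "smtp-on-nonstandard-port"
    return "smtp"


def scan(host: str, ports: List[int], timeout: float = 1.0
         ) -> Dict[int, Tuple[str, Optional[str]]]:
    """Grab and classify the banner on every port in the list."""
    results: Dict[int, Tuple[str, Optional[str]]] = {}
    for port in ports:
        banner = grab_banner(host, port, timeout)
        results[port] = (classify(port, banner), banner)
    return results


def start_fake_listener(banner: str) -> int:
    """Constructed stand-in for a compromised host: accepts a connection on
    127.0.0.1, sends the given banner, hangs up. Returns the ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.sendall((banner + "\r\n").encode("ascii"))
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Demo against two constructed listeners plus port 25 of the local host.
    backdoor = start_fake_listener("220 jeem.mail.pv ESMTP")
    ssh = start_fake_listener("SSH-2.0-OpenSSH_9.6")
    for port, (verdict, banner) in scan("127.0.0.1", [25, backdoor, ssh]).items():
        print(f"{port:5d}  {verdict:26s}  {banner!r}")
```

In practice you would feed `scan` the listening ports reported by netstat or a full-range port sweep of the suspect machine rather than a hand-picked list, and add any further banners you collect to KNOWN_BACKDOOR_BANNERS. The "silent" verdict is deliberate: a port that accepts a connection but never greets is not cleared by this check, it just needs a different probe.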