[unisog] Spammers compromising systems
reillyb at georgetown.edu
Thu Feb 6 22:36:28 GMT 2003
We've seen a couple of instances of this too. The compromised host was
running WinGate FTP, Telnet, and POP3 proxies. I haven't confirmed an
SMTP agent, but it makes sense. My initial hunch was that the spammers
were redirecting to open relays via the telnet proxies.
Here's another example of the "spammers-breaking-into-machines" variety.
We recently found a compromised host that had a backdoor SMTP server
running on a non-standard port. When connected to, the server responded
with the following banner: "220 jeem.mail.pv ESMTP". Some quick Googling
found very limited list discussion from Nov/Dec 2002.
On Thu, 6 Feb 2003, E. Larry Lidz wrote:
> We've seen a couple of machines in the last couple of days which were
> compromised by intruders and which have had a program called WinGate
> installed on them. Part of WinGate appears to be an SMTP agent which the
> intruders use to send spam through the system.
> I don't recall us ever having seen spammers actually break into
> systems before. It doesn't come as a major surprise, but I thought I'd
> mention it as I suspect it to become as commonplace as intruders
> breaking into machines to set up sites to distribute copyrighted
> E. Larry Lidz Phone: +1 773 702-2208
> Sr. Network Security Officer Fax: +1 773 834-8444
> Network Security Center, The University of Chicago
> PGP: http://security.uchicago.edu/centerinfo/pgpkeys.shtml
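As an added example (not from the post or the list), a small Python audit that labels listening services from their greeting: it flags the exact `220 jeem.mail.pv ESMTP` banner reported above and any SMTP greeting on a port other than 25/465/587. The sample banners, port numbers and hostnames are constructed.

```python
import re
import socket
from typing import Iterable, List, Optional, Tuple

# Banner the post reports on the compromised host's backdoor SMTP server.
KNOWN_BACKDOOR_BANNERS = {"220 jeem.mail.pv ESMTP"}
# Ports where an SMTP greeting is expected on a legitimate mail host.
STANDARD_SMTP_PORTS = {25, 465, 587}
# RFC 2821 greeting: "220 <domain> [text]" ("220-" on multi-line greetings).
SMTP_GREETING = re.compile(r"^220[ -](?P<domain>\S+)(?:\s+(?P<text>.*))?$")

def classify_banner(port: int, banner: str) -> Optional[str]:
    """Label a listening service from its greeting, or None if unremarkable."""
    line = banner.strip().splitlines()[0] if banner.strip() else ""
    if line in KNOWN_BACKDOOR_BANNERS:
        return "known-backdoor-smtp"
    if SMTP_GREETING.match(line) and port not in STANDARD_SMTP_PORTS:
        return "smtp-on-nonstandard-port"
    return None

def grab_banner(host: str, port: int, timeout: float = 3.0) -> str:
    """Read whatever a TCP listener sends on connect (live checks of your own hosts)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            return s.recv(512).decode("ascii", errors="replace")
        except socket.timeout:
            return ""  # silent listener: no greeting to classify

def audit(listeners: Iterable[Tuple[int, str]]) -> List[Tuple[int, str]]:
    """Return (port, finding) pairs for listeners that deserve a look."""
    findings = []
    for port, banner in listeners:
        label = classify_banner(port, banner)
        if label:
            findings.append((port, label))
    return findings

# Constructed sample of banners grabbed from one host's listening ports.
SAMPLE = [
    (25, "220 mail.example.edu ESMTP Sendmail 8.12.6; Thu, 6 Feb 2003 22:36:28 GMT"),
    (80, "HTTP/1.0 400 Bad Request\r\n"),
    (1080, ""),  # proxy port that sends nothing on connect
    (8765, "220 jeem.mail.pv ESMTP\r\n"),
    (31337, "220 relay.example.net ESMTP ready"),
]

if __name__ == "__main__":
    for port, label in audit(SAMPLE):
        print(f"port {port}: {label}")
```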