[unisog] Spammers compromising systems
Martin, James E.
martin at more.net
Thu Feb 6 22:41:48 GMT 2003
Over the last couple of weeks, we've had two SpamCop complaints that traced back to Win2k or XP boxes running an unauthorized SMTP agent at an unregistered port - we've been unable to get decent forensics from one remote site and have accepted the three R's (remove/reformat/rebuild to current stable) with new strong passwords from that admin as an alternate. With tools like X-Scan, it's a nice day when we *don't* find a machine with Dameware or ServU downstream. Adding an SMTP engine is a new twist...it's still an admin compromise.
Today's rogue SMTP prompt looked like this:
telnet <IP deleted> 1185
Trying <IP deleted>...
Connected to <IP deleted>.
Escape character is '^]'.
220 SMTP Server Service ready
Connection closed by foreign host.
Thanks for the tip - we'll know to look for WinGate on today's box.
James E. Martin
MOREnet Network Security Coordinator
University of Missouri System
voice: 573-884-7200 fax: 573-884-6673
From: E. Larry Lidz [mailto:ellidz at eridu.uchicago.edu]
Sent: Thursday, February 06, 2003 4:12 PM
To: unisog at sans.org
Subject: [unisog] Spammers compromising systems
We've seen a couple of machines in the last couple of days which were
compromised by intruders and which have had a program called WinGate
installed on them. Part of WinGate appears to be an SMTP agent which the
intruders use to send spam through the system.
I don't recall us ever having seen spammers actually break into
systems before. It doesn't come as a major surprise, but I thought I'd
mention it as I suspect it to become as commonplace as intruders
breaking into machines to set up sites to distribute copyrighted
E. Larry Lidz Phone: +1 773 702-2208
Sr. Network Security Officer Fax: +1 773 834-8444
Network Security Center, The University of Chicago
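As an added illustration (not code from either poster), here is a small Python check that parses a telnet transcript shaped like the one James pasted above and flags an SMTP-style greeting on a port where no mail service is expected; the sample transcript, the 192.0.2.10 address and the set of expected SMTP ports are constructed assumptions:

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: ports on which an SMTP greeting is legitimate on our network.
EXPECTED_SMTP_PORTS = {25, 465, 587}

@dataclass
class BannerFinding:
    host: str
    port: int
    banner: str
    suspicious: bool

# Constructed transcript, same shape as the telnet session quoted in the post.
SAMPLE_TRANSCRIPT = """\
telnet 192.0.2.10 1185
Trying 192.0.2.10...
Connected to 192.0.2.10.
Escape character is '^]'.
220 SMTP Server Service ready
Connection closed by foreign host.
"""

def is_suspicious_smtp(port: int, banner: str) -> bool:
    """True when the greeting looks like an SMTP '220' banner on a non-mail port.

    FTP servers also greet with 220, so require an SMTP/ESMTP/mail keyword
    rather than matching on the reply code alone.
    """
    looks_smtp = banner.startswith("220") and \
        re.search(r"\b(SMTP|ESMTP|mail)\b", banner, re.I) is not None
    return looks_smtp and port not in EXPECTED_SMTP_PORTS

def parse_telnet_transcript(text: str) -> Optional[BannerFinding]:
    """Extract host, port and the first server greeting from a telnet transcript."""
    host, port = None, None
    for line in text.splitlines():
        m = re.match(r"telnet\s+(\S+)\s+(\d+)", line)
        if m:                      # the command line gives us host and port
            host, port = m.group(1), int(m.group(2))
            continue
        if host is not None and re.match(r"220[ -]", line):  # 220- is a multi-line greeting
            banner = line.strip()
            return BannerFinding(host, port, banner, is_suspicious_smtp(port, banner))
    return None                    # no greeting seen (e.g. connection refused)
```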