[unisog] Spammers compromising systems

Martin, James E. martin at more.net
Thu Feb 6 22:41:48 GMT 2003


Over the last couple of weeks, we've had two SpamCop complaints that traced back to Win2k or XP boxes running an unauthorized SMTP agent at an unregistered port - we've been unable to get decent forensics from one remote site and have accepted the three R's (remove/reformat/rebuild to current stable) with new strong passwords from that admin as an alternate. With tools like X-Scan, it's a nice day when we *don't* find a machine with Dameware or ServU downstream. Adding an SMTP engine is a new twist...it's still an admin compromise.

Today's rogue SMTP prompt looked like this:

telnet <IP deleted> 1185
Trying <IP deleted>...
Connected to <IP deleted>.
Escape character is '^]'.
220 SMTP Server Service ready
Connection closed by foreign host.

Thanks for the tip - we'll know to look for Wingate on today's box. 

Jim

========================================
James E. Martin                           
MOREnet Network Security Coordinator 
University of Missouri System                     
voice: 573-884-7200   fax: 573-884-6673
========================================


-----Original Message-----
From: E. Larry Lidz [mailto:ellidz at eridu.uchicago.edu]
Sent: Thursday, February 06, 2003 4:12 PM
To: unisog at sans.org
Subject: [unisog] Spammers compromising systems



We've seen a couple of machines in the last couple of days which were
compromised by intruders and which have had a program called WinGate
installed on it. Part of WinGate appears to be an SMTP agent which the
intruders use to send spam through the system.

I don't recall us ever having seen spammers actually break into
systems before. It doesn't come as a major surprise, but I thought I'd
mention it as I suspect it to become as commonplace as intruders
breaking into machines to set up sites to distribute copyrighted
materials.

-Larry

---
E. Larry Lidz                                        Phone: +1 773 702-2208
Sr. Network Security Officer                         Fax:   +1 773 834-8444
Network Security Center, The University of Chicago
PGP: http://security.uchicago.edu/centerinfo/pgpkeys.shtml
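A small check for the kind of rogue listener Jim's telnet session shows, added here as an example and not part of either message: it reads a service's greeting line and flags SMTP banners on ports where a mail server is not expected. The hosts and all banners other than the quoted "220 SMTP Server Service ready" are constructed, and EXPECTED_SMTP_PORTS is an assumption to adjust for the site.

```python
import re
import socket

# Assumption for this example: ports where a plaintext SMTP greeting is
# expected on a legitimate mail host. Anything else that answers with an
# SMTP banner deserves a look.
EXPECTED_SMTP_PORTS = {25, 587}

# RFC 5321 greeting: "220 " (single line) or "220-" (first of several lines).
GREETING_220 = re.compile(r"^220[ -]")


def classify_banner(banner: str) -> str:
    """Classify a greeting line by the protocol it most likely belongs to."""
    line = banner.strip()
    if not GREETING_220.match(line):
        return "other"
    upper = line.upper()
    # FTP also greets with 220, so look at the wording before calling it mail.
    if "SMTP" in upper:          # matches both "SMTP" and "ESMTP"
        return "smtp"
    if "FTP" in upper:
        return "ftp"
    return "220-unknown"


def find_rogue_smtp(results):
    """Return (host, port, banner) entries that look like SMTP on an unexpected port."""
    return [
        (host, port, banner)
        for host, port, banner in results
        if classify_banner(banner) == "smtp" and port not in EXPECTED_SMTP_PORTS
    ]


def grab_banner(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect, read whatever the service volunteers, and return its first line.

    Returns an empty string when nothing arrives before the timeout (many
    services, HTTP for instance, wait for the client to speak first).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            data = sock.recv(512)
    except OSError:
        return ""
    if not data:
        return ""
    return data.decode("ascii", errors="replace").splitlines()[0]


# Constructed sample: the banner on port 1185 is the one quoted in the thread;
# the hosts and the other banners are made up for this example.
SAMPLE_RESULTS = [
    ("192.0.2.10", 1185, "220 SMTP Server Service ready"),
    ("192.0.2.10", 25, "220 mail.example.edu ESMTP Postfix"),
    ("192.0.2.11", 21, "220 ProFTPD Server ready"),
    ("192.0.2.12", 8080, ""),
]

if __name__ == "__main__":
    # For a live audit of one's own hosts, build the list with grab_banner()
    # over the open ports a port scan reported, then filter the same way.
    for host, port, banner in find_rogue_smtp(SAMPLE_RESULTS):
        print(f"rogue SMTP? {host}:{port} -> {banner!r}")
```

Banner matching alone will miss a relay whose greeting has been edited, so treat a hit as a reason to pull the box for the forensics Jim describes rather than as proof, and treat a 220 line with neither keyword as worth a manual look.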
