[unisog] Question: Spam-for-Pay

Dax dax at resnet.ucsb.edu
Thu Mar 20 00:21:38 GMT 2003


	Here's a message concerning this same topic that I posted to
another mailing list a week or two ago...hope it helps.


//forwarded message

	Hello again ladies and gents-

	Over the past 7 days, I've seen a tremendous surge in spam
complaints coming from my domain.  After seeing about 10 or so in the
course of one week, I knew it had to be something of an epidemic.
	After handfuls of my RCCs came up blank, I finally examined one
machine myself, and after a bit of diagnosis, was able to determine that
WinGate proxie was the culprit - or rather, a hacked backdoor/Trojan of
Wingate, similar to this example:

http://www.megasecurity.org/Tools/Wingate3.09.html

	This is a semi-nasty one, and it opens up a web, ftp, and mail
server on the r00ted machine.  What makes it difficult to locate (at least
on a Win9.x/ME box is that it disguises itself as MMTask.exe).  There were
several other files (a couple .dlls and one more named mptask.exe, or
something like it.  Since XP shouldn't have mmtask, it's pretty obvious if
an XP machine has become compromised.
	Of course, the user I checked out had no idea what it was, how it
got there, or what in tarnation I was babbling on about.  We're working on
developing an IDS signature, but don't have much yet.  Another very
clear-cut indicator is nmap results that return this:

1180/tcp   open        unknown                 
1181/tcp   open        unknown                 
1182/tcp   open        unknown                 
1183/tcp   open        unknown                 
1184/tcp   open        unknown                 
1185/tcp   open        unknown 

	that, and the fact that you can connect to various services on
those ports.

	At any rate, I'm not sure how everyone out there is faring, but
this has been a kink in my neck for at least a week now, and I thought
this might shed some light or give some folks a heads-up.

/forwarded messsage

/Dax





More information about the unisog mailing list