[lug] outgoing port 220 exploit?
Elyse M. Grasso
emgrasso at data-raptors.com
Mon Jan 19 11:29:53 MST 2004
On Monday 19 January 2004 08:24 am, David Anselmi wrote:
> As you've noticed, you can't sniff the packets if they are blocked by
> ipchains. They wouldn't tell you anything more than the ipchains logs
> tell you anyway - src/dst ip/port - since they aren't actually going
> out. If you want to find out what the session is trying to do, open the
> firewall and let it out. Then you can capture the whole session and
> probably figure out quite a bit.
>
> It is also problematic to figure out which process is trying to open the
> connection. strace would tell you, if you knew which program to trace.
> lsof will tell you, if you manage to run it while the socket is open.
> Looking below the IP stack (where ipchains and tcpdump operate) won't
> tell you. I don't see anything in /proc that connects processes to
> sockets (not that I know what everything there means).
>
> D. Stimits wrote:
> [...]
> >
> > Ok I found out a pattern people might find interesting. More than one
> > KRUD machine (so far KRUD 7.3 and 8.0) are both doing this. One after
> > the other, as one tries an outbound port 220 from local port 6129, the
> > other will also try the SAME outbound IP. So someone is doing something
> > like a port scan that is triggering the port 220 relay attempt on
> > separate machines. I am beginning to think the inbound trigger is some
> > sort of broadcast or non-tcp trigger. Not sure yet.
>
> You said these are SYN packets being blocked, right? Is the interval
> regular? What destination IPs are there? Posting the relevant logs
> might get you better answers.
>
> As for both machines doing this, what is the timing? And what is the
> difference between their clocks. You mentioned mozilla, could this be
> the "check for new mail every 10 minutes" feature? Mozilla is an imap
> client so maybe some built-in or misconfiguration is trying to use imap
> (do you have any accounts set up in it that use imap?)
>
> You can use tcpdump/ethereal to catch inbound traffic that triggers the
> imap response but I doubt you'll see any. And if there is any it would
> be to a port that you listen on (if the machine has been rooted you
> can't trust it to show you the truth, obviously).
>
> Dave
>
> _______________________________________________
> Web Page: http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
>
>
A quick google for port 220 gives this as one of the first results:
Just an fyi to all unix system admins out there. While locking down my
box I discovered via portscan that port 220 was open. I later
discovered that my ps -eaf command was compromised and that port was a
backdoor entry. The two hidden processes were cronnd -q and imap3d,
so something to look out for.
-solaris 8
--
Elyse Grasso
http://www.data-raptors.com Computers and Technology
http://www.astraltrading.com Divination and Science Fiction
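Added example, not code from anyone in this thread: the /proc join that David's quoted reply is looking for does exist on Linux. Every socket in /proc/net/tcp carries an inode number, and each socket descriptor under /proc/<pid>/fd is a symlink reading "socket:[<inode>]", so a blocked SYN from local port 6129 to remote port 220 can be matched to the process that opened it while the socket is still in SYN_SENT. The script also compares the PID list in /proc against `ps -eaf`, which is the check the Solaris report above would have needed to catch a trojaned ps. It assumes a Linux /proc layout and root for other users' fd directories; the /proc/net/tcp and ps text used for the offline check are constructed samples.

```python
#!/usr/bin/env python3
"""Join a firewall-logged TCP endpoint to its owning process via /proc, and
cross-check /proc's PID list against ps(1).  Assumes Linux: /proc/net/tcp
lists every TCP socket with little-endian hex endpoints, a state code and a
socket inode; /proc/<pid>/fd/<n> links to "socket:[<inode>]".  Reading other
users' fd directories needs root.  Sample data below is constructed."""
import os
import re
import subprocess
import sys

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
              "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
              "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING"}

# Constructed /proc/net/tcp: a listener on :22 and a SYN_SENT from local port
# 6129 (0x17F1) to remote port 220 (0xDC), the pattern the thread describes.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 00000000 100 0 0 10 0
   1: 0C00000A:17F1 0501A8C0:00DC 02 00000000:00000000 00:00000000 00000000   500        0 67890 1 00000000 100 0 0 10 0
"""

def decode_endpoint(hexaddr):
    """'0C00000A:17F1' -> ('10.0.0.12', 6129); the address bytes are little-endian."""
    ip_hex, port_hex = hexaddr.split(":")
    octets = [int(ip_hex[i:i + 2], 16) for i in range(0, 8, 2)]
    return ".".join(str(o) for o in reversed(octets)), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp text into dicts with decoded endpoints, state and inode."""
    sockets = []
    for line in text.splitlines()[1:]:  # line 0 is the column header
        f = line.split()
        if len(f) < 10:
            continue
        sockets.append({"local": decode_endpoint(f[1]), "remote": decode_endpoint(f[2]),
                        "state": TCP_STATES.get(f[3], f[3]), "inode": int(f[9])})
    return sockets

def find_sockets(sockets, local_port=None, remote_port=None):
    """Select sockets matching the src/dst ports the firewall log reported."""
    return [s for s in sockets
            if (local_port is None or s["local"][1] == local_port)
            and (remote_port is None or s["remote"][1] == remote_port)]

def socket_owners(proc_root="/proc"):
    """Walk /proc/<pid>/fd and return {socket_inode: [(pid, cmdline), ...]}."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
            with open(os.path.join(proc_root, pid, "cmdline"), "rb") as fh:
                cmd = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:  # process exited, or fd dir unreadable without root
            continue
        for fd in fds:
            try:
                m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(os.path.join(fd_dir, fd)))
            except OSError:
                continue
            if m:
                owners.setdefault(int(m.group(1)), []).append((int(pid), cmd))
    return owners

def attribute(sockets, owners):
    """Pair each socket with its owners.  An empty list means no visible process
    holds it: the connection was short-lived, we lack root, or the owner is hidden."""
    return [(s, owners.get(s["inode"], [])) for s in sockets]

def pids_from_ps(ps_output):
    """PID column (second field) of `ps -eaf` output, header skipped."""
    return [int(l.split()[1]) for l in ps_output.splitlines()[1:] if len(l.split()) > 1]

def hidden_pids(proc_pids, ps_pids):
    """PIDs in /proc that ps does not report, as a trojaned ps would hide.  Run ps
    before listing /proc and repeat to rule out processes that started in between."""
    return sorted(set(proc_pids) - set(ps_pids))

if __name__ == "__main__":
    lport = int(sys.argv[1]) if len(sys.argv) > 1 else None   # e.g. 6129
    rport = int(sys.argv[2]) if len(sys.argv) > 2 else None   # e.g. 220
    with open("/proc/net/tcp") as fh:
        socks = find_sockets(parse_proc_net_tcp(fh.read()), lport, rport)
    for s, who in attribute(socks, socket_owners()):
        print("%s:%d -> %s:%d %s inode=%d owners=%s" % (*s["local"], *s["remote"],
              s["state"], s["inode"], who or "none visible"))
    ps = subprocess.run(["ps", "-eaf"], capture_output=True, text=True).stdout
    proc_pids = [int(p) for p in os.listdir("/proc") if p.isdigit()]
    print("pids in /proc but not in ps:", hidden_pids(proc_pids, pids_from_ps(ps)))
```

Run it as root in a loop (`while :; do ./procjoin.py 6129 220; sleep 1; done`) while the firewall is dropping the SYNs: the retransmits keep the socket in SYN_SENT for a minute or so, long enough to catch the inode and its owner. A socket that shows up with no visible owner, or a PID present in /proc but absent from ps, is exactly the sign the Solaris admin quoted above was describing, and at that point the box's own tools should not be trusted any further.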