On 11/14/05, Levenglick, Jeff <[EMAIL PROTECTED]> wrote:
> Ok.. It looks like we are all confused.
> This is why I said mail:
>
> 1) He checked his mail logs for connects that were not RFC correct. He found 
> a few that did not ident correctly. The assumption now is that an SMTP server 
> or a telnet to port 25 connected to him (more than likely to see if his 
> server was not set up/patched correctly and would send spam).
>
> So, based on that, one would assume that you would connect back to the IP in 
> your log file on port 25 to see who they are. I think the problem is he did 
> not say what port he connected on to ident them. Yes, it could be 
> ident, NetBEUI, SMTP, FTP, etc.
>
> 2) He did say that he thought there was a backdoor in the mail server. 
> Because he is looking for and said mail server, I am assuming he connected on 
> port 25 to them. Someone said nmap, etc. to see a hidden port. Why? Assuming 
> the above, we know the port and the assumption is an FTP server on port 25. 
> (very strange, but who knows)
>
> Mike,
>
> what port did you connect to them on?
> also... if you connect on 25, what did it ident itself as? (i.e. SMTP server 
> version or FTP server version)
>
> rather than go through all of that... go to arin.net, do a whois on the IP 
> address you have and, if you have the time, call them.
> I would not run nmap against someone else; you could find yourself in legal 
> trouble.


Just to clarify some of the confusion:

I'm looking at logs on *my* email server, and network packet captures
from *my* network. My email server is sending out ident requests, to
port 113 on the affected destination servers. The replies received,
instead of being in the standard format as dictated by RFC 1413, are
coming back with the "220 ..:: €lit€-Cr€w Rulez ::..." and "530 Not
logged in..." messages. These messages are coming from the destination
servers. As an earlier poster stated, they fit the format of an ftp
transaction, aka RFC 959.

My server is (to my knowledge) acting fine. Most destination servers
return a correctly formatted ident reply when my server contacts them.
I'm only receiving the "220 ..:: €lit€-Cr€w Rulez ::..." messages from
6 (six) distinct IPs.

The comment about the backdoor was idle speculation on my part about
what these messages signified. After reviewing RFC 959 (FTP), I'm
quite certain they are in fact coming from an FTP daemon listening on
port 113 (ident).

I don't really want to post IPs here to a public mailing list, but
they appear to be scattered through the US/Europe.

I hope this clears things up.

Mike

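An added example, not code from either poster: a small RFC 1413 / RFC 959 reply classifier that does what Mike's analysis does by hand. It builds the ident query the mail server would send after accepting a connection from a remote port to its port 25, parses whatever comes back on TCP/113 as either a proper ident response or an FTP-style three-digit reply, and lists the hosts whose "ident" port is really answering as an FTP daemon. The sample captures, the addresses (RFC 5737 documentation ranges), the port numbers and the function names are all constructed for illustration; `probe_ident` performs a live query and is only there to show the exchange, it is not run by the sample.

```python
# Added example (not from the original thread): classify replies received on
# TCP/113 as RFC 1413 ident responses or RFC 959 FTP-style replies, and pull
# out the hosts whose ident port is really talking FTP.
import re
import socket

# RFC 1413 reply: "<port-on-server> , <port-on-client> : USERID : <opsys> : <userid>"
#             or  "<port-on-server> , <port-on-client> : ERROR : <error-type>"
IDENT_RE = re.compile(
    r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*:\s*(USERID|ERROR)\s*:\s*(.*?)\s*$"
)
# RFC 959 reply: three-digit code (x y z, x in 1-5, y in 0-5), then a space for a
# single-line reply or "-" for the first line of a multi-line reply, then text.
FTP_RE = re.compile(r"^([1-5][0-5]\d)([ -])(.*)$")


def build_ident_query(remote_port, local_port):
    """Query sent after accepting a connection from remote_port to local_port.

    RFC 1413 orders the pair from the queried host's point of view: the port on
    the host running the ident server (the remote side) comes first.
    """
    return f"{remote_port} , {local_port}\r\n"


def classify_reply(line, remote_port=None, local_port=None):
    """Describe one line read from port 113 as ident, ident-error, ftp or unknown."""
    text = line.rstrip("\r\n")
    m = IDENT_RE.match(text)
    if m:
        sp, cp, kind, rest = m.groups()
        result = {"kind": "ident" if kind == "USERID" else "ident-error",
                  "ports_echoed": True}
        # A conforming ident server echoes the port pair from the query.
        if remote_port is not None and local_port is not None:
            result["ports_echoed"] = (int(sp), int(cp)) == (remote_port, local_port)
        if kind == "USERID":
            opsys, _, userid = rest.partition(":")
            result["opsys"] = opsys.strip()
            result["userid"] = userid.strip()
        else:
            result["error"] = rest.strip()
        return result
    m = FTP_RE.match(text)
    if m:
        code, sep, body = m.groups()
        return {"kind": "ftp", "code": int(code), "multiline": sep == "-", "text": body}
    return {"kind": "unknown", "text": text}


def hosts_speaking_ftp_on_113(records):
    """records: iterable of (ip, reply_line). Return sorted IPs whose port-113
    reply parses as an FTP reply rather than an ident response."""
    flagged = {ip for ip, line in records if classify_reply(line)["kind"] == "ftp"}
    return sorted(flagged)


def probe_ident(host, remote_port, local_port, timeout=5.0):
    """Live check (needs network, not exercised by the sample): connect to host:113,
    send the RFC 1413 query and classify the first line that comes back."""
    with socket.create_connection((host, 113), timeout=timeout) as s:
        s.sendall(build_ident_query(remote_port, local_port).encode("ascii"))
        data = s.recv(1024)
    first = data.decode("latin-1", errors="replace").splitlines()[0] if data else ""
    return classify_reply(first, remote_port, local_port)


# Constructed sample captures (RFC 5737 documentation addresses): what a mail
# server might log after querying port 113 of hosts that connected to its port 25.
SAMPLE_RECORDS = [
    ("192.0.2.10",   "54321 , 25 : USERID : UNIX : postfix\r\n"),
    ("192.0.2.11",   "54322 , 25 : ERROR : HIDDEN-USER\r\n"),
    ("198.51.100.7", "220 ..:: €lit€-Cr€w Rulez ::..\r\n"),
    ("198.51.100.7", "530 Not logged in.\r\n"),
    ("203.0.113.42", "220-Welcome\r\n"),
    ("203.0.113.99", "\x00\xff garbage\r\n"),
]

if __name__ == "__main__":
    for ip, line in SAMPLE_RECORDS:
        print(ip, classify_reply(line))
    print("FTP daemon answering on 113:", hosts_speaking_ftp_on_113(SAMPLE_RECORDS))
```

The classifier only reads the first line, which is all the thread's evidence consists of; a host that greets with "220" on port 113 and answers the ident query with "530" is behaving exactly like an FTP server that was just sent an unrecognised command before login, which is the RFC 959 pattern Mike describes.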