Full Version: Relay But No Relay
andydis
help!

lol, one of my servers is getting spammed to hell (we are talking 1000s of emails per hour). It's Windows 2003 with Exchange 2003. IT IS NOT AN OPEN MAIL RELAY:
if you telnet to port 25 you cannot do mail from: a@a.com, rcpt to: a@a.com <relay denied>

here's an extract from the logs


As you can see, when it's spam it comes up with "terminal". What does this mean? Maybe it's a clue?

more logs attached

Up-to-date virus scan shows nothing, even with independent Stinger (McAfee).


004-02-26 05:54:31 200.217.176.14 terminal SMTPSVC2 AS1 223.123.100.3 0 DATA - <AS1yfwjHNuQuN6tdqVv000024c8@as1.autosigns.local> 250 0 132 936 3922 SMTP - - - -
2004-02-26 05:54:33 200.217.176.14 terminal SMTPSVC2 AS1 223.123.100.3 0 MAIL - +FROM:+<mikevoigtmikevoigt@HOTMAIL.COM> 250 0 55 43 0 SMTP - - - -
2004-02-26 05:54:35 200.217.176.14 terminal SMTPSVC2 AS1 223.123.100.3 0 RCPT - +TO:<mikevoigt@hotmail.com> 250 0 34 31 0 SMTP - - - -
2004-02-26 05:54:37 64.12.137.184 OutboundConnectionResponse SMTPSVC2 AS1 - 25 - - 220-rly-xj01.mx.aol.com+ESMTP+mail_relay_in-xj1.7;+Thu,+26+Feb+2004+00:53:09+-0500 0 0 82 0 109 SMTP - - - -
2004-02-26 05:54:37 64.12.137.184 OutboundConnectionCommand SMTPSVC2 AS1 - 25 EHLO - as1.autosigns.local 0 0 4 0 109 SMTP - - - -
2004-02-26 05:54:37 64.12.137.184 OutboundConnectionResponse SMTPSVC2 AS1 - 25 - - 250-rly-xj01.mx.aol.com+host217-40-149-202.in-addr.btopenworld.com 0 0 66 0 203 SMTP - - - -
2004-02-26 05:54:37 64.12.137.184 OutboundConnectionCommand SMTPSVC2 AS1 - 25 MAIL - FROM:<mikevicky1mikevicky1@KX100.NET> 0 0 4 0 203 SMTP - - - -
2004-02-26 05:54:37 64.12.137.184 OutboundConnectionResponse SMTPSVC2 AS1 - 25 - - 250+OK 0 0 6 0 312 SMTP - - - -
2004-02-26 05:54:37 64.12.137.184 OutboundConnectionCommand SMTPSVC2 AS1 - 25 RCPT - TO:<mikevicky1@aol.com> 0 0 4 0 312 SMTP - - - -
2004-02-26 05:54:37 64.12.137.184 OutboundConnectionResponse SMTPSVC2 AS1 - 25 - - 250+OK 0 0 6 0 703 SMTP - - - -
2004-02-26 05:54:37 64.12.137.184 OutboundConnectionCommand SMTPSVC2 AS1 - 25 DATA - - 0 0 4 0 703 SMTP - - - -
2004-02-26 05:54:37 64.12.137.184 OutboundConnectionResponse SMTPSVC2 AS1 - 25 - - 354+START+MAIL+INPUT,+END+WITH+"."+ON+A+LINE+BY+ITSELF 0 0 54 0 812 SMTP - - - -
2004-02-26 05:54:37 64.12.137.184 OutboundConnectionResponse SMTPSVC2 AS1 - 25 - - 250+OK 0 0 6 0 1062 SMTP - - - -
2004-02-26 05:54:37 64.12.137.184 OutboundConnectionCommand SMTPSVC2 AS1 - 25 QUIT - - 0 0 4 0 1093 SMTP - - - -
2004-02-26 05:54:38 64.12.137.184 OutboundConnectionResponse SMTPSVC2 AS1 - 25 - - 221+SERVICE+CLOSING+CHANNEL 0 0 27 0 1297 SMTP - - - -
2004-02-26 05:54:40 200.217.176.14 terminal SMTPSVC2 AS1 223.123.100.3 0 DATA - <AS1SVMum03yMJiQTyfP000024c9@as1.autosigns.local> 250 0 132 968 2984 SMTP - - - -
2004-02-26 05:54:42 200.217.176.14 terminal SMTPSVC2 AS1 223.123.100.3 0 MAIL - +FROM:+<mikevowellmikevowell@HOTMAIL.COM> 250 0 57 45 0 SMTP - - - -
2004-02-26 05:54:43 199.184.119.9 OutboundConnectionResponse SMTPSVC2 AS1 - 25 - - 220+parrot.inebraska.com+ESMTP+Postfix 0 0 38 0 125 SMTP - - - -
2004-02-26 05:54:43 199.184.119.9 OutboundConnectionCommand SMTPSVC2 AS1 - 25 EHLO - as1.autosigns.local 0 0 4 0 125 SMTP - - - -
2004-02-26 05:54:43 199.184.119.9 OutboundConnectionResponse SMTPSVC2 AS1 - 25 - - 250-parrot.inebraska.com 0 0 24 0 266 SMTP - - - -
2004-02-26 05:54:43 199.184.119.9 OutboundConnectionCommand SMTPSVC2 AS1 - 25 MAIL - FROM:<lcblcb@YAHOO.COM.JP>+SIZE=1277 0 0 4 0 266 SMTP - - - -
2004-02-26 05:54:43 199.184.119.9 OutboundConnectionResponse SMTPSVC2 AS1 - 25 - - 250+Ok 0 0 6 0 391 SMTP - - - -
2004-02-26 05:54:43 199.184.119.9 OutboundConnectionCommand SMTPSVC2 AS1 - 25 RCPT - TO:<lcb@tcgcs.com> 0 0 4 0 391 SMTP - - - -
2004-02-26 05:54:43 200.217.176.14 terminal SMTPSVC2 AS1 223.123.100.3 0 RCPT - +TO:<mikevowell@freeuk.com> 250 0 34 31 0 SMTP - - - -
2004-02-26 05:54:44 199.184.119.9 OutboundConnectionResponse SMTPSVC2 AS1 - 25 - - 450+<lcblcb@YAHOO.COM.JP>:+Sender+address+rejected:+Domain+not+found 0 0 68 0 1531 SMTP - - - -
2004-02-26 05:54:44 199.184.119.9 OutboundConnectionCommand SMTPSVC2 AS1 - 25 RSET - - 0 0 4 0 1531 SMTP - - - -
2004-02-26 05:54:44 199.184.119.9 OutboundConnectionResponse SMTPSVC2 AS1 - 25 - - 250+Ok 0 0 6 0 1891 SMTP - - - -
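The lines above are Exchange 2003 / IIS SMTPSVC protocol logs in W3C format. Inbound lines carry the server's own address in the s-ip column and the client's SMTP verb (MAIL, RCPT, DATA) with the server's reply code (250 = accepted); lines tagged OutboundConnectionCommand/OutboundConnectionResponse are the server's own onward deliveries. As an added example, not part of this thread, here is a small Python script that parses this layout and flags RCPT commands the server accepted from a non-trusted client for a non-local domain, which is the signature of mail being relayed despite the telnet test. The column names, the reading of the fourth column ("terminal" in the post) as the HELO/EHLO name the client announced, the local domain list and the trusted network list are assumptions for the example; the log lines inside it are constructed with TEST-NET addresses, not copied from a real server.

```python
"""Flag relayed mail in an Exchange/IIS SMTPSVC W3C log extract (added example)."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Field order assumed for the SMTPSVC W3C log (assumption, matching the
# 21-token lines quoted in the post).
FIELDS = [
    "date", "time", "c-ip", "cs-username", "s-sitename", "s-computername",
    "s-ip", "s-port", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status",
    "sc-win32-status", "sc-bytes", "cs-bytes", "time-taken", "cs-version",
    "cs-host", "cs(User-Agent)", "cs(Cookie)", "cs(Referer)",
]

ADDR_RE = re.compile(r"<([^<>]+)>")


def parse_line(line):
    """Split one W3C line into a dict; None for comments, blanks or odd lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["cs-uri-query"] = rec["cs-uri-query"].replace("+", " ")  # '+' encodes a space
    return rec


def extract_address(query):
    """Pull the <user@domain> out of a MAIL/RCPT query field, lower-cased."""
    m = ADDR_RE.search(query)
    return m.group(1).lower() if m else None


def find_relayed_rcpts(lines, local_domains, trusted_nets):
    """Inbound RCPT commands answered 250 for a recipient outside local_domains
    by a client outside trusted_nets: accepted relay, whatever the telnet test said."""
    local_domains = {d.lower() for d in local_domains}
    nets = [ip_network(n) for n in trusted_nets]
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # Outbound-connection lines have s-ip == '-'; only inbound RCPTs matter here.
        if rec["s-ip"] == "-" or rec["cs-method"] != "RCPT" or rec["sc-status"] != "250":
            continue
        rcpt = extract_address(rec["cs-uri-query"])
        if rcpt is None or "@" not in rcpt:
            continue
        if rcpt.rsplit("@", 1)[1] in local_domains:
            continue  # delivery to our own domain is not relaying
        try:
            client = ip_address(rec["c-ip"])
        except ValueError:
            continue
        if any(client in n for n in nets):
            continue  # internal clients are expected to send outbound mail
        hits.append({"when": f'{rec["date"]} {rec["time"]}', "client_ip": rec["c-ip"],
                     "helo": rec["cs-username"], "rcpt": rcpt})
    return hits


def summarize(hits):
    """Count accepted relay recipients per (client IP, announced HELO name)."""
    return Counter((h["client_ip"], h["helo"]) for h in hits)


# Constructed sample in the same layout as the post (TEST-NET/RFC 1918 addresses,
# example domains); it is not data from a real server.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2004-02-26 05:54:33 203.0.113.14 terminal SMTPSVC2 AS1 192.0.2.3 0 MAIL - +FROM:+<spammer@example.net> 250 0 55 43 0 SMTP - - - -
2004-02-26 05:54:35 203.0.113.14 terminal SMTPSVC2 AS1 192.0.2.3 0 RCPT - +TO:<victim@example.org> 250 0 34 31 0 SMTP - - - -
2004-02-26 05:54:36 203.0.113.14 terminal SMTPSVC2 AS1 192.0.2.3 0 RCPT - +TO:<user@example.com> 250 0 34 31 0 SMTP - - - -
2004-02-26 05:54:37 198.51.100.8 OutboundConnectionCommand SMTPSVC2 AS1 - 25 RCPT - TO:<victim@example.org> 0 0 4 0 312 SMTP - - - -
2004-02-26 05:54:40 203.0.113.14 terminal SMTPSVC2 AS1 192.0.2.3 0 RCPT - +TO:<other@example.org> 250 0 34 31 0 SMTP - - - -
2004-02-26 05:55:01 203.0.113.77 probe SMTPSVC2 AS1 192.0.2.3 0 RCPT - +TO:<a@example.org> 550 0 34 31 0 SMTP - - - -
2004-02-26 05:55:10 10.0.0.25 workstation SMTPSVC2 AS1 192.0.2.3 0 RCPT - +TO:<partner@example.org> 250 0 34 31 0 SMTP - - - -
"""


def analyse_sample():
    """Run the detector over the constructed sample; local domain and trusted net are assumptions."""
    hits = find_relayed_rcpts(SAMPLE_LOG.splitlines(), ["example.com"], ["10.0.0.0/8"])
    return hits, summarize(hits)


if __name__ == "__main__":
    hits, counts = analyse_sample()
    for (ip, helo), n in counts.most_common():
        print(f"{ip:<16} HELO={helo:<12} accepted relay recipients: {n}")
```

Run against the real log with the server's own domains and internal ranges filled in; a client IP that accumulates accepted RCPTs for foreign domains is being relayed for, and that is where to look next (authenticated-relay settings, a compromised account, or a process on the box submitting through the local SMTP service). The 550 line and the internal workstation line in the sample are there to show what the filter correctly ignores.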
GSecur
Hmm, could you run fport on the box and then paste the results here? It might be an app loaded even if nothing comes up in AV.
cecrex
heh..
Pro21
Yes, check with Fport or Handle. You may have some suspicious processes or services.

http://www.sysinternals.com/ntw2k/freeware/handle.shtml

And check that your server is not rootkited. Use this tool.
Latest version:

http://3wdesign.es/security/principal.html?u=82pxv20n


Otherwise, activate your firewall and block all requests to see intrusions and analyse the source of the problem.

Good luck
Invision Power Board © 2001-2005 Invision Power Services, Inc.