SMTP activity

john

Archived from groups: comp.security.firewalls (More info?)

I noticed a lot of SMTP activity from a workstation that should not be sending
that much email. When I asked the user about it, they reported that they
had not been sending email at all. I have scanned the machine for viruses, and
it appears to come up negative.

Is there another explanation for this activity?

John
 
Guest

John wrote:
> I noticed a lot of SMTP activity from a workstation that should not be sending
> that much email. When I asked the user about it, they reported that they
> had not been sending email at all. I have scanned the machine for viruses, and
> it appears to come up negative.
>
> Is there another explanation for this activity?
>
> John

OK. Let's see.

1. The machine is doing outbound connects to port 25.
2. The machine is a workstation, and should not be doing outbounds
to 25.
3. The user reports that HE's not running any processes that
would go outbound to 25.


4. Therefore, it's VERY likely that there's a NON-user process
(ie, server) doing outbounds to 25.


5. But, server processes on workstations going outbound to 25
are almost ALWAYS trojans / viruses / or rogue servers
controlled by third parties.
6. Therefore, your user's workstation almost certainly has
"trojans / viruses / or rogue servers controlled by
third parties".


7. But, your virus scanner isn't finding anything.
8. However, most virus scanners will NOT detect trojans or
installed rogue servers, AND many times will not detect
recently discovered viruses. Further, much recent malware
mucks around with any security processes you have running.
9. Therefore, your user's workstation is VERY likely infected
and / or controlled by a virus or third party process
your scanner doesn't detect, or has been prevented from
detecting.


10. Consequently, most likely you don't need another "explanation
for this activity", you just need other scanning methods
or tools. ZoneAlarm, Kerio or whatever, will often detect
any outbound malware processes IF installed after the
malware is -- safemode installation is your best bet. The
Sysinternals "autoruns" program will allow you to ID anything
that's autoloaded at startup. Knoppix will let you boot,
and examine the drive for files that shouldn't be there.
If the drive has an FAT32 filesystem, you can also delete
the alien files; if you have NTFS filesystems, you may be
able to install and run the recovery console, etc.
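A concrete way to establish step 1 of the reasoning above from the firewall's own records, written as an added example (it is not code from this thread or from any poster). It assumes a connection log in the constructed one-line-per-connection format shown, a workstation subnet of 10.1.2.0/24 and a sanctioned mail relay at 10.1.0.5; all of those are assumptions. A workstation that only hands mail to the relay is left alone; one that delivers directly to many outside hosts on port 25 is the fan-out pattern worth chasing with the tools listed above.

```python
"""Flag workstations that make outbound SMTP connections on their own.

Added example for this thread, not code from any poster. It assumes a
firewall or flow log with one connection per line in the constructed
format "timestamp src_ip:src_port dst_ip:dst_port proto"; the workstation
subnet and the sanctioned mail relay address are assumptions as well.
"""
import ipaddress
from collections import defaultdict

# Constructed sample log: 10.1.2.15 fans out to many external hosts on 25,
# 10.1.2.20 only talks to the corporate relay, 10.1.2.21 does plain HTTP,
# and 10.1.0.5 is the relay itself delivering mail outward.
SAMPLE_LOG = """\
2004-03-30T13:01:02 10.1.2.15:1034 10.1.0.5:25 tcp
2004-03-30T13:01:05 10.1.2.15:1035 203.0.113.10:25 tcp
2004-03-30T13:01:06 10.1.2.15:1036 198.51.100.7:25 tcp
2004-03-30T13:01:07 10.1.2.15:1037 192.0.2.44:25 tcp
2004-03-30T13:01:08 10.1.2.15:1038 192.0.2.45:25 tcp
2004-03-30T13:01:09 10.1.2.15:1039 192.0.2.46:25 tcp
2004-03-30T13:02:10 10.1.2.20:1100 10.1.0.5:25 tcp
2004-03-30T13:02:11 10.1.2.20:1101 10.1.0.5:25 tcp
2004-03-30T13:02:12 10.1.2.21:1200 203.0.113.80:80 tcp
2004-03-30T13:03:00 10.1.0.5:4000 203.0.113.10:25 tcp
"""

WORKSTATION_NET = ipaddress.ip_network("10.1.2.0/24")   # assumption
MAIL_RELAY = ipaddress.ip_address("10.1.0.5")           # assumption


def parse_line(line):
    """Split one log line into its fields; ports become ints."""
    ts, src, dst, proto = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": ts, "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port), "proto": proto}


def smtp_talkers(log_text):
    """Map each workstation source IP to the set of non-relay hosts it
    connected to on TCP/25. Connections to the sanctioned relay are the
    normal client behaviour and are not counted."""
    dests = defaultdict(set)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["proto"] != "tcp" or rec["dst_port"] != 25:
            continue
        src = ipaddress.ip_address(rec["src_ip"])
        dst = ipaddress.ip_address(rec["dst_ip"])
        if src not in WORKSTATION_NET or dst == MAIL_RELAY:
            continue
        dests[rec["src_ip"]].add(rec["dst_ip"])
    return dict(dests)


def flag_suspects(log_text, min_distinct_dests=3):
    """Return [(src_ip, distinct_destination_count)] for workstations that
    delivered mail directly to at least min_distinct_dests outside hosts,
    the fan-out pattern of a mass-mailing worm or spam relay, most first."""
    talkers = smtp_talkers(log_text)
    hits = [(ip, len(d)) for ip, d in talkers.items()
            if len(d) >= min_distinct_dests]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


if __name__ == "__main__":
    for ip, n in flag_suspects(SAMPLE_LOG):
        print(f"{ip}: direct SMTP to {n} distinct external hosts")
```

On the sample data only 10.1.2.15 is reported (five distinct outside hosts); 10.1.2.20 never appears because it only uses the relay. The threshold is deliberately a parameter: a legitimate secondary mail client configured by a user might reach one or two outside hosts, whereas a mailer worm reaches dozens.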
 

bill


Bluto wrote:

> John wrote:
>
>> I noticed a lot of SMTP activity from a workstation that should not be
>> sending that much email. When I asked the user about it, they reported
>> that they had not been sending email at all. I have scanned the machine
>> for viruses, and it appears to come up negative.
>>
>> Is there another explanation for this activity?
>>
>> John
>
>
> OK. Let's see.
>
> 1. The machine is doing outbound connects to port 25.

1 - How do you know this machine is doing outbound connects to port 25?
Ever hear of source address spoofing?

> 2. The machine is a workstation, and should not be doing outbounds
> to 25.

2 - Any email client that sends messages makes outbound SMTP connections
unless it's using IMAP. POP3 doesn't accept messages. I can configure
Mozilla to send SMTP to any number of hosts.

> 3. The user reports that HE's not running any processes that
> would go outbound to 25.
>
>
> 4. Therefore, it's VERY likely that there's a NON-user process
> (ie, server) doing outbounds to 25.
>
>
> 5. But, server processes on workstations going outbound to 25
> are almost ALWAYS trojans / viruses / or rogue servers
> controlled by third parties.
> 6. Therefore, your user's workstation almost certainly has
> "trojans / viruses / or rogue servers controlled by
> third parties".
>
>
> 7. But, your virus scanner isn't finding anything.
> 8. However, most virus scanners will NOT detect trojans or
> installed rogue servers, AND many times will not detect
> recently discovered viruses. Further, much recent malware
> mucks around with any security processes you have running.

8 - Any virus scanner that doesn't find a trojan is worthless. You pay
for them to detect these things, don't you?

> 9. Therefore, your user's workstation is VERY likely infected
> and / or controlled by a virus or third party process
> your scanner doesn't detect, or has been prevented from
> detecting.
>
>
> 10. Consequently, most likely you don't need another "explanation
> for this activity", you just need other scanning methods
> or tools. ZoneAlarm, Kerio or whatever, will often detect
> any outbound malware processes IF installed after the
> malware is -- safemode installation is your best bet. The
> Sysinternals "autoruns" program will allow you to ID anything
> that's autoloaded at startup. Knoppix will let you boot,
> and examine the drive for files that shouldn't be there.
> If the drive has an FAT32 filesystem, you can also delete
> the alien files; if you have NTFS filesystems, you may be
> able to install and run the recovery console, etc.

10 - My suggestion - run a packet sniffer (ethereal works nicely) and
check the packets. Look for the MAC that's sending the messages. Then,
if your switch is manageable, look up the port(s) that are using that
MAC address. That will identify which workstation is sending the
traffic. Then, start debugging the workstation. Chances are that it's
not the machine you might think it is.
 

john


Thanks for that clear analysis. <g> I suppose I can't deny the facts.
I'll check out your suggestions, and hopefully get this cleaned up.

Thanks again,

John


"Bluto" <arf-arf@doubleclick.net> wrote in message
news:ke-dnckyJoSmJvTdRVn-hg@comcast.com...
> John wrote:
> > I noticed a lot of SMTP activity from a workstation that should not be
> > sending that much email. When I asked the user about it, they reported
> > that they had not been sending email at all. I have scanned the machine
> > for viruses, and it appears to come up negative.
> >
> > Is there another explanation for this activity?
> >
> > John
>
> OK. Let's see.
>
> 1. The machine is doing outbound connects to port 25.
> 2. The machine is a workstation, and should not be doing outbounds
> to 25.
> 3. The user reports that HE's not running any processes that
> would go outbound to 25.
>
>
> 4. Therefore, it's VERY likely that there's a NON-user process
> (ie, server) doing outbounds to 25.
>
>
> 5. But, server processes on workstations going outbound to 25
> are almost ALWAYS trojans / viruses / or rogue servers
> controlled by third parties.
> 6. Therefore, your user's workstation almost certainly has
> "trojans / viruses / or rogue servers controlled by
> third parties".
>
>
> 7. But, your virus scanner isn't finding anything.
> 8. However, most virus scanners will NOT detect trojans or
> installed rogue servers, AND many times will not detect
> recently discovered viruses. Further, much recent malware
> mucks around with any security processes you have running.
> 9. Therefore, your user's workstation is VERY likely infected
> and / or controlled by a virus or third party process
> your scanner doesn't detect, or has been prevented from
> detecting.
>
>
> 10. Consequently, most likely you don't need another "explanation
> for this activity", you just need other scanning methods
> or tools. ZoneAlarm, Kerio or whatever, will often detect
> any outbound malware processes IF installed after the
> malware is -- safemode installation is your best bet. The
> Sysinternals "autoruns" program will allow you to ID anything
> that's autoloaded at startup. Knoppix will let you boot,
> and examine the drive for files that shouldn't be there.
> If the drive has an FAT32 filesystem, you can also delete
> the alien files; if you have NTFS filesystems, you may be
> able to install and run the recovery console, etc.
>
 
Guest

On Tue, 30 Mar 2004 13:10:43 -0800, Bill spoketh

>> 1. The machine is doing outbound connects to port 25.
>
>1 - How do you know this machine is doing outbound connects to port 25.
>Ever hear of source address spoofing?

There are other means of identifying a computer than IP address.
Matching IP address, MAC address and interface on switch will pretty
much narrow it down to one source...

>
>> 2. The machine is a workstation, and should not be doing outbounds
>> to 25.
>
>2 - Any email client that sends messages makes outbound SMTP connections
>unless it's using IMAP. POP3 doesn't accept messages. I can configure
>mozilla to send SMTP to any number of hosts.

Most corporate solutions do not have clients that use SMTP. They hand
off the message to the server, and then the server sends it out using
SMTP. Since this appears to be a corporate environment, I wouldn't
expect a mail client on a computer to send any outbound SMTP unless the
user has configured a secondary mail client...

>> 7. But, your virus scanner isn't finding anything.
>> 8. However, most virus scanners will NOT detect trojans or
>> installed rogue servers, AND many times will not detect
>> recently discovered viruses. Further, much recent malware
>> mucks around with any security processes you have running.
>
>8 - Any virus scanner that doesn't find a trojan is worthless. You pay
>for them to detect these things, don't you?
>

Totally agree. Most virus scanners pick up most trojans. There may have
been a discrepancy earlier regarding what was considered a trojan and
what was not, but today's corporate anti-virus software picks up pretty
much everything.



Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
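Bill's suggestion earlier in the thread (sniff the traffic, find the MAC address that is really sending, look it up on the managed switch) and Lars's point above (matching IP address, MAC address and switch interface narrows it to one source) come down to the same correlation. The following is an added example of that correlation, not code from either poster. Its three inputs are all constructed: per-connection records of the kind a capture tool such as Ethereal shows (source MAC, source IP, destination, port), a DHCP-lease/ARP table of which MAC legitimately holds each IP, and a switch MAC-address table mapping MAC to port. The sample deliberately includes a second hardware address using 10.1.2.15 as its source IP, so the spoofing case Bill raised is what the report has to surface.

```python
"""Tie SMTP traffic to a physical switch port, and notice a spoofed source.

Added example for this thread, not any poster's code. The inputs are
constructed: sniffer records of the kind a capture tool such as Ethereal
shows for each connection to port 25 (source MAC, source IP, destination),
a DHCP-lease/ARP table of which MAC legitimately holds each IP, and a
managed switch's MAC-address table (MAC -> port). Every value below is an
assumption.
"""
from collections import Counter, defaultdict

SNIFFED = [  # (src_mac, src_ip, dst_ip, dst_port), constructed
    ("00:0c:29:aa:bb:01", "10.1.2.15", "203.0.113.10", 25),
    ("00:0c:29:aa:bb:01", "10.1.2.15", "198.51.100.7", 25),
    ("00:0c:29:aa:bb:01", "10.1.2.15", "192.0.2.44", 25),
    # same source IP, but a different hardware address: some other box is
    # sending with 10.1.2.15 as its source (source address spoofing)
    ("00:0c:29:aa:bb:02", "10.1.2.15", "192.0.2.45", 25),
    ("00:0c:29:aa:bb:02", "10.1.2.15", "192.0.2.46", 25),
    ("00:0c:29:aa:bb:03", "10.1.2.20", "10.1.0.5", 25),
    ("00:0c:29:aa:bb:03", "10.1.2.20", "203.0.113.80", 80),
]

EXPECTED_MAC = {  # from DHCP leases / ARP cache, constructed
    "10.1.2.15": "00:0c:29:aa:bb:01",
    "10.1.2.20": "00:0c:29:aa:bb:03",
}

SWITCH_MAC_TABLE = {  # MAC -> switch port, as learned by the switch, constructed
    "00:0c:29:aa:bb:01": "Gi0/12",
    "00:0c:29:aa:bb:02": "Gi0/37",
    "00:0c:29:aa:bb:03": "Gi0/13",
}


def attribute_smtp_sources(sniffed, expected_mac, mac_table):
    """For every source IP seen connecting to TCP/25, list each hardware
    address that used it, how many connections it made, the switch port
    that MAC was learned on, and whether the MAC disagrees with the
    address the IP was leased to."""
    macs_by_ip = defaultdict(Counter)
    for mac, ip, _dst, port in sniffed:
        if port == 25:
            macs_by_ip[ip][mac] += 1
    report = {}
    for ip, counts in macs_by_ip.items():
        report[ip] = [
            {
                "mac": mac,
                "connections": n,
                "port": mac_table.get(mac, "unknown"),
                "mismatch": ip in expected_mac and expected_mac[ip] != mac,
            }
            for mac, n in sorted(counts.items())
        ]
    return report


def ports_for_ip(report, ip):
    """Switch ports that actually carried SMTP with this source IP."""
    return sorted({e["port"] for e in report.get(ip, [])})


def spoofed_sources(report):
    """(ip, mac, port) triples where the sender's MAC is not the one the IP
    belongs to: the machine to debug sits on that port, not on the one
    the IP address alone would point at."""
    return [(ip, e["mac"], e["port"]) for ip, entries in report.items()
            for e in entries if e["mismatch"]]


if __name__ == "__main__":
    rep = attribute_smtp_sources(SNIFFED, EXPECTED_MAC, SWITCH_MAC_TABLE)
    for ip in rep:
        print(ip, "->", ports_for_ip(rep, ip))
    for ip, mac, port in spoofed_sources(rep):
        print(f"spoofed: {ip} sent from {mac} on port {port}")
```

For the sample, 10.1.2.15 resolves to two ports: Gi0/12, where the address really lives, and Gi0/37, where a second MAC is borrowing it. A MAC absent from the switch table is reported as "unknown", which in practice usually means the capture was taken behind a router or the switch has aged the entry out; re-capture closer to the access switch before drawing conclusions.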
 
Guest

You bring up a lot of good points, but I think they're aimed at the
wrong target.

If a corporate system gets infected, it's more the fault of the
administrator and corporate policy than it is the AV software.

All corporate anti-virus software has the ability to remove attachments
from incoming e-mails based on extensions. That means that there are
simple ways of effectively blocking all executable attachments before
they reach the client.

Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
 
Guest

You bring up a lot of good points, but I think they're aimed at the
wrong target.

If a corporate system gets infected, it's more the fault of the
administrator and corporate policy than it is the AV software.

All corporate anti-virus software has the ability to remove attachments
from incoming e-mails based on extensions. That means that there are
simple ways of effectively blocking all executable attachments before
they reach the client. Some companies even block non-executable
attachments which are known to carry viruses (MS Word, MS Excel, etc).

All virus signatures should be updated at least every 24 hours.
Scheduling works fine on the corporate products I've used, so that's not
an issue. Any administrator that hasn't set their AV software to update
itself every night has greatly underestimated the threat of current
viruses. I have not had any issues with the scheduling service on any
NT4 server or W2K server, but maybe that's just me...

There is little protection against day-zero viruses. You can secure IE
by applying proper policy, which with AD is a fairly uncomplicated task.
Blocking Active-X by policy is a simple matter, as is restricting
Java/JavaScript.

So, there are ways to limit your exposure to these threats. The fact
that some companies still are infected just goes to show that some
admins have more money than brains, or that upper management has no clue
how expensive downtime is and how little it costs to protect against it.

Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
 
Guest

On Wed, 31 Mar 2004 12:24:35 GMT, Lars M. Hansen
<badnews@hansenonline.net> wrote:

>There is little protection against day-zero viruses. You can secure IE
>by applying proper policy, which with AD is a fairly uncomplicated task.
>Blocking Active-X by policy is a simple matter, as is restricting
>Java/JavaScript.

Would you recommend restricting Java/JavaScript and blocking
Activex? I ask it because it seems that many corporate web sites are
adopting all these techniques in their sites. For instance Canada Post
(www.canadapost.ca) has argued with me that 'text-only' means 'with
no graphics', but they can use Flash, Java, etc.

Geo
 
Guest

On Wed, 31 Mar 2004 16:17:26 GMT, GEO Me spoketh

>On Wed, 31 Mar 2004 12:24:35 GMT, Lars M. Hansen
><badnews@hansenonline.net> wrote:
>
>>There is little protection against day-zero viruses. You can secure IE
>>by applying proper policy, which with AD is a fairly uncomplicated task.
>>Blocking Active-X by policy is a simple matter, as is restricting
>>Java/JavaScript.
>
> Would you recommend restricting Java/JavaScript and blocking
>Activex? I ask it because it seems that many corporate web sites are
>adopting all these techniques in their sites. For instance Canada Post
>(www.canadapost.ca) has argued with me that 'text-only' means 'with
>no graphics', but they can use Flash, Java, etc.
>
> Geo

With the proper use of blocking ActiveX/Java/JavaScript and using Zones,
one can ensure that untrusted sites don't get to run anything funky,
yet trusted sites get a little more leeway. So, yes, I would block it
for sites in the "Internet Zone" (which equates to the "High" setting),
and use a "Low" setting on the "Trusted Zone". Whether to trust
CanadaPost.ca would be up to you :)

Although I haven't used a text-only browser in about 15 years, I think
text-only means "text-only" meaning that if it's not text, the browser
ignores it.


Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
 
Guest

On Wed, 31 Mar 2004 18:53:57 GMT, Lars M. Hansen
<badnews@hansenonline.net> wrote:

>With the proper use of blocking ActiveX/Java/JavaScript and using Zones,
>one can ensure that untrusted sites don't get to run anything funky,
>yet trusted sites get a little more leeway. So, yes, I would block it
>for sites in the "Internet Zone" (which equates to the "High" setting),
>and use a "Low" setting on the "Trusted Zone". Whether to trust
>CanadaPost.ca would be up to you :)
>
>Although I haven't used a text-only browser in about 15 years, I think
>text-only means "text-only" meaning that if it's not text, the browser
>ignores it.

Thank you very much.
With a dial-up connection some of these Flash/Java/JavaScript sites
become very slow to load.

Geo
 
Guest

Lars M. Hansen wrote:

>With the proper use of blocking ActiveX/Java/JavaScript and using Zones,
>one can ensure that untrusted sites don't get to run anything funky,

With XP's IE, "zones" are completely worthless. Any website can
execute code on your machine in your "trusted zone". No patch from
MotherShip yet.

I'd like to hear how the famous "I've never been compromised" crew
handles that. Oh yeah, I guess they never use "ActiveX/Java/
JavaScript". In that case, the only difference between IE and lynx is
the pretty pictures.
 
Guest

On 1 Apr 2004 00:02:15 -0600, Micheal Robert Zium spoketh

>Lars M. Hansen wrote:
>
>>With the proper use of blocking ActiveX/Java/JavaScript and using Zones,
>>one can ensure that untrusted sites don't get to run anything funky,
>
>With XP's IE, "zones" are completely worthless. Any website can
>execute code on your machine in your "trusted zone". No patch from
>MotherShip yet.
>

Really? Any references to this anywhere?

Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
 
Guest

On 1 Apr 2004 00:02:15 -0600, Micheal Robert Zium spoketh

>Lars M. Hansen wrote:
>
>>With the proper use of blocking ActiveX/Java/JavaScript and using Zones,
>>one can ensure that untrusted sites don't get to run anything funky,
>
>With XP's IE, "zones" are completely worthless. Any website can
>execute code on your machine in your "trusted zone". No patch from
>MotherShip yet.
>
>I'd like to hear how the famous "I've never been compromised" crew
>handles that. Oh yeah, I guess they never use "ActiveX/Java/
>JavaScript". In that case, the only difference between IE and lynx is
>the pretty pictures.

Sites added by a user to the trusted zone are there so that the special
features on the site in question will indeed run. So, that's a "by
design feature" and doesn't require a fix. If you (or others) feel that
the policy for the "trusted zone" is too lax, you are free to edit the
rules to better suit your needs.

Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
 
Guest

Lars M. Hansen wrote:

>On 1 Apr 2004 00:02:15 -0600, Micheal Robert Zium spoketh
>
>>Lars M. Hansen wrote:
>>
>>>With the proper use of blocking ActiveX/Java/JavaScript and using Zones,
>>>one can ensure that untrusted sites don't get to run anything funky,
>>
>>With XP's IE, "zones" are completely worthless. Any website can
>>execute code on your machine in your "trusted zone". No patch from
>>MotherShip yet.
>>
>
>Really? Any references to this anywhere?

Tons. How many do you want?

Description:
http://www.securityfocus.com/archive/1/355149/2004-02-24/2004-03-01/0
http://www.securityfocus.com/archive/1/354447
POC:
http://ip3e83566f.speed.planet.nl/security/newone/exploit.htm

MotherShip, where are you?
 
Guest

Lars M. Hansen wrote:

>On 1 Apr 2004 00:02:15 -0600, Micheal Robert Zium spoketh
>
>>Lars M. Hansen wrote:
>>
>>>With the proper use of blocking ActiveX/Java/JavaScript and using Zones,
>>>one can ensure that untrusted sites don't get to run anything funky,
>>
>>With XP's IE, "zones" are completely worthless. Any website can
>>execute code on your machine in your "trusted zone". No patch from
>>MotherShip yet.
>>
>>I'd like to hear how the famous "I've never been compromised" crew
>>handles that. Oh yeah, I guess they never use "ActiveX/Java/
>>JavaScript". In that case, the only difference between IE and lynx is
>>the pretty pictures.
>
>Sites added by a user to the trusted zone are there so that the special
>features on the site in question will indeed run. So, that's a "by
>design feature" and doesn't require a fix. If you (or others) feel that
>the policy for the "trusted zone" is too lax, you are free to edit the
>rules to better suit your needs.

MotherShip won't listen. 0-day is here to stay.
 
Guest

On 1 Apr 2004 00:02:15 -0600, Micheal Robert Zium
<mrozium@XSPAMX-yahoo.com> wrote:

>
>I'd like to hear how the famous "I've never been compromised" crew
>handles that. Oh yeah, I guess they never use "ActiveX/Java/
>JavaScript". In that case, the only difference between IE and lynx is
>the pretty pictures.
>
Win 3.1 and Luckman Mosaic work too. Can see some GIF.
:)
Geo
 
Guest

Lars M. Hansen wrote:

>On 1 Apr 2004 00:02:15 -0600, Micheal Robert Zium spoketh
>
>>Lars M. Hansen wrote:
>>
>>>With the proper use of blocking ActiveX/Java/JavaScript and using Zones,
>>>one can ensure that untrusted sites don't get to run anything funky,
>>
>>With XP's IE, "zones" are completely worthless. Any website can
>>execute code on your machine in your "trusted zone". No patch from
>>MotherShip yet.
>>
>
>Really? Any references to this anywhere?

What? No comments on the links I posted? I figured you'd at least
say "Damn, you're right".
 
Guest

On 18 Apr 2004 16:35:06 -0500, Micheal Robert Zium spoketh

>
>What? No comments on the links I posted? I figured you'd at least
>say "Damn, you're right".

Appears to have been fixed 2 months prior to this thread:

http://www.microsoft.com/downloads/details.aspx?FamilyID=90ae6b99-93aa-4eff-b97b-a72e336c3905&displaylang=en

Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"
 
Guest

Lars M. Hansen wrote:

>On 18 Apr 2004 16:35:06 -0500, Micheal Robert Zium spoketh
>
>>
>>What? No comments on the links I posted? I figured you'd at least
>>say "Damn, you're right".
>
>Appears to have been fixed 2 months prior to this thread:
>
>http://www.microsoft.com/downloads/details.aspx?FamilyID=90ae6b99-93aa-4eff-b97b-a72e336c3905&displaylang=en

Nope, the fix just came out last Wednesday.
 
Guest

On 18 Apr 2004 16:35:06 -0500, Micheal Robert Zium
<mrozium@XSPAMX-yahoo.com> wrote:

>Lars M. Hansen wrote:

>>>>With the proper use of blocking ActiveX/Java/JavaScript and using Zones,
>>>>one can ensure that untrusted sites don't get to run anything funky,

>>>With XP's IE, "zones" are completely worthless. Any website can
>>>execute code on your machine in your "trusted zone". No patch from
>>>MotherShip yet.

Do I understand this correctly? It sounds as if putting one's trust
on Mother$ is not much of an assurance. Assurances that can be
reversed in a few days or weeks?

From 'Trust me, I am a doctor', to ' Trust me. I am a used car
salesman' ?? <g>

Geo
 
Guest

On Wed, 21 Apr 2004 03:07:10 GMT, GEO Me spoketh

>
> Do I understand this correctly? It sounds as if putting one's trust
>on Mother$ is not much of an assurance. Assurances that can be
>reversed in a few days or weeks?
>
> From 'Trust me, I am a doctor', to ' Trust me. I am a used car
>salesman' ?? <g>
>
> Geo

You always have a choice. If you're afraid that Internet Explorer is a
threat to your computer, then download Mozilla, Opera or Netscape.

A mitigating factor with the exploit that Michael mentions is that you
actually have to go to a web-site that uses this exploit to run code on
your computer. For most people, exercising some common sense would
prevent this from happening...


Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)
 
Guest

On Wed, 21 Apr 2004 07:38:33 -0400, Lars M. Hansen
<badnews@hansenonline.net> wrote:

>> Do I understand this correctly? It sounds as if putting one's trust
>>on Mother$ is not much of an assurance. Assurances that can be
>>reversed in a few days or weeks?

>You always have a choice. If you're afraid that Internet Explorer is a
>threat to your computer, then download Mozilla, Opera or Netscape.

Thank you. I'll keep your advice in mind.

Geo
 
Guest

GEO Me wrote:

>On 18 Apr 2004 16:35:06 -0500, Micheal Robert Zium
><mrozium@XSPAMX-yahoo.com> wrote:
>
>>Lars M. Hansen wrote:
>
>>>>>With the proper use of blocking ActiveX/Java/JavaScript and using Zones,
>>>>>one can ensure that untrusted sites don't get to run anything funky,
>
>>>>With XP's IE, "zones" are completely worthless. Any website can
>>>>execute code on your machine in your "trusted zone". No patch from
>>>>MotherShip yet.
>
> Do I understand this correctly? It sounds as if putting one's trust
>on Mother$ is not much of an assurance. Assurances that can be
>reversed in a few days or weeks?

It's not safe to trust any software, unless you've written it, or
audited it yourself. However, trust and Microsoft have always been
mutually exclusive. Who in their right mind would trust them?

> From 'Trust me, I am a doctor', to ' Trust me. I am a used car
>salesman' ?? <g>
>
> Geo

Yeah, like "Trust me, I have your best interests in mine...er, MIND."
 
Guest

Lars M. Hansen wrote:

>A mitigating factor with the exploit that Michael mentions is that you
>actually have to go to a web-site that uses this exploit to run code on
>your computer. For most people, exercising some common sense would
>prevent this from happening...

Wrong, again. Outhouse Excess is also affected (surprised?). A
specially-crafted e-mail could also ruin your day with no user input
other than viewing it. MotherShip knew about this exploit for months,
yet they dragged their feet until it was massively exploited.

Also, "most people" and "common sense" appear to be mutually exclusive
as well.
 
Guest

GEO Me wrote:

>On Wed, 21 Apr 2004 07:38:33 -0400, Lars M. Hansen
><badnews@hansenonline.net> wrote:
>
>>You always have a choice. If you're afraid that Internet Explorer is a
>>threat to your computer, then download Mozilla, Opera or Netscape.
>
> Thank you. I'll keep your advice in mind.

Good idea, and sound advice.