Starting today, we spam back!
Well, unfortunately it is only a drop in the volcano. Over the last few days the amount of spam here has risen by a few hundred percent, some of it even "advertising" for German sites. That makes me wonder: who believes something like that is good for their reputation?!
Hey you, buy my Rolex!
Hey you, buy my Rolex!
Hey you, buy my Rolex!
Well, anyway, one of the "spam cannons" from China is still online, and who would have guessed, it is a W2k3 box with every service imaginable. Oddly enough, not the M$ SMTP service, which probably chokes on that many spams.
telnet 60.247.2.241 25
220 CCProxy 6.4.2 SMTP Service Ready
FICKEN DU SPAMMER!
501 command argument is not acceptable
I am wondering whether the server was hacked or whether it exists solely to distribute spam. Let's see what else we can find out:
Yes, the box is in China. Great, it will take them a while to find me...
Quick, another look, and definitely no link to them in here!
Damn, where is my nmap? Oh right, there was something...
(Never use the wrong HDD as the source when recovering a mirror RAID! Learning through pain...)
C:\nmap-4.76>nmap -v -A 60.247.2.241
Starting Nmap 4.76 ( http://nmap.org ) at 2009-03-16 22:30 Westeuropäische Normalzeit
Initiating Ping Scan at 22:30
Scanning 60.247.2.241 [2 ports]
Completed Ping Scan at 22:30, 0.88s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:30
Completed Parallel DNS resolution of 1 host. at 22:30, 0.91s elapsed
Initiating SYN Stealth Scan at 22:30
Scanning 60.247.2.241 [1000 ports]
Discovered open port 443/tcp on 60.247.2.241
Discovered open port 80/tcp on 60.247.2.241
Discovered open port 23/tcp on 60.247.2.241
Discovered open port 25/tcp on 60.247.2.241
Discovered open port 3389/tcp on 60.247.2.241
Discovered open port 119/tcp on 60.247.2.241
Discovered open port 1025/tcp on 60.247.2.241
Discovered open port 110/tcp on 60.247.2.241
Discovered open port 2121/tcp on 60.247.2.241
Discovered open port 1080/tcp on 60.247.2.241
Increasing send delay for 60.247.2.241 from 0 to 5 due to 119 out of 396 dropped probes since last increase.
SYN Stealth Scan Timing: About 66.93% done; ETC: 22:32 (0:00:30 remaining)
SYN Stealth Scan Timing: About 71.63% done; ETC: 22:33 (0:00:39 remaining)
SYN Stealth Scan Timing: About 82.08% done; ETC: 22:33 (0:00:30 remaining)
Discovered open port 8080/tcp on 60.247.2.241
Completed SYN Stealth Scan at 22:35, 270.17s elapsed (1000 total ports)
Initiating Service scan at 22:35
Scanning 11 services on 60.247.2.241
Completed Service scan at 22:37, 124.03s elapsed (11 services on 1 host)
Initiating OS detection (try #1) against 60.247.2.241
Retrying OS detection (try #2) against 60.247.2.241
60.247.2.241: guessing hop distance at 13
Initiating Traceroute at 22:37
Completed Traceroute at 22:37, 2.17s elapsed
Initiating Parallel DNS resolution of 15 hosts. at 22:37
Completed Parallel DNS resolution of 15 hosts. at 22:37, 6.01s elapsed
SCRIPT ENGINE: Initiating script scanning.
Initiating SCRIPT ENGINE at 22:37
Completed SCRIPT ENGINE at 22:38, 30.63s elapsed
Host 60.247.2.241 appears to be up ... good.
Interesting ports on 60.247.2.241:
Not shown: 984 closed ports
PORT STATE SERVICE VERSION
23/tcp open telnet CCProxy telnet configuration
25/tcp open smtp-proxy CCProxy smtp proxy 6.4.2
|_ SMTPcommands: EHLO SVCTAG-55VS72X, 250 AUTH LOGIN
80/tcp open http?
|_ HTML title: Site doesn't have a title.
110/tcp open pop3-proxy CCProxy pop3d 6.4.2
|_ POP3 Capabilites: capa
119/tcp open nntp-proxy CCProxy NNTP proxy
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
443/tcp open https?
|_ HTML title: Site doesn't have a title.
445/tcp filtered microsoft-ds
593/tcp filtered http-rpc-epmap
1025/tcp open msrpc Microsoft Windows RPC
1080/tcp open socks5 (No authentication; connection ok)
2121/tcp open ftp
3389/tcp open microsoft-rdp Microsoft Terminal Service
4444/tcp filtered krb524
8080/tcp open http-proxy?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port2121-TCP:V=4.76%I=7%D=3/16%Time=49BEC61B%P=i686-pc-windows-windows%
SF:r(NULL,79,"220-CCProxy\x20FTP\x20Service\r\n220-you\x20need\x20to\x20in
SF:put\x20userid@site\x20as\x20login\x20name\.\r\n220\x20Example:\x20user\
SF:x20anonymous@ftp\.netscape\.com\r\n")%r(Help,79,"220-CCProxy\x20FTP\x20
SF:Service\r\n220-you\x20need\x20to\x20input\x20userid@site\x20as\x20login
SF:\x20name\.\r\n220\x20Example:\x20user\x20anonymous@ftp\.netscape\.com\r
SF:\n")%r(SMBProgNeg,79,"220-CCProxy\x20FTP\x20Service\r\n220-you\x20need\
SF:x20to\x20input\x20userid@site\x20as\x20login\x20name\.\r\n220\x20Exampl
SF:e:\x20user\x20anonymous@ftp\.netscape\.com\r\n");
Device type: general purpose
Running (JUST GUESSING) : Microsoft Windows 2003 (85%)
Aggressive OS guesses: Microsoft Windows Server 2003 SP1 (85%), Microsoft Windows Server 2003 SP1 or SP2 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 13 hops
TCP Sequence Prediction: Difficulty=254 (Good luck!)
IP ID Sequence Generation: Busy server or unknown class
Service Info: OS: Windows
TRACEROUTE (using port 389/tcp)
HOP RTT ADDRESS
1 0.00 localhost (256.256.256.1)
2 63.00 217.0.116.86
3 79.00 217.0.70.18
4 78.00 217.239.37.122
5 343.00 202.97.73.9
6 359.00 202.97.52.82
7 328.00 202.97.52.101
8 329.00 202.97.60.6
9 344.00 202.97.53.125
10 609.00 202.97.53.106
11 360.00 bj141-131-54.bjtelecom.net (219.141.131.54)
12 344.00 bj141-130-101.bjtelecom.net (219.141.130.101)
13 343.00 bj141-130-38.bjtelecom.net (219.141.130.38)
14 359.00 60.247.2.241
Read data files from: nmap-4.76
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 443.83 seconds
Raw packets sent: 1821 (82.770KB) | Rcvd: 1065 (44.177KB)
Aha, so basically a "we install every proxy we can find" setup.
This is presumably what is installed... To hide the real source of the spam, I guess. Essentially a home-built zombie. Someone from Europe might have a hard time with the RPC, considering the character set... The current CCProxy version is 6.63; the server apparently has 6.4.2 installed.
CCProxy Server HTTP 'CONNECT' Request Buffer Overflow Vulnerability
CCProxy is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. Attackers could exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely cause denial-of-service conditions. This issue affects CCProxy 6.61; other versions may also be affected. Solution: The vendor has released an update. Please see the references for more information.
So, so, somebody was not paying attention.
For reference, here is the HTTP protocol
OK, unfortunately I cannot find any ready-made source for the exploit
And I dropped ash into my keyboard *grml* ...
I will carry on tomorrow, hopefully it will still be there...
