Wasn't it SIMS Discussions [EMAIL PROTECTED] who once said...
>Date: Wed, 4 Feb 2004 10:36:48 -0500
>From: Bill Cole <[EMAIL PROTECTED]>
>Subject: Re: Log interpretation for strange SMTP session
>
>
>At 9:04 AM -0600 2/4/04, NetHead imposed structure on a stream of
>electrons, yielding:
>>I was doing some review of my logs and stumbled upon a series of entries
>>that has me baffled. Here is the log segment:
>>
[snip]
>>17:06:19 4 SMTP-947(idfanet.idfa.org) Sending 'Password:'
>>17:06:19 4 SMTP-947(idfanet.idfa.org) Sending 334 UGFzc3dvcmQ6\r\n
>>17:06:19 5 SMTP-947(idfanet.idfa.org) OT 18 of 18 bytes sent, Flags=0
>>17:06:19 5 SMTP-947(idfanet.idfa.org) Received 18 bytes
>>17:06:19 4 SMTP-947(idfanet.idfa.org) Input Line: ZGV5enF3ZHlMZQ==\r
[snip]
Bill, you da man!
But another quick question. Is it reasonable to assume then that the
string "Sending 334 UGFzc3dvcmQ6\r\n" is the password? If so, that is
frightening. Even if it is an "encryption", that seems fairly crackable
to someone with the proper knowledge and resources (and don't all these
virus writers seem to have too much of both on their hands?).
[snip]
>
>It looks like their MTA is set up to try AUTH all the time no matter
>what. Very dumb, but it does not look malicious. Note the "Resources
>open failed" line which indicates that they were trying to log in
>with a username that looks like an LDAP record. De-escaping that
>string results in "cn=mail-idfanet.idfa.org, cn=idfanet.idfa.org,
>ou=Netscape Servers, o=idfa.org"
>
De-escaping... that's a pretty neat trick. Do you have a tool that does
that or did you just do it in your head?
>{cn\3Dmail-idfanet.idfa.org\2C\20cn\3Didfanet.idfa.org\2C\20ou\3DNetscape\20Servers\2C\20o\3Didfa.org} AUTH failed: password(deyzqwdyLe) is wrong.
Looking at the string you reference, is the "deyzqwdyLe" merely an
encryption of the password? Or the actual string transmitted as the
password? Again, very scary!
[snip]
Thanks so much, Bill!
================================================
| Doug Starkey |
| Network Administrator |
| Pecan Deluxe Candy Company |
| 2570 Lone Star Drive |
| Dallas, TX 75212-6308 |
| e-mail: [EMAIL PROTECTED] |
| voice: 214-631-3669 Ext. 108 |
| fax: 214-631-5833 |
================================================
#############################################################
This message is sent to you because you are subscribed to
the mailing list <[EMAIL PROTECTED]>.
To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
Send administrative queries to <[EMAIL PROTECTED]>
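The two questions in the thread (what the "334 UGFzc3dvcmQ6" line is, and how the LDAP-looking username was "de-escaped") can both be answered mechanically. The script below is an added example, not code from the thread or from the mail server being discussed. It takes the SMTP-947 lines quoted above as constructed sample input, decodes the AUTH LOGIN tokens with the standard library, un-escapes the `\XX` hex sequences in the username the same way Bill did, and adds a small redaction helper for the defensive side: since AUTH LOGIN is base64 encoding and not encryption, a verbose SMTP log holds the credential in plain sight and should be masked before it is retained or forwarded. The function names and the `[REDACTED]` marker are my own choices.

```python
import base64
import re

# Constructed sample input: the SMTP-947 session lines quoted in the thread.
# The logger writes the trailing CR/LF as the literal characters "\r\n".
LOG_LINES = [
    r"17:06:19 4 SMTP-947(idfanet.idfa.org) Sending 334 UGFzc3dvcmQ6\r\n",
    r"17:06:19 5 SMTP-947(idfanet.idfa.org) OT 18 of 18 bytes sent, Flags=0",
    r"17:06:19 5 SMTP-947(idfanet.idfa.org) Received 18 bytes",
    r"17:06:19 4 SMTP-947(idfanet.idfa.org) Input Line: ZGV5enF3ZHlMZQ==\r",
]

# The escaped username from the "AUTH failed" line quoted in the thread.
ESCAPED_USERNAME = (
    r"cn\3Dmail-idfanet.idfa.org\2C\20cn\3Didfanet.idfa.org\2C\20ou\3DNetscape"
    r"\20Servers\2C\20o\3Didfa.org"
)

# A base64 token: alphabet characters followed by optional '=' padding.
_B64_TOKEN = r"([A-Za-z0-9+/]+=*)"
_SERVER_RE = re.compile(r"Sending 334 " + _B64_TOKEN)   # server challenge
_CLIENT_RE = re.compile(r"Input Line: " + _B64_TOKEN)   # client response
_HEX_ESC = re.compile(r"\\([0-9A-Fa-f]{2})")            # \3D, \2C, \20, ...


def decode_auth_login(lines):
    """Decode every AUTH LOGIN challenge/response found in a log excerpt.

    Returns a list of (direction, raw_base64, decoded_text). Base64 is a
    reversible encoding with no key, so this is all that "cracking" takes.
    """
    found = []
    for line in lines:
        for direction, rx in (("server", _SERVER_RE), ("client", _CLIENT_RE)):
            m = rx.search(line)
            if m:
                raw = m.group(1)
                text = base64.b64decode(raw).decode("utf-8", errors="replace")
                found.append((direction, raw, text))
    return found


def unescape_ldap_dn(s):
    """Replace \\XX hex escapes with the characters they stand for
    (\\3D is '=', \\2C is ',', \\20 is a space)."""
    return _HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), s)


def redact_auth_tokens(lines):
    """Mask the client's AUTH LOGIN responses before a log is kept or shared.

    The server's 334 challenge only encodes a prompt ("Username:" or
    "Password:"), so it is left alone; the client's reply is the secret.
    """
    return [_CLIENT_RE.sub("Input Line: [REDACTED]", line) for line in lines]


if __name__ == "__main__":
    for direction, raw, text in decode_auth_login(LOG_LINES):
        print(f"{direction:>6}: {raw} -> {text!r}")
    print("username:", unescape_ldap_dn(ESCAPED_USERNAME))
    for line in redact_auth_tokens(LOG_LINES):
        print(line)
```

Run as-is, it shows that the server's "334 UGFzc3dvcmQ6" is just the prompt "Password:" and that the client's "ZGV5enF3ZHlMZQ==" reply decodes to the very string the later "AUTH failed" line prints, which is why a debug-level SMTP log deserves the same access controls as the credential store itself. The regexes are tied to this logger's "Sending 334" / "Input Line:" phrasing; another MTA will need its own patterns.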