Wasn't it SIMS Discussions [EMAIL PROTECTED] who once said...
[snip]
Date: Wed, 4 Feb 2004 10:36:48 -0500
From: Bill Cole <[EMAIL PROTECTED]>
Subject: Re: Log interpretation for strange SMTP session

At 9:04 AM -0600 2/4/04, NetHead imposed structure on a stream of electrons, yielding:
I was doing some review of my logs and stumbled upon a series of entries that has me baffled. Here is the log segment:
[snip]
17:06:19 4 SMTP-947(idfanet.idfa.org) Sending 'Password:'
17:06:19 4 SMTP-947(idfanet.idfa.org) Sending 334 UGFzc3dvcmQ6\r\n
17:06:19 5 SMTP-947(idfanet.idfa.org) OT 18 of 18 bytes sent, Flags=0
17:06:19 5 SMTP-947(idfanet.idfa.org) Received 18 bytes
17:06:19 4 SMTP-947(idfanet.idfa.org) Input Line: ZGV5enF3ZHlMZQ==\r
Bill, you da man!
But another quick question. Is it reasonable to assume then that the string, "Sending 334 UGFzc3dvcmQ6\r\n" is the password? If so, that is frightening. Even if it is an "encryption", that seems fairly crackable to someone with the proper knowledge and resources (and don't all these virus writers seem to have too much of both on their hands?).
This is actually a little more complex...
SIMS says "334 UGFzc3dvcmQ6" which is a prompt. If you base64 decode "UGFzc3dvcmQ6" you get the string "Password:". In response it gets the string "ZGV5enF3ZHlMZQ==" which decodes to "deyzqwdyLe".
Note that base64 is not encryption, it is transport armoring. It is used in the 'LOGIN' form of SMTP AUTH to assure that everything said by both sides is protected from any idiosyncrasies of transport or locale character limitations.
[...]
It looks like their MTA is set up to try AUTH all the time no matter what. Very dumb, but it does not look malicious. Note the "Resources open failed" line which indicates that they were trying to log in with a username that looks like an LDAP record. De-escaping that string results in "cn=mail-idfanet.idfa.org, cn=idfanet.idfa.org, ou=Netscape Servers, o=idfa.org"
De-escaping... that's a pretty neat trick. Do you have a tool that does that or did you just do it in your head?
I have to look at the ASCII table. Easy to find, since most Unix machines (including any OSX box) have a man page with it: 'man ascii' gets me the table and the only escaped characters there are repetitive so it's pretty easy to do 'by hand.'
{cn\3Dmail-idfanet.idfa.org\2C\20cn\3Didfanet.idfa.org\2C\20ou\3DNetscape\20Servers\2C\20o\3Didfa.org} AUTH failed: password(deyzqwdyLe) is wrong.
Looking at the string you reference, is the "deyzqwdyLe" merely an encryption of the password? Or the actual string transmitted as the password? Again, very scary!
That's the password. It is sent base64-encoded but that's the only protection.
Given that this mailing list is archived on the web, it becomes more important with every message in this thread that you contact whoever you know at IDFA and explain what they are doing, and that *AT LEAST* they need to change that password.
--
Bill Cole
[EMAIL PROTECTED]
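The two decoding steps Bill does by hand above, written out as an added example (not code from the thread or from SIMS): it pairs each "334" prompt in the log with the client's next "Input Line:" reply, base64-decodes both sides of the AUTH LOGIN exchange, and turns the \3D-style hex escapes in the logged LDAP DN back into characters. The sample log is constructed from the quoted excerpt; the Username: step and the "mailuser" value are assumptions, the Password: prompt and "deyzqwdyLe" reply are the values from the thread.

```python
import base64
import re
from typing import List, Optional, Tuple

# Constructed sample log, modelled on the SIMS excerpt quoted in the thread.
# The Username: line and the "mailuser" reply are constructed placeholders;
# the Password: prompt and the "deyzqwdyLe" reply are the values discussed above.
SAMPLE_LOG = """\
17:06:19 4 SMTP-947(idfanet.idfa.org) Sending 334 VXNlcm5hbWU6\\r\\n
17:06:19 4 SMTP-947(idfanet.idfa.org) Input Line: bWFpbHVzZXI=\\r
17:06:19 4 SMTP-947(idfanet.idfa.org) Sending 334 UGFzc3dvcmQ6\\r\\n
17:06:19 4 SMTP-947(idfanet.idfa.org) Input Line: ZGV5enF3ZHlMZQ==\\r
"""

# Server-side AUTH LOGIN prompt ("334 <base64>") and the client's reply line.
PROMPT_RE = re.compile(r"Sending 334 ([A-Za-z0-9+/=]+)")
REPLY_RE = re.compile(r"Input Line: ([A-Za-z0-9+/=]+)")
# Hex escapes (\3D, \2C, \20 ...) as they appear in the logged LDAP DN.
ESCAPE_RE = re.compile(r"\\([0-9A-Fa-f]{2})")


def b64_text(token: str) -> str:
    """Decode one base64 token; base64 is armouring, not encryption, so this is lossless."""
    return base64.b64decode(token, validate=True).decode("utf-8", errors="replace")


def decode_auth_login(log: str) -> List[Tuple[str, str]]:
    """Pair each 334 prompt with the client's next reply and decode both sides.

    Returns [(prompt_text, reply_text), ...]; a reply with no pending prompt is skipped.
    """
    pairs: List[Tuple[str, str]] = []
    pending: Optional[str] = None
    for line in log.splitlines():
        m = PROMPT_RE.search(line)
        if m:
            pending = b64_text(m.group(1))
            continue
        m = REPLY_RE.search(line)
        if m and pending is not None:
            pairs.append((pending, b64_text(m.group(1))))
            pending = None
    return pairs


def unescape_dn(escaped: str) -> str:
    """Replace \\XX hex escapes with the character they stand for (the 'man ascii' step)."""
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), escaped)


if __name__ == "__main__":
    for prompt, reply in decode_auth_login(SAMPLE_LOG):
        print(prompt, reply)
    print(unescape_dn(r"cn\3Dmail-idfanet.idfa.org\2C\20ou\3DNetscape\20Servers\2C\20o\3Didfa.org"))
```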
