[nsp-sec] Merak Mail server, TCP/32000 scanning
Chris Calvert
Chris.Calvert at telus.com
Tue Sep 16 12:17:41 EDT 2008
We've seen what appears to be scanning behaviour from a few hosts,
geographically distributed, some running versions of 8.x of Merak mail
server. They're hitting a number of IP addresses on TCP/32000.
Is anyone familiar with Merak Mailserver (aka IceWarp)?
http://www.merakserver.ca
http://www.merakserver.ca/about_us/
http://www.icewarp.com/
http://www.icewarp.com/products/icewarp_email_server_software/index.php
Interestingly, there were vulnerabilities in older versions of Merak
relevant to that port in the past:
http://osvdb.org/9045
... And something a bit more recent:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4559
"Description
mail/include.html in IceWarp Web Mail 5.5.1, as used by Merak Mail Server
8.3.0r and VisNetic Mail Server version 8.3.0 build 1, does not properly
initialize the default_layout and layout_settings variables when an
unrecognized HTTP_USER_AGENT string is provided, which allows remote
attackers to access arbitrary files via a request with an unrecognized User
Agent that also specifies the desired default_layout and layout_settings
parameters."
Looks like TCP/32000 is the remote management port, and this could be
scanning for systems that could be leveraged as http proxies.
So far, we've seen hosts in Jerusalem (213.8.116.213, mail.mosesnet.net,
AS5486), Saudi Arabia (212.24.224.148, mail4.saudiconstco.com, AS29255), and
another in Australia (129.180.224.250, mail.unepartnerships.edu.au,
AS24101); all appear to be mail servers for at least one domain. Looking at
recent raw flows, we get a number of flows that are probably just ephemeral
port matches, but a few hosts are definitely looking for hosts listening on
TCP/3200.
129.180.224.250 mail.unepartnerships.edu.au.
Connected to 129.180.224.250.
+OK unepartnerships.edu.au Merak 8.0.3 POP3 Wed, 17 Sep 2008 01:45:49 +1000
<20080917014549 at unepartnerships.edu.au>
AS | IP | AS Name
24101 | 129.180.224.250 | UNE-AS-AP University of New England
213.8.116.213 mail.mosesnet.net.
Connected to 213.8.116.213.
+OK mail.mosesnet.net Merak 8.0.3 POP3 Tue, 16 Sep 2008 18:44:49 +0300
<20080916184449 at mail.mosesnet.net>
AS | IP | AS Name
5486 | 213.8.116.213 | SMILE-ASN Euronet Digital Communications, (1992) LTD, Israel
212.24.224.148 mail4.saudiconstco.com.
Connected to 212.24.224.148.
+OK wplesk.zajil.net Merak 8.3.6 POP3 Tue, 16 Sep 2008 18:44:24 +0300
<20080916184424 at wplesk.zajil.net>
AS | IP | AS Name
29255 | 212.24.224.148 | ZAJIL-AS ZAJIL Autonomous Number in Saudi Arabia
We're investigating for now, but can share some logs if someone in those
regions (or ISPs of the hosts) cares to investigate on their end.
Regards,
Chris
TELUS - ASN852
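The triage described in the post (separating genuine TCP/32000 probes from ephemeral-port coincidences in raw flow data, then identifying the software on the probing hosts from their POP3 greeting) can be scripted. The following is an added example and not code from the original post or from TELUS; it assumes unidirectional flow records exported as CSV with the columns shown, uses constructed sample flows in documentation address ranges, and treats a flow as a client-initiated probe only when the SYN flag is present and the destination port is 32000, so that return traffic to a client that merely picked 32000 as its source port is not counted:

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample flow records (not from the original post).
# Columns: src,sport,dst,dport,proto,pkts,flags
#   203.0.113.10  sends SYN-only flows to six different hosts on 32000 (a scanner)
#   192.0.2.80    is a web server replying to a client whose ephemeral port was 32000
#   203.0.113.20  touches only two hosts on 32000 (below the scan threshold)
#   203.0.113.30  completes one full session to 32000 (ordinary remote admin use)
SAMPLE_FLOWS = """\
src,sport,dst,dport,proto,pkts,flags
203.0.113.10,51001,198.51.100.1,32000,tcp,1,S
203.0.113.10,51002,198.51.100.2,32000,tcp,1,S
203.0.113.10,51003,198.51.100.3,32000,tcp,1,S
203.0.113.10,51004,198.51.100.4,32000,tcp,1,S
203.0.113.10,51005,198.51.100.5,32000,tcp,1,S
203.0.113.10,51006,198.51.100.6,32000,tcp,1,S
192.0.2.80,80,198.51.100.7,32000,tcp,12,PA
198.51.100.7,32000,192.0.2.80,80,tcp,10,PA
203.0.113.20,44100,198.51.100.8,32000,tcp,1,S
203.0.113.20,44101,198.51.100.9,32000,tcp,1,S
203.0.113.30,40000,198.51.100.10,32000,tcp,85,SPA
"""


def parse_flows(text):
    """Parse CSV flow export into a list of dicts; ports and packet counts become ints."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["sport"] = int(row["sport"])
        row["dport"] = int(row["dport"])
        row["pkts"] = int(row["pkts"])
        rows.append(row)
    return rows


def is_probe(flow, port):
    """A client-initiated TCP flow towards `port`: SYN set and dport matches.

    Reply flows for an ephemeral-port match (e.g. a web server answering a
    client that happened to use source port 32000) carry no SYN, so they
    are not counted.
    """
    return flow["proto"] == "tcp" and flow["dport"] == port and "S" in flow["flags"]


def find_port_scanners(flows, port=32000, min_targets=5):
    """Return {src: sorted distinct destinations} for sources that probed
    at least `min_targets` distinct hosts on `port`."""
    targets = defaultdict(set)
    for flow in flows:
        if is_probe(flow, port):
            targets[flow["src"]].add(flow["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


# Matches greetings of the form seen in the post: "+OK <host> Merak <version> POP3 ..."
BANNER_RE = re.compile(r"^\+OK (?P<host>\S+) Merak (?P<version>\d+(?:\.\d+)+) POP3\b")


def parse_pop3_banner(line):
    """Extract (hostname, Merak version) from a POP3 greeting, or None if it
    is not a Merak banner."""
    match = BANNER_RE.match(line)
    if not match:
        return None
    return match.group("host"), match.group("version")


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, dsts in find_port_scanners(flows).items():
        print(f"{src} probed {len(dsts)} hosts on TCP/32000: {', '.join(dsts)}")
    # Constructed banner in the same shape as the ones quoted in the post.
    banner = "+OK mail.example.net Merak 8.0.3 POP3 Tue, 16 Sep 2008 18:44:49 +0300 <x@mail.example.net>"
    print(parse_pop3_banner(banner))
```

The distinct-destination count is the key: a busy server will legitimately generate many flows with destination port 32000 when its clients pick that ephemeral port, but those flows lack SYN and are spread across many source ports, whereas a host sweeping a range shows one source, SYN-only flows, and many distinct destinations.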