[nsp-sec] Merak Mail server, TCP/32000 scanning

Smith, Donald Donald.Smith at qwest.com
Tue Sep 16 15:24:08 EDT 2008


Chris, I have seen something like this in the past reported to the
handlers group and recall googling about it but not reaching a
conclusion.

However, when I looked at the port report at isc.sans.org, I see several
LARGE spikes in targets, while sources are a bit spiky but stay in the
6-30 range.
http://isc.sans.org/port.html?port=32000

# portascii.html 
# Start Date: 2008-08-17 
# End Date: 2008-09-16
# Port: 32000
# created: Tue, 16 Sep 2008 19:19:25 +0000
# Date in GMT. YYYY-MM-DD format.

date	records	targets	sources	tcpratio
2008-08-17	4240	2474	28	100
2008-08-18	28986	24043	22	100
2008-08-19	1127	374	24	100
2008-08-20	801	275	26	80
2008-08-21	1097	476	21	100
2008-08-22	827	364	24	100
2008-08-23	424	193	13	100
2008-08-24	561	274	15	100
2008-08-25	753	253	17	100
2008-08-26	669	226	19	100
2008-08-27	766	233	23	100
2008-08-28	709	223	19	100
2008-08-29	894	195	19	100
2008-08-30	433	152	21	99
2008-08-31	624	138	21	100
2008-09-01	664	183	28	100
2008-09-02	5782	1850	23	100
2008-09-03	1552	336	24	100
2008-09-04	1073	278	25	100
2008-09-05	1108	361	24	100
2008-09-06	1187	650	23	100
2008-09-07	1911	502	24	100
2008-09-08	1315	294	24	98
2008-09-09	21751	20173	30	100
2008-09-10	1614	535	27	100
2008-09-11	986	294	28	100
2008-09-12	2227	1402	22	100
2008-09-13	807	339	25	100
2008-09-14	1089	243	31	100
2008-09-15	1036	241	31	100
2008-09-16	409	131	23	99
# (c) SANS Inst. / DShield. some rights reserved.
# Creative Commons ShareAlike License 2.5
# http://creativecommons.org/licenses/by-nc-sa/2.5/  

Security through obscurity WORKS against some worms and ssh attacks:)
Donald.Smith at qwest.com giac 
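The DShield figures quoted above, as an added example that is not part of the original post: a small parser for the portascii export format and a check that flags the days whose target count jumps while the source count stays flat. The rows embedded below are a subset of those pasted in the message; the 4x-median threshold is an assumption, not a DShield setting.

```python
from __future__ import annotations

import statistics
from typing import NamedTuple

# Subset of the portascii rows quoted in the thread for port 32000
# (the whitespace-separated layout here replaces the tabs in the export).
PORTASCII = """\
# Port: 32000
date records targets sources tcpratio
2008-08-17 4240 2474 28 100
2008-08-18 28986 24043 22 100
2008-08-19 1127 374 24 100
2008-08-20 801 275 26 80
2008-08-21 1097 476 21 100
2008-08-22 827 364 24 100
2008-08-23 424 193 13 100
2008-08-24 561 274 15 100
2008-09-01 664 183 28 100
2008-09-02 5782 1850 23 100
2008-09-03 1552 336 24 100
2008-09-04 1073 278 25 100
2008-09-05 1108 361 24 100
2008-09-06 1187 650 23 100
2008-09-07 1911 502 24 100
2008-09-08 1315 294 24 98
2008-09-09 21751 20173 30 100
2008-09-10 1614 535 27 100
2008-09-11 986 294 28 100
2008-09-12 2227 1402 22 100
"""


class DayRow(NamedTuple):
    date: str
    records: int
    targets: int
    sources: int
    tcpratio: int


def parse_portascii(text: str) -> list[DayRow]:
    """Parse a DShield portascii export: '#' comment lines, one header line
    starting with 'date', then one row per day."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("date"):
            continue
        date, records, targets, sources, tcpratio = line.split()
        rows.append(DayRow(date, int(records), int(targets), int(sources), int(tcpratio)))
    return rows


def find_target_spikes(rows: list[DayRow], factor: float = 4.0) -> list[tuple]:
    """Return (date, targets, ratio_to_median, targets_per_source) for days whose
    target count is at least `factor` times the median for the period (factor is
    an assumed threshold).  Targets jumping by an order of magnitude while the
    source count stays in the twenties means a handful of hosts each swept many
    addresses, which is what a scan looks like in this data, as opposed to many
    sources each touching a few targets."""
    median = statistics.median(r.targets for r in rows)
    spikes = []
    for r in rows:
        ratio = r.targets / median
        if ratio >= factor:
            spikes.append((r.date, r.targets, round(ratio, 1), round(r.targets / r.sources, 1)))
    return spikes


if __name__ == "__main__":
    for date, targets, ratio, per_source in find_target_spikes(parse_portascii(PORTASCII)):
        print(f"{date}: {targets} targets ({ratio}x median, {per_source} targets/source)")
```

The targets-per-source column is the number to look at when deciding whether a spike is a sweep by a few hosts or broad background noise; on the two big days it is several hundred targets per reporting source.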

> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net 
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of 
> Chris Calvert
> Sent: Tuesday, September 16, 2008 10:18 AM
> To: nsp-security at puck.nether.net
> Subject: [nsp-sec] Merak Mail server, TCP/32000 scanning
> 
We've seen what appears to be scanning behaviour from a few hosts,
geographically distributed, some running 8.x versions of Merak mail
server.  They're hitting a number of IP addresses on TCP/32000.

Is anyone familiar with Merak Mailserver (aka IceWarp)?

http://www.merakserver.ca
http://www.merakserver.ca/about_us/
http://www.icewarp.com/
http://www.icewarp.com/products/icewarp_email_server_software/index.php

Interestingly, there were vulnerabilities in older versions of Merak
relevant to that port in the past:
http://osvdb.org/9045

... And something a bit more recent:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4559

"Description
mail/include.html in IceWarp Web Mail 5.5.1, as used by Merak Mail
Server
8.3.0r and VisNetic Mail Server version 8.3.0 build 1, does not properly
initialize the default_layout and layout_settings variables when an
unrecognized HTTP_USER_AGENT string is provided, which allows remote
attackers to access arbitrary files via a request with an unrecognized
User
Agent that also specifies the desired default_layout and layout_settings
parameters. "

Looks like TCP/32000 is the remote management port, and this could be
scanning for systems that could be leveraged as http proxies.

So far, we've seen hosts in Jerusalem (213.8.116.213, mail.mosesnet.net,
AS5486), Saudi Arabia (212.24.224.148, mail4.saudiconstco.com, AS29255),
and another in Australia (129.180.224.250, mail.unepartnerships.edu.au,
AS24101); all appear to be mailservers for at least one domain.  Looking
at recent raw flows, we get a number of flows that are probably just
ephemeral port matches, but a few hosts are definitely looking for hosts
listening on TCP/32000.

129.180.224.250 mail.unepartnerships.edu.au. 
Connected to 129.180.224.250.
+OK unepartnerships.edu.au Merak 8.0.3 POP3 Wed, 17 Sep 2008 01:45:49 +1000
<20080917014549 at unepartnerships.edu.au>

AS      | IP               | AS Name
24101   | 129.180.224.250  | UNE-AS-AP University of New England

213.8.116.213 mail.mosesnet.net.
Connected to 213.8.116.213.
+OK mail.mosesnet.net Merak 8.0.3 POP3 Tue, 16 Sep 2008 18:44:49 +0300
<20080916184449 at mail.mosesnet.net>

AS      | IP               | AS Name
5486    | 213.8.116.213    | SMILE-ASN Euronet Digital Communications, (1992) LTD, Israel

212.24.224.148 mail4.saudiconstco.com.
Connected to 212.24.224.148.
+OK wplesk.zajil.net Merak 8.3.6 POP3 Tue, 16 Sep 2008 18:44:24 +0300
<20080916184424 at wplesk.zajil.net>

AS      | IP               | AS Name
29255   | 212.24.224.148   | ZAJIL-AS ZAJIL Autonomous Number in Saudi Arabia

We're investigating for now, but can share some logs if someone in those
regions (or ISPs of the hosts) cares to investigate on their end.

Regards,

Chris
TELUS - ASN852
> ----------- nsp-security Confidential --------
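The flow triage Chris describes (separating ephemeral-port coincidences from hosts genuinely probing for TCP/32000 listeners), as an added example that is not part of the original thread. The flow records below are constructed sample data using documentation address ranges, not the TELUS flows; the field layout, the SYN-only test and the three-distinct-targets threshold are assumptions.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

TARGET_PORT = 32000  # the port under discussion in the thread

# Constructed sample flows (not real data): src sport dst dport flags packets
# - 203.0.113.7 and 203.0.113.9 send single SYNs to many hosts on 32000
# - 192.0.2.20 / 192.0.2.21 merely picked 32000 as their ephemeral source port
# - 192.0.2.30 has an established session to one host's port 32000
# - 192.0.2.40 sent one SYN to one host, too little to call a scan
FLOWS = """\
203.0.113.7 41000 198.51.100.1 32000 S 1
203.0.113.7 41001 198.51.100.2 32000 S 1
203.0.113.7 41002 198.51.100.3 32000 S 1
203.0.113.7 41003 198.51.100.4 32000 S 1
203.0.113.7 41004 198.51.100.5 32000 S 1
203.0.113.7 41005 198.51.100.6 32000 S 1
203.0.113.9 52000 198.51.100.11 32000 S 1
203.0.113.9 52001 198.51.100.12 32000 S 1
203.0.113.9 52002 198.51.100.13 32000 S 1
203.0.113.9 52003 198.51.100.14 32000 S 1
192.0.2.20 32000 198.51.100.50 80 PA 12
192.0.2.21 32000 198.51.100.51 25 S 1
192.0.2.30 55000 198.51.100.60 32000 PA 30
192.0.2.40 56000 198.51.100.61 32000 S 1
"""


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # TCP flags as letters, e.g. "S" (SYN only) or "PA"
    packets: int


def parse_flows(text: str) -> list[Flow]:
    """Parse the assumed whitespace-separated flow layout, skipping comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, sport, dst, dport, flags, packets = line.split()
        flows.append(Flow(src, int(sport), dst, int(dport), flags, int(packets)))
    return flows


def is_ephemeral_match(f: Flow) -> bool:
    """32000 appears only as the *source* port: a client that happened to draw
    32000 from its ephemeral range.  Says nothing about port-32000 listeners."""
    return f.sport == TARGET_PORT and f.dport != TARGET_PORT


def is_probe(f: Flow) -> bool:
    """SYN-only flow towards dport 32000: a connection attempt that never
    completed, which is what a sweep for listeners looks like in flow data."""
    return f.dport == TARGET_PORT and "S" in f.flags and "A" not in f.flags


def find_scanners(flows: list[Flow], min_targets: int = 3) -> dict[str, list[str]]:
    """Map each source that probed at least `min_targets` distinct hosts on
    TCP/32000 to the sorted list of hosts it probed (threshold is assumed)."""
    targets: dict[str, set[str]] = defaultdict(set)
    for f in flows:
        if is_probe(f):
            targets[f.src].add(f.dst)
    return {src: sorted(d) for src, d in targets.items() if len(d) >= min_targets}


def summarize(flows: list[Flow]) -> dict[str, int]:
    """Count flows by the three buckets the triage cares about."""
    counts = {"ephemeral": 0, "probe": 0, "other": 0}
    for f in flows:
        if is_ephemeral_match(f):
            counts["ephemeral"] += 1
        elif is_probe(f):
            counts["probe"] += 1
        else:
            counts["other"] += 1
    return counts


if __name__ == "__main__":
    flows = parse_flows(FLOWS)
    print(summarize(flows))
    for src, dsts in find_scanners(flows).items():
        print(f"{src} probed {len(dsts)} hosts on TCP/{TARGET_PORT}: {', '.join(dsts)}")
```

The established session to 198.51.100.60 and the lone SYN from 192.0.2.40 both land in the "not a scan" pile; only the sources fanning out across several destinations with half-open connections get reported, which is the set you would hand to the owning ISPs.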

