[nsp-sec] Merak Mail server, TCP/32000 scanning

Chris Calvert Chris.Calvert at telus.com
Tue Sep 16 17:00:55 EDT 2008


That is pretty much where we were at a while ago, starting to see some traffic, checked out the trend at SANS, and identified possible links to some old vulnerabilities.  The Merak/IceWarp angle is new, and discovered when another trend emerged: it appears that there is more scanning activity from the Middle East.

Right now, the pet theory is that these hosts are compromised and being used to scan for other hosts to use as proxies, etc.

Some of the scanning is typical SYN probes, while there is some evidence of xmas tree scanning.

ATLAS has some nice detail on this... All three hosts I mentioned are in the top 5.  We've also picked up the #1 and #2 scanning source. 

Chris

> -----Original Message-----
> From: Smith, Donald [mailto:Donald.Smith at qwest.com] 
> Sent: Tuesday, September 16, 2008 1:24 PM
> To: Chris Calvert; nsp-security at puck.nether.net
> Subject: RE: [nsp-sec] Merak Mail server, TCP/32000 scanning
> 
> Chris, I have seen something like this in the past reported to the
> handlers group and recall googling about it but not reaching a
> conclusion.
> 
> However when I looked at the ports list at isc.sans.org I see several
> LARGE spikes in targets while sources are a bit spiky but range in the
> 6-30 range.
> http://isc.sans.org/port.html?port=32000
> 
> # portascii.html 
> # Start Date: 2008-08-17 
> # End Date: 2008-09-16
> # Port: 32000
> # created: Tue, 16 Sep 2008 19:19:25 +0000
> # Date in GMT. YYYY-MM-DD format.
> 
> date	records	targets	sources	tcpratio
> 2008-08-17	4240	2474	28	100
> 2008-08-18	28986	24043	22	100
> 2008-08-19	1127	374	24	100
> 2008-08-20	801	275	26	80
> 2008-08-21	1097	476	21	100
> 2008-08-22	827	364	24	100
> 2008-08-23	424	193	13	100
> 2008-08-24	561	274	15	100
> 2008-08-25	753	253	17	100
> 2008-08-26	669	226	19	100
> 2008-08-27	766	233	23	100
> 2008-08-28	709	223	19	100
> 2008-08-29	894	195	19	100
> 2008-08-30	433	152	21	99
> 2008-08-31	624	138	21	100
> 2008-09-01	664	183	28	100
> 2008-09-02	5782	1850	23	100
> 2008-09-03	1552	336	24	100
> 2008-09-04	1073	278	25	100
> 2008-09-05	1108	361	24	100
> 2008-09-06	1187	650	23	100
> 2008-09-07	1911	502	24	100
> 2008-09-08	1315	294	24	98
> 2008-09-09	21751	20173	30	100
> 2008-09-10	1614	535	27	100
> 2008-09-11	986	294	28	100
> 2008-09-12	2227	1402	22	100
> 2008-09-13	807	339	25	100
> 2008-09-14	1089	243	31	100
> 2008-09-15	1036	241	31	100
> 2008-09-16	409	131	23	99
> # (c) SANS Inst. / DShield. some rights reserved.
> # Creative Commons ShareAlike License 2.5
> # http://creativecommons.org/licenses/by-nc-sa/2.5/  
> 
> Security through obscurity WORKS against some worms and ssh attacks:)
> Donald.Smith at qwest.com giac 
> 
> > -----Original Message-----
> > From: nsp-security-bounces at puck.nether.net 
> > [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of 
> > Chris Calvert
> > Sent: Tuesday, September 16, 2008 10:18 AM
> > To: nsp-security at puck.nether.net
> > Subject: [nsp-sec] Merak Mail server, TCP/32000 scanning
> > 
> > We've seen what appears to be scanning behaviour from a few hosts,
> > geographically distributed, some running versions of 8.x of Merak mail
> > server.  They're hitting a number of IP addresses on TCP/32000.
> > 
> > Is anyone familiar with Merak Mailserver (aka IceWarp)?
> > 
> > http://www.merakserver.ca
> > http://www.merakserver.ca/about_us/
> > http://www.icewarp.com/
> > http://www.icewarp.com/products/icewarp_email_server_software/index.php
> > 
> > Interestingly, there were vulnerabilities in older versions of Merak
> > relevant to that port in the past:
> > http://osvdb.org/9045
> > 
> > ... And something a bit more recent:
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4559
> > 
> > "Description
> > mail/include.html in IceWarp Web Mail 5.5.1, as used by Merak Mail Server
> > 8.3.0r and VisNetic Mail Server version 8.3.0 build 1, does not properly
> > initialize the default_layout and layout_settings variables when an
> > unrecognized HTTP_USER_AGENT string is provided, which allows remote
> > attackers to access arbitrary files via a request with an unrecognized
> > User Agent that also specifies the desired default_layout and
> > layout_settings parameters."
> > 
> > Looks like TCP/32000 is the remote management port, and this could be
> > scanning for systems that could be leveraged as http proxies.
> > 
> > So far, we've seen hosts in Jerusalem (213.8.116.213, mail.mosesnet.net,
> > AS5486), Saudi Arabia (212.24.224.148, mail4.saudiconstco.com, AS29255),
> > and another in Australia (129.180.224.250, mail.unepartnerships.edu.au,
> > AS24101); all appear to be mailservers for at least one domain.  Looking
> > at recent raw flows, we get a number of flows that are probably just
> > ephemeral port matches, but a few hosts are definitely looking for hosts
> > listening on TCP/32000.
> > 
> > 129.180.224.250 mail.unepartnerships.edu.au.
> > Connected to 129.180.224.250.
> > +OK unepartnerships.edu.au Merak 8.0.3 POP3 Wed, 17 Sep 2008 01:45:49 +1000
> > <20080917014549 at unepartnerships.edu.au>
> > 
> > AS      | IP               | AS Name
> > 24101   | 129.180.224.250  | UNE-AS-AP University of New England
> > 
> > 213.8.116.213 mail.mosesnet.net.
> > Connected to 213.8.116.213.
> > +OK mail.mosesnet.net Merak 8.0.3 POP3 Tue, 16 Sep 2008 18:44:49 +0300
> > <20080916184449 at mail.mosesnet.net>
> > 
> > AS      | IP               | AS Name
> > 5486    | 213.8.116.213    | SMILE-ASN Euronet Digital Communications, (1992) LTD, Israel
> > 
> > 212.24.224.148 mail4.saudiconstco.com.
> > Connected to 212.24.224.148.
> > +OK wplesk.zajil.net Merak 8.3.6 POP3 Tue, 16 Sep 2008 18:44:24 +0300
> > <20080916184424 at wplesk.zajil.net>
> > 
> > AS      | IP               | AS Name
> > 29255   | 212.24.224.148   | ZAJIL-AS ZAJIL Autonomous Number in Saudi Arabia
> > 
> > We're investigating for now, but can share some logs if someone in those
> > regions (or ISPs of the hosts) cares to investigate on their end.
> > 
> > Regards,
> > 
> > Chris
> > TELUS - ASN852
> > ----------- nsp-security Confidential --------
> > 
> > 
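As an added example (not code from the thread, from SANS ISC or from DShield), the Python script below parses the DShield portascii export Donald quoted and flags the days he describes as large spikes in targets, while checking that the source count stays in a narrow band. The rows are copied from the quoted table; the choice of the window median as the baseline, the 5x spike factor and the function names are assumptions made for this example.

```python
"""Flag spike days in a DShield "portascii" port report.

Added example for this thread; it is not DShield's, SANS ISC's or the
list's own code. The rows below are copied from the TCP/32000 table
quoted in the message above (columns: date, records, targets, sources,
tcpratio). DShield emits them tab-separated; split() accepts tabs or
spaces, so the copy here uses spaces for readability.
"""
from dataclasses import dataclass
from statistics import median
from typing import List, Tuple

PORTASCII = """\
# portascii.html
# Port: 32000
# Date in GMT. YYYY-MM-DD format.
date records targets sources tcpratio
2008-08-17 4240 2474 28 100
2008-08-18 28986 24043 22 100
2008-08-19 1127 374 24 100
2008-08-20 801 275 26 80
2008-08-21 1097 476 21 100
2008-08-22 827 364 24 100
2008-08-23 424 193 13 100
2008-08-24 561 274 15 100
2008-08-25 753 253 17 100
2008-08-26 669 226 19 100
2008-08-27 766 233 23 100
2008-08-28 709 223 19 100
2008-08-29 894 195 19 100
2008-08-30 433 152 21 99
2008-08-31 624 138 21 100
2008-09-01 664 183 28 100
2008-09-02 5782 1850 23 100
2008-09-03 1552 336 24 100
2008-09-04 1073 278 25 100
2008-09-05 1108 361 24 100
2008-09-06 1187 650 23 100
2008-09-07 1911 502 24 100
2008-09-08 1315 294 24 98
2008-09-09 21751 20173 30 100
2008-09-10 1614 535 27 100
2008-09-11 986 294 28 100
2008-09-12 2227 1402 22 100
2008-09-13 807 339 25 100
2008-09-14 1089 243 31 100
2008-09-15 1036 241 31 100
2008-09-16 409 131 23 99
"""


@dataclass(frozen=True)
class DayRow:
    date: str
    records: int
    targets: int
    sources: int
    tcpratio: int

    @property
    def targets_per_source(self) -> float:
        # Average number of distinct targets each reporting sensor saw that day.
        return self.targets / self.sources if self.sources else 0.0


def parse_portascii(text: str) -> List[DayRow]:
    """Parse the export, skipping '#' comment lines and the column header."""
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("date"):
            continue
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"unexpected portascii row: {raw!r}")
        date, records, targets, sources, tcpratio = fields
        rows.append(DayRow(date, int(records), int(targets), int(sources), int(tcpratio)))
    return rows


def baseline_targets(rows: List[DayRow]) -> float:
    """Window median of the targets column.

    The median, not the mean, is the baseline: the spike days would
    otherwise pull the average up and hide each other.
    """
    return median(r.targets for r in rows)


def spike_days(rows: List[DayRow], factor: float = 5.0) -> List[DayRow]:
    """Days whose target count exceeds `factor` times the window median (assumed factor)."""
    if not rows:
        return []
    baseline = baseline_targets(rows)
    return [r for r in rows if r.targets > factor * baseline]


def source_range(rows: List[DayRow]) -> Tuple[int, int]:
    """Smallest and largest daily source count, to confirm sources stay in a narrow band."""
    counts = [r.sources for r in rows]
    return (min(counts), max(counts))


if __name__ == "__main__":
    rows = parse_portascii(PORTASCII)
    print(f"{len(rows)} days, median targets/day = {baseline_targets(rows):.0f}, "
          f"sources per day in {source_range(rows)}")
    for r in spike_days(rows):
        print(f"{r.date}: {r.targets} targets from {r.sources} sources "
              f"({r.targets_per_source:.0f} targets per source)")
```

The targets-per-source figure is the useful one for triage: a day where a couple of dozen sensors each report hundreds of targets from the same port points at a handful of sweeping hosts rather than at a broad, noisy background, which is what the raw-flow look in Chris's message also suggests.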


