Wireshark Hacker Discovery Tour-Broiler mail server

Source: Internet
Author: User

Poly Front Lab, 2015/07/06 10:45

0x00 Background

A broiler, also called a puppet machine, is a machine that can be remotely controlled by a hacker. Once a machine becomes a broiler it can be exploited by the attacker: stealing data, launching further attacks, causing damage, and so on. Below, Wireshark is used to learn about one use of a broiler: an advertising spam sending station.

0x01 Finding the problem

During a security check of an enterprise server cluster, one of the customer's servers (10.190.214.130) was found to be behaving abnormally; judging from its communication behaviour it should have been an idle server. After a period of packet capture, the protocol statistics showed that the traffic was basically all SMTP.

SMTP is the protocol used to transfer mail. It normally appears in two scenarios:

1. A user sending mail.

2. Normal communication between mail servers.

This IP address belongs to a server, so it is certainly not an individual user sending mail from a PC.

So is this a mail server? If so, why is there only SMTP, and no POP3, HTTP, IMAP and so on?

With these questions in mind, we gathered statistics on IP addresses, ports and other information:

The statistics show that all of the communication is SMTP traffic with 61.158.163.126 (Sanmenxia, Henan), and that the server (10.190.214.130) has TCP port 25 open, so it is indeed acting as a mail server.

At this point many security analysts, and most monitoring software, stop. The IP looks reasonable, the logic looks reasonable, and attacks rarely ride on the SMTP protocol, so it is taken for normal mail communication. Unfortunately, that means missing a medium-severity security incident.

Professional instinct told me this was not a legitimate mail server. It was time to analyze the application layer and look at its communication behaviour, starting with the data of the SMTP login process.

The data shows a successful mailbox login; right-click and choose Follow TCP Stream to see the complete login exchange.

    334 VXNlcm5hbWU6                 // Base64 decodes to "Username:"
    YWRtaW4=                         // user name entered by the client, Base64 decodes to "admin"
    334 UGFzc3dvcmQ6                 // Base64 decodes to "Password:"
    YWRtaW4=                         // password entered by the client, Base64 decodes to "admin"
    235 authentication successful.   // authentication successful
    mail From:<[email protected]>     // mail sent from ...

This data shows that 61.158.163.126 logged in to the mail server 10.190.214.30 over SMTP with the user name admin and the password admin; the mail server's domain is @system.mail, and it sends mail as [email protected].
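The decoding above can be automated for every session in a capture. The following is an added example, not code from the original article: it takes the text of one Follow TCP Stream (a constructed sample modelled on the exchange above, with placeholder addresses), decodes the AUTH LOGIN prompts and answers, records the envelope sender and recipients, and flags a login with default credentials.

```python
import base64

# Constructed "Follow TCP Stream" text for one SMTP session, modelled on the
# exchange in the article; addresses are placeholders, server 250 replies omitted.
SAMPLE_SESSION = """\
AUTH LOGIN
334 VXNlcm5hbWU6
YWRtaW4=
334 UGFzc3dvcmQ6
YWRtaW4=
235 authentication successful
MAIL FROM:<sender@system.mail>
RCPT TO:<user1@example.invalid>
RCPT TO:<user2@example.invalid>
"""

# Default credential pairs that should never authenticate on a mail server.
DEFAULT_CREDS = {("admin", "admin"), ("root", "root"), ("test", "test")}

def b64(text):
    return base64.b64decode(text).decode("utf-8", "replace")

def addr(line):
    # Extract the <address> from a MAIL FROM / RCPT TO command.
    return line.split("<", 1)[1].split(">", 1)[0] if "<" in line else None

def analyse_session(transcript):
    # Decode the AUTH LOGIN exchange and collect the envelope sender and recipients.
    lines = [l.strip() for l in transcript.splitlines() if l.strip()]
    r = {"user": None, "password": None, "auth_ok": False,
         "mail_from": None, "rcpt_to": [], "findings": []}
    for i, line in enumerate(lines):
        # "334 <base64>" is the server prompt ("Username:" / "Password:");
        # the client's next line is the base64-encoded answer.
        if line.startswith("334 ") and i + 1 < len(lines):
            prompt = b64(line[4:]).lower()
            if prompt.startswith("username"):
                r["user"] = b64(lines[i + 1])
            elif prompt.startswith("password"):
                r["password"] = b64(lines[i + 1])
        elif line.startswith("235"):  # authentication accepted
            r["auth_ok"] = True
        elif line.upper().startswith("MAIL FROM:"):
            r["mail_from"] = addr(line)
        elif line.upper().startswith("RCPT TO:"):
            r["rcpt_to"].append(addr(line))
    if r["auth_ok"] and (r["user"], r["password"]) in DEFAULT_CREDS:
        r["findings"].append("default credentials accepted over SMTP AUTH LOGIN")
    return r
```

Feeding it the text of each tcp.stream exported from Wireshark (or from tshark -z follow) turns the manual check into a per-session list of who logged in, as whom, and to how many recipients.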

One look at the user name, password and mailbox reveals the problem:

1. The admin account would not be used for administration by logging in from the Internet.

2. Only a fool of an administrator would set the admin account's password to admin.

3. The domain @system.mail has no relation with the customer.

Obviously, this is a controlled mail server: a "broiler mail server".

0x02 Behavior tracking

Having found the problem, the next step is to track its behaviour: what exactly is the broiler server doing? The complete Follow TCP Stream output shows that this is a bulk mailing from [email protected]; the recipients include [email protected], [email protected], [email protected] and about ten others (the QQ mailboxes are temporarily erased, for the reason given at the end), and the message body is short.

To see the full message content, click Save As to save the stream as x.eml and open it with a mail client such as Outlook.

One look at the mail and every mystery is solved. The message is "Qiao Tiger" advertising spam: the attacker took control of the server and set up a mail server to use it as a spam sending station. Restoring some of the other messages in the same way:

The message content is exactly the same. From the earlier figure, during the short monitoring window the SMTP protocol had dozens of sessions, meaning dozens of messages were sent, involving hundreds of recipient mailboxes. The link http://url7.me/HnhV1 in the message redirects to the advertising page of the Qiao Tiger product when opened.

0x03 Analysis conclusions

1. A simple scan of the server shows a large number of high-risk ports open, such as TCP 25/110/445/135/3389/139, so being attacked and taken over was inevitable.

2. The server was taken over and turned into a broiler mail server (WinWebMail) with the domain @system.mail; 61.158.163.126 (Sanmenxia, Henan Province) logs in as the user [email protected] and sends the spam through a mail client or dedicated software.

3. A quick Baidu search shows that many people often receive spam from [email protected]; today its ins and outs are finally clarified.

4. The spam is not sent at random; it is highly targeted. Qiao Tiger is a children's product, and querying a random sample of four of the recipients' QQ numbers suggests that the targets are young mothers and fathers.

Disclaimer: the IP addresses, e-mail addresses and other information in this article are for security monitoring and attack-prevention learning and exchange only; do not use them for any other purpose, or you bear the responsibility yourself.

0x04 Preliminary plan for follow-up articles

The follow-up articles are tentatively planned as Wireshark Hacker Discovery Tour: brute-force cracking, port scanning, web vulnerability scanning, web exploitation, phishing, database attacks, mail system attacks, web-based intranet penetration, etc. The plan may be adjusted slightly depending on time, the setup of the experimental environment, and so on. (By: Mr.Right, K0r4dji)


God Pen Liang 2015-12-04 23:38:58

Worth Learning

Pea 2015-09-06 17:00:57

I'd estimate it's CPA to earn commission, 6 yuan each.

evethunder 2015-07-27 11:43:24

Very powerful, indeed worth studying.

Little brother 2015-07-23 10:25:23

Learned a new trick! In the past, during emergency response, people would have already cleared the logs and there was no clue at all to go on.

bugmeout 2015-07-08 12:37:18

Nice, just like a novel.

fvckyou 2015-07-07 17:05:05

Nice pinpointing.

Poly-Feng Laboratory 2015-07-06 23:04:40

@cmxz I think there are two uses: 1. Each spam run sends thousands of mails or more, so a server with some performance is generally needed to process them quickly, which is why the little hacker set his sights on other people's idle servers. 2. A broiler mail server also works like a VPS and better hides the sender's IP address. Whether the mail gets filtered by other mail servers has nothing to do with whether it was sent from a broiler.

cmxz 2015-07-06 17:29:20

What is the advantage of using a broiler's IP to send mail? Isn't it just a new IP that the other mail servers dump straight into the trash?
