WireShark hacker discovery tour-zombie email server


0x00 background

A bot, also called a zombie machine, is a host that an attacker controls remotely. Once a host has become a zombie, the attacker can use it at will: steal data from it, launch further attacks from it, or destroy it. In this article WireShark is used to study one purpose a zombie is put to: serving as a relay for advertising spam.

0x01 anomaly detected

During a security assessment of an enterprise server group, the customer's server (10.190.214.130) showed anomalous behaviour. Judging from its communication pattern it should have been an idle server, yet after a period of packet capture, the protocol statistics over the captured data showed that almost all of its traffic was SMTP.

SMTP is the mail transfer protocol. Under normal circumstances it appears in two situations:

1. a user sends an email;

2. mail servers exchange mail with each other.

This IP address belongs to a server, so it is certainly not a personal user sending mail from a PC.

Is it a mail server, then? If so, why is there only SMTP, and no POP3, HTTP, IMAP or the like?

With these questions in mind, we analysed the IP addresses, ports and other details of the traffic:

The statistics show that all communication is SMTP with 61.158.163.126 (Sanmenxia, Henan), and that the server (10.190.214.130) listens on TCP port 25, so it is indeed a mail server.

Many security analysts, and most monitoring and analysis software, stop at this point. The reasoning is that the IP address is plausible, the logic is plausible, and SMTP is rarely used to carry attacks, so this must be normal mail traffic. Unfortunately, that is exactly how a small but real security incident gets missed.
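The triage described above can be automated. The following Python is an added illustration, not code from the original article: it takes a list of TCP sessions in the form Wireshark's Conversations view exports (constructed sample records below, modelled on this case) and reproduces the three observations made so far: the protocol mix is almost entirely SMTP with none of the mail-retrieval protocols a real user population would generate, a single remote address accounts for nearly all inbound SMTP sessions, and those sessions arrive in a burst. The thresholds, the port-to-protocol table and the helper names are assumptions.

```python
"""Triage of captured TCP sessions in the spirit of Wireshark's Protocol
Hierarchy and Conversations statistics.  Added illustration, not code from
the original article; every session record below is constructed."""
from collections import Counter

# One record per TCP session: (timestamp in seconds, source IP, destination IP,
# destination port).  Twelve SMTP sessions from one remote host inside two
# minutes plus one DNS lookup by the server itself (constructed data).
REMOTE = "61.158.163.126"
SERVER = "10.190.214.130"
SESSIONS = [(t, REMOTE, SERVER, 25) for t in range(0, 120, 10)] + [
    (30, SERVER, "10.190.214.1", 53),
]

# Assumed port-to-protocol mapping (Wireshark resolves this from dissectors).
PORT_PROTOCOLS = {25: "SMTP", 110: "POP3", 143: "IMAP", 80: "HTTP", 443: "HTTPS", 53: "DNS"}
# Protocols that real mailbox users generate against a genuine mail server.
MAIL_RETRIEVAL = {"POP3", "IMAP", "HTTP", "HTTPS"}


def protocol_share(sessions, host):
    """Fraction of sessions involving `host`, keyed by application protocol."""
    counts = Counter(PORT_PROTOCOLS.get(dport, f"tcp/{dport}")
                     for _, src, dst, dport in sessions if host in (src, dst))
    total = sum(counts.values())
    return {proto: n / total for proto, n in counts.items()} if total else {}


def smtp_peers(sessions, host):
    """Remote addresses that opened SMTP (tcp/25) sessions to `host`, with counts."""
    return Counter(src for _, src, dst, dport in sessions if dst == host and dport == 25)


def peak_sessions_per_minute(sessions, host, port=25):
    """Largest number of inbound sessions on `port` within any 60-second window."""
    times = sorted(t for t, _, dst, dport in sessions if dst == host and dport == port)
    best, start = 0, 0
    for end, t in enumerate(times):
        while times[start] <= t - 60:      # drop sessions older than 60 s
            start += 1
        best = max(best, end - start + 1)
    return best


def triage(sessions, host, smtp_share_threshold=0.9, min_smtp_sessions=10, burst_threshold=5):
    """Return human-readable findings for `host`; an empty list means nothing stood out."""
    findings = []
    share = protocol_share(sessions, host)
    smtp = share.get("SMTP", 0.0)
    if smtp >= smtp_share_threshold and MAIL_RETRIEVAL.isdisjoint(share):
        findings.append(f"{smtp:.0%} of sessions are SMTP, with no POP3/IMAP/webmail traffic at all")
    peers = smtp_peers(sessions, host)
    total_smtp = sum(peers.values())
    if total_smtp >= min_smtp_sessions:
        top, n = peers.most_common(1)[0]
        if n / total_smtp >= 0.9:
            findings.append(f"{top} accounts for {n} of {total_smtp} inbound SMTP sessions")
    peak = peak_sessions_per_minute(sessions, host)
    if peak >= burst_threshold:
        findings.append(f"burst of {peak} SMTP sessions within one minute")
    return findings


if __name__ == "__main__":
    for finding in triage(SESSIONS, SERVER):
        print("-", finding)
```

On the constructed data all three findings fire; a host that merely receives a couple of SMTP sessions alongside POP3 traffic produces none, which is the point of combining the checks rather than alerting on "port 25 seen".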

Professional instinct said that this was not a legitimate mail server. At this point the application layer has to be examined to see how the host actually behaves, so we went on to inspect the SMTP login exchange.

The data shows a successful mailbox login. Right-click and choose Follow TCP Stream to view the complete login exchange:

  334 VXNlcm5hbWU6                  // Base64 for "Username:"
  YWRtaW4=                          // user name entered by the client; Base64-decodes to "admin"
  334 UGFzc3dvcmQ6                  // Base64 for "Password:"
  YWRtaW4=                          // password entered by the client; Base64-decodes to "admin"
  235 Authentication successful     // login accepted
  Mail from: <admin@system.mail>    // the email is sent from ......

This shows that 61.158.163.126 logged on to the mail server 10.190.214.30 over SMTP with the user name admin and the password admin, that the mail server's domain is @system.mail, and that mail is sent as admin@system.mail.

Looking at the user name, the password and the mail address, the problems are obvious:

1. An admin account is normally not used for logins from the Internet.

2. Only a clueless administrator would set the admin account's password to "admin".

3. The domain @system.mail has nothing to do with the customer.

Clearly, this is a mail server under someone else's control: a "zombie mail server".
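The decoding and the three checks above can be applied mechanically to any Follow TCP Stream transcript. The Python below is an added example, not code from the original article: it parses a constructed SMTP session (the server name and recipient addresses are placeholders; the credentials and sender address are the ones shown above), recovers the AUTH LOGIN user name and password from their Base64 prompts and responses, also handles the single-line AUTH PLAIN form as a generalisation, collects MAIL FROM and RCPT TO, and then reports the red flags. The list of privileged account names and the organisation's domain list are assumptions.

```python
"""Decode an SMTP AUTH exchange from a Follow-TCP-Stream transcript and apply
the article's checks.  Added example, not the article's own code; the
transcript, server name, recipients and organisation domains are constructed."""
import base64
import binascii
import re

ADDR = re.compile(r"<([^>]*)>")
REPLY = re.compile(r"^\d{3}[ -]")        # SMTP server reply lines ("250 OK", "250-...")
PRIVILEGED = {"admin", "administrator", "root", "postmaster"}   # assumed list

# Constructed transcript, client and server lines interleaved as Wireshark shows them.
STREAM = """\
220 mail.example.test ESMTP ready
EHLO sender.example.test
250-mail.example.test
250 AUTH LOGIN PLAIN
AUTH LOGIN
334 VXNlcm5hbWU6
YWRtaW4=
334 UGFzc3dvcmQ6
YWRtaW4=
235 Authentication successful
Mail from: <admin@system.mail>
250 OK
RCPT TO:<recipient1@example.org>
250 OK
RCPT TO:<recipient2@example.org>
250 OK
RCPT TO:<recipient3@example.org>
250 OK
DATA
354 End data with <CR><LF>.<CR><LF>
"""


def b64_text(token):
    """Decode one Base64 token; tolerates stray spaces such as the 'YWRtaW4 =' rendering."""
    return base64.b64decode(token.replace(" ", "")).decode("utf-8", "replace")


def parse_smtp_session(stream):
    """Extract credentials, sender and recipients from a Follow-TCP-Stream transcript."""
    session = {"username": None, "password": None, "authenticated": False,
               "mail_from": None, "rcpt_to": []}
    pending = None            # which AUTH LOGIN prompt the next client line answers
    for raw in stream.splitlines():
        line = raw.strip()
        if not line:
            continue
        upper = line.upper()
        if line.startswith("334 "):
            try:                                  # prompt is Base64 ("Username:" / "Password:")
                prompt = b64_text(line[4:]).strip().lower()
            except (binascii.Error, ValueError):
                prompt = ""
            pending = ("username" if prompt.startswith("user")
                       else "password" if prompt.startswith("pass") else None)
        elif line.startswith("235 "):
            session["authenticated"] = True
        elif upper.startswith("AUTH PLAIN "):
            # RFC 4616: Base64 of "[authzid]\0authcid\0password" on a single line
            parts = base64.b64decode(line.split(None, 2)[2]).split(b"\x00")
            if len(parts) == 3:
                session["username"] = parts[1].decode("utf-8", "replace")
                session["password"] = parts[2].decode("utf-8", "replace")
        elif pending and not REPLY.match(line):
            session[pending] = b64_text(line)     # client's Base64 answer to the prompt
            pending = None
        elif upper.startswith("MAIL FROM:"):
            m = ADDR.search(line)
            session["mail_from"] = m.group(1) if m else line[10:].strip()
        elif upper.startswith("RCPT TO:"):
            m = ADDR.search(line)
            session["rcpt_to"].append(m.group(1) if m else line[8:].strip())
    return session


def red_flags(session, org_domains):
    """Apply the article's three checks plus the cleartext-credential observation."""
    flags = []
    user, pw = session["username"], session["password"]
    if pw is not None:
        flags.append("credentials are recoverable from the capture: AUTH ran without TLS")
    if user and user.lower() in PRIVILEGED:
        flags.append(f"privileged account '{user}' logged in over the Internet-facing SMTP port")
    if user and pw and pw.lower() == user.lower():
        flags.append("password equals the user name (default or trivially weak credential)")
    sender = session["mail_from"] or ""
    domain = sender.rsplit("@", 1)[1].lower() if "@" in sender else ""
    if domain and domain not in {d.lower() for d in org_domains}:
        flags.append(f"sender domain '{domain}' is not one of the organisation's domains")
    return flags


if __name__ == "__main__":
    info = parse_smtp_session(STREAM)
    print(info)
    for flag in red_flags(info, ["example.test"]):
        print("-", flag)
```

Run against the constructed transcript, the parser recovers admin/admin and admin@system.mail with three recipients, and all four flags are raised; a session authenticated as an ordinary user with its own domain raises only the cleartext-credential note, which is still worth fixing (require STARTTLS before AUTH) even when nothing else is wrong.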

0x02 behavior tracking

Having found the problem, we followed up on the zombie server's behaviour. Following the complete TCP stream shows that this is a mail sent by admin@system.mail to ten recipients including www651419067@126.com, wyq0204@yahoo.com.cn and zhaocl1@163.com (QQ mail addresses have been erased for now; see the end of the article for the reason). The number of mails is not large.

To view the full mail content, choose Save As, save the stream as X.eml, and open it with a mail client such as Outlook.

After reading the mail, the mystery is solved: the content is "Qiaohu" (Clever Tiger) advertising spam. The server has been taken over by attackers and turned into a mail server for spam campaigns. Other mails were recovered in the same way:

The mail content is identical in every case. The figure above also shows that SMTP had dozens of sessions in a short period, that is, dozens of mails were sent, reaching hundreds of mailboxes. Opening the domain http://url7.me/hnhv1 displays the advertisement page for Qiaohu products.

0x03 analysis conclusion

1. A simple scan shows that the server exposes a large number of high-risk ports, such as TCP 25, 110, 445, 135, 3389 and 139, so it was only a matter of time before it was attacked and taken over.

2. The server was taken over and turned into a zombie mail server (WinWebMail) with the domain @system.mail. 61.158.163.126 (Sanmenxia City, Henan Province) logs on as admin@system.mail and sends spam through a mail client or dedicated software.

3. A quick Baidu search shows that many people regularly receive spam from admin@system.mail; today its origin is finally clear.

4. The spam is targeted rather than sent at random. Qiaohu is a children's product, and querying four randomly chosen QQ numbers from the recipient list suggests that the recipients are all young parents.

Note: The IP addresses, mail addresses and other information in this article are provided for security monitoring, attack prevention, learning and exchange only. Do not use them for any other purpose; anyone who does so bears sole responsibility.

0x04 preliminary design of subsequent articles

Subsequent articles in the WireShark hacker discovery tour are planned to cover brute-force cracking, port scanning, web vulnerability scanning, web vulnerability exploitation, phishing, database attacks, mail system attacks, web-based intranet penetration and so on, subject to adjustment according to time and the lab environment. (By: Mr. Right, K0r4dji)
