LinuxQuestions.org
Old 08-27-2008, 05:27 PM   #16
flashl
Member
 
Registered: Mar 2005
Posts: 44

Original Poster
Rep: Reputation: 15

chort, iptables

Code:
Chain INPUT (policy DROP)
target     prot opt source               destination         
DROP       all  --  71.71.63.106         0.0.0.0/0           
DROP       all  --  220.110.144.156      0.0.0.0/0           
DROP       all  --  221.224.78.240       0.0.0.0/0           
DROP       all  --  221.224.78.229       0.0.0.0/0           
ACCEPT     tcp  --  127.0.0.1            0.0.0.0/0           tcp flags:!0x17/0x02 
ACCEPT     udp  --  127.0.0.1            0.0.0.0/0           
ACCEPT     tcp  --  64.183.63.43         0.0.0.0/0           tcp flags:!0x17/0x02 
ACCEPT     udp  --  64.183.63.43         0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           limit: avg 10/sec burst 5 
DROP       all  --  0.0.0.0/0            255.255.255.255     
DROP       all  --  0.0.0.0/0            64.183.63.255       
DROP       all  --  255.255.255.255      0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0             
DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID 
LSI        all  -f  0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 5 
INBOUND    all  --  0.0.0.0/0            0.0.0.0/0           
LOG_FILTER  all  --  0.0.0.0/0            0.0.0.0/0           
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Unknown Input' 

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DROP       all  --  71.71.63.106         0.0.0.0/0           
DROP       all  --  220.110.144.156      0.0.0.0/0           
DROP       all  --  221.224.78.240       0.0.0.0/0           
DROP       all  --  221.224.78.229       0.0.0.0/0           
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           limit: avg 10/sec burst 5 
LOG_FILTER  all  --  0.0.0.0/0            0.0.0.0/0           
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Unknown Forward' 

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  64.183.63.43         127.0.0.1           tcp dpt:53 
ACCEPT     udp  --  64.183.63.43         127.0.0.1           udp dpt:53 
ACCEPT     tcp  --  64.183.63.43         64.183.63.43        tcp dpt:53 
ACCEPT     udp  --  64.183.63.43         64.183.63.43        udp dpt:53 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  255.255.255.255      0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0             
DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID 
OUTBOUND   all  --  0.0.0.0/0            0.0.0.0/0           
LOG_FILTER  all  --  0.0.0.0/0            0.0.0.0/0           
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Unknown Output' 

Chain INBOUND (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
ACCEPT     all  --  64.183.63.44         0.0.0.0/0           
ACCEPT     all  --  64.183.63.45         0.0.0.0/0           
ACCEPT     all  --  64.183.63.46         0.0.0.0/0           
ACCEPT     all  --  76.90.225.224        0.0.0.0/0           
ACCEPT     all  --  98.170.211.17        0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53 
ACCEPT     tcp  --  64.183.63.45         0.0.0.0/0           tcp dpt:25 
ACCEPT     udp  --  64.183.63.45         0.0.0.0/0           udp dpt:25 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:80 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:443 
ACCEPT     tcp  --  98.170.211.17        0.0.0.0/0           tcp dpt:22 
ACCEPT     udp  --  98.170.211.17        0.0.0.0/0           udp dpt:22 
ACCEPT     tcp  --  64.183.63.45         0.0.0.0/0           tcp dpt:514 
ACCEPT     udp  --  64.183.63.45         0.0.0.0/0           udp dpt:514 
ACCEPT     tcp  --  98.170.211.17        0.0.0.0/0           tcp dpts:5900:5903 
ACCEPT     udp  --  98.170.211.17        0.0.0.0/0           udp dpts:5900:5903 
ACCEPT     tcp  --  64.183.63.45         0.0.0.0/0           tcp dpt:3306 
ACCEPT     udp  --  64.183.63.45         0.0.0.0/0           udp dpt:3306 
ACCEPT     tcp  --  98.170.211.17        0.0.0.0/0           tcp dpt:3000 
ACCEPT     udp  --  98.170.211.17        0.0.0.0/0           udp dpt:3000 
ACCEPT     tcp  --  98.170.211.17        0.0.0.0/0           tcp dpt:3001 
ACCEPT     udp  --  98.170.211.17        0.0.0.0/0           udp dpt:3001 
LSI        all  --  0.0.0.0/0            0.0.0.0/0           

Chain LOG_FILTER (5 references)
target     prot opt source               destination         

Chain LSI (2 references)
target     prot opt source               destination         
LOG_FILTER  all  --  0.0.0.0/0            0.0.0.0/0           
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound ' 
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02 
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x04 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound ' 
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x04 
LOG        icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8 limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix `Inbound ' 
DROP       icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8 
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Inbound ' 
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain LSO (0 references)
target     prot opt source               destination         
LOG_FILTER  all  --  0.0.0.0/0            0.0.0.0/0           
LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 5/sec burst 5 LOG flags 0 level 6 prefix `Outbound ' 
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable 

Chain OUTBOUND (1 references)
target     prot opt source               destination         
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
slimm609, tcpdump
Code:
15:06:50.306533 IP 190.40.99.141.28077 > 64.183.63.46.smtp: S 1587977559:1587977559(0) win 24000 <mss 536>
15:06:52.510593 IP 190.40.99.141.28077 > 64.183.63.46.smtp: S 1587977559:1587977559(0) win 24000 <mss 536>
15:06:55.085237 IP 190.40.99.141.28077 > 64.183.63.46.smtp: S 1587977559:1587977559(0) win 24000 <mss 536>
15:06:57.356529 IP 190.40.99.141.28077 > 64.183.63.46.smtp: S 1587977559:1587977559(0) win 24000 <mss 536>
15:07:11.097471 IP 190.51.164.61.48663 > 64.183.63.45.smtp: S 1396330683:1396330683(0) win 24000 <mss 536>
15:07:11.097486 IP 64.183.63.45.smtp > 190.51.164.61.48663: S 1855467023:1855467023(0) ack 1396330684 win 5840 <mss 1460>
15:07:11.529782 IP 190.51.164.61.48663 > 64.183.63.45.smtp: . ack 1 win 24000
15:07:12.101986 IP 64.183.63.45.smtp > 190.51.164.61.48663: P 1:28(27) ack 1 win 5840
15:07:12.370887 IP 190.51.164.61.48663 > 64.183.63.45.smtp: . ack 28 win 24000
15:07:12.375473 IP 190.51.164.61.48663 > 64.183.63.45.smtp: P 1:35(34) ack 28 win 24000
15:07:12.375486 IP 64.183.63.45.smtp > 190.51.164.61.48663: . ack 35 win 5840
15:07:12.375490 IP 64.183.63.45.smtp > 190.51.164.61.48663: P 28:142(114) ack 35 win 5840
15:07:12.659992 IP 190.51.164.61.48663 > 64.183.63.45.smtp: . ack 142 win 24000
15:07:12.666677 IP 190.51.164.61.48663 > 64.183.63.45.smtp: P 35:119(84) ack 142 win 24000
15:07:12.693602 IP 64.183.63.45.smtp > 190.51.164.61.48663: P 142:270(128) ack 119 win 5840
15:07:12.972551 IP 190.51.164.61.48663 > 64.183.63.45.smtp: . ack 270 win 24000
15:07:12.973551 IP 190.51.164.61.48692 > 64.183.63.46.smtp: S 1407805853:1407805853(0) win 24000 <mss 536>
15:07:12.975643 IP 190.51.164.61.48663 > 64.183.63.45.smtp: R 119:119(0) ack 270 win 24000
15:07:15.403164 IP 190.51.164.61.48692 > 64.183.63.46.smtp: S 1407805853:1407805853(0) win 24000 <mss 536>
15:07:17.836450 IP 190.51.164.61.48692 > 64.183.63.46.smtp: S 1407805853:1407805853(0) win 24000 <mss 536>
15:07:20.278121 IP 190.51.164.61.48692 > 64.183.63.46.smtp: S 1407805853:1407805853(0) win 24000 <mss 536>
15:07:21.899285 IP 189.24.111.184.61540 > 64.183.63.46.smtp: S 3479350691:3479350691(0) win 65535 <mss 1452,nop,nop,sackOK>
15:07:22.746689 IP 190.51.164.61.48692 > 64.183.63.46.smtp: S 1407805853:1407805853(0) win 24000 <mss 536>
15:07:24.863265 IP 189.24.111.184.61540 > 64.183.63.46.smtp: S 3479350691:3479350691(0) win 65535 <mss 1452,nop,nop,sackOK>
15:07:25.196994 IP 190.51.164.61.48692 > 64.183.63.46.smtp: S 1407805853:1407805853(0) win 24000 <mss 536>
15:07:27.630322 IP 190.51.164.61.48692 > 64.183.63.46.smtp: S 1407805853:1407805853(0) win 24000 <mss 536>
15:07:27.730377 IP 119.11.7.33.48995 > 64.183.63.46.smtp: S 2196775:2196775(0) win 24000 <mss 536>
15:07:30.090045 IP 119.11.7.33.48995 > 64.183.63.46.smtp: S 2196775:2196775(0) win 24000 <mss 536>
15:07:30.824708 IP 189.24.111.184.61540 > 64.183.63.46.smtp: S 3479350691:3479350691(0) win 65535 <mss 1452,nop,nop,sackOK>
15:07:32.527319 IP 119.11.7.33.48995 > 64.183.63.46.smtp: S 2196775:2196775(0) win 24000 <mss 536>
15:07:35.068829 IP 119.11.7.33.48995 > 64.183.63.46.smtp: S 2196775:2196775(0) win 24000 <mss 536>
15:07:37.548562 IP 119.11.7.33.48995 > 64.183.63.46.smtp: S 2196775:2196775(0) win 24000 <mss 536>
15:07:39.968036 IP 119.11.7.33.48995 > 64.183.63.46.smtp: S 2196775:2196775(0) win 24000 <mss 536>
15:07:40.707543 IP 119.11.7.33.48995 > 64.183.63.46.smtp: R 2196776:2196776(0) ack 0 win 24000
15:08:00.740423 IP 91.199.123.36.60202 > 64.183.63.46.smtp: S 1637016788:1637016788(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 3741430959 0,sackOK,eol>
15:08:03.739947 IP 91.199.123.36.60202 > 64.183.63.46.smtp: S 1637016788:1637016788(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 3741433959 0,sackOK,eol>
15:08:06.939850 IP 91.199.123.36.60202 > 64.183.63.46.smtp: S 1637016788:1637016788(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 3741437159 0,sackOK,eol>
15:08:07.840622 IP 190.76.123.198.51349 > 64.183.63.43.smtp: S 1077033887:1077033887(0) win 24000 <mss 536>
15:08:09.946543 IP 190.76.123.198.51349 > 64.183.63.43.smtp: S 1077033887:1077033887(0) win 24000 <mss 536>
15:08:10.139820 IP 91.199.123.36.60202 > 64.183.63.46.smtp: S 1637016788:1637016788(0) win 65535 <mss 1460,sackOK,eol>
15:08:12.669460 IP 190.76.123.198.51349 > 64.183.63.43.smtp: S 1077033887:1077033887(0) win 24000 <mss 536>
15:08:13.339811 IP 91.199.123.36.60202 > 64.183.63.46.smtp: S 1637016788:1637016788(0) win 65535 <mss 1460,sackOK,eol>
15:08:15.572344 IP 190.76.123.198.51349 > 64.183.63.43.smtp: S 1077033887:1077033887(0) win 24000 <mss 536>
15:08:16.540252 IP 91.199.123.36.60202 > 64.183.63.46.smtp: S 1637016788:1637016788(0) win 65535 <mss 1460,sackOK,eol>
15:08:17.732817 IP 190.76.123.198.51349 > 64.183.63.43.smtp: S 1077033887:1077033887(0) win 24000 <mss 536>
15:08:19.708654 IP 190.76.123.198.51349 > 64.183.63.43.smtp: S 1077033887:1077033887(0) win 24000 <mss 536>
15:08:22.242196 IP 190.76.123.198.51349 > 64.183.63.43.smtp: S 1077033887:1077033887(0) win 24000 <mss 536>
15:08:22.694521 IP 190.76.123.198.51533 > 64.183.63.46.smtp: S 1962451711:1962451711(0) win 24000 <mss 536>
15:08:22.740222 IP 91.199.123.36.60202 > 64.183.63.46.smtp: S 1637016788:1637016788(0) win 65535 <mss 1460,sackOK,eol>
15:08:25.225460 IP 190.76.123.198.51533 > 64.183.63.46.smtp: S 1962451711:1962451711(0) win 24000 <mss 536>
15:08:27.492942 IP 190.76.123.198.51533 > 64.183.63.46.smtp: S 1962451711:1962451711(0) win 24000 <mss 536>
15:08:29.999190 IP 190.76.123.198.51533 > 64.183.63.46.smtp: S 1962451711:1962451711(0) win 24000 <mss 536>
15:08:30.742210 IP 91.199.123.36.60328 > 64.183.63.45.smtp: S 775348668:775348668(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 3741460960 0,sackOK,eol>
15:08:30.742226 IP 64.183.63.45.smtp > 91.199.123.36.60328: S 3113845989:3113845989(0) ack 775348669 win 5840 <mss 1460>
15:08:30.942909 IP 91.199.123.36.60328 > 64.183.63.45.smtp: . ack 1 win 65535
15:08:31.382510 IP 64.183.63.45.smtp > 91.199.123.36.60328: P 1:28(27) ack 1 win 5840
15:08:31.581616 IP 91.199.123.36.60328 > 64.183.63.45.smtp: P 1:38(37) ack 28 win 65535
15:08:31.581627 IP 64.183.63.45.smtp > 91.199.123.36.60328: . ack 38 win 5840
15:08:31.581633 IP 64.183.63.45.smtp > 91.199.123.36.60328: P 28:142(114) ack 38 win 5840
15:08:31.784864 IP 91.199.123.36.60328 > 64.183.63.45.smtp: P 38:168(130) ack 142 win 65535
15:08:31.812735 IP 64.183.63.45.smtp > 91.199.123.36.60328: P 142:270(128) ack 168 win 6432
15:08:32.114413 IP 91.199.123.36.60328 > 64.183.63.45.smtp: . ack 270 win 65535
15:08:32.134035 IP 91.199.123.36.60328 > 64.183.63.45.smtp: P 168:180(12) ack 270 win 65535
15:08:32.134047 IP 64.183.63.45.smtp > 91.199.123.36.60328: P 270:299(29) ack 180 win 6432
15:08:32.134586 IP 64.183.63.45.smtp > 91.199.123.36.60328: F 299:299(0) ack 180 win 6432
15:08:32.335648 IP 91.199.123.36.60328 > 64.183.63.45.smtp: . ack 270 win 65535
15:08:32.335989 IP 91.199.123.36.60328 > 64.183.63.45.smtp: . ack 300 win 65535
15:08:32.336264 IP 91.199.123.36.60328 > 64.183.63.45.smtp: F 180:180(0) ack 300 win 65535
15:08:32.336275 IP 64.183.63.45.smtp > 91.199.123.36.60328: . ack 181 win 6432
15:08:32.453786 IP 190.76.123.198.51533 > 64.183.63.46.smtp: S 1962451711:1962451711(0) win 24000 <mss 536>
15:08:35.122124 IP 190.76.123.198.51533 > 64.183.63.46.smtp: S 1962451711:1962451711(0) win 24000 <mss 536>
15:10:54.144021 IP 218.56.71.153.4329 > 64.183.63.46.smtp: S 1943794266:1943794266(0) win 64800 <mss 1440,nop,nop,sackOK>
15:10:57.067108 IP 218.56.71.153.4329 > 64.183.63.46.smtp: S 1943794266:1943794266(0) win 64800 <mss 1440,nop,nop,sackOK>
15:10:58.775638 IP 63.220.206.47.53914 > 64.183.63.46.smtp: S 1100960220:1100960220(0) win 5840 <mss 1460,sackOK,timestamp 154818828 0,nop,wscale 6>
15:11:01.773411 IP 63.220.206.47.53914 > 64.183.63.46.smtp: S 1100960220:1100960220(0) win 5840 <mss 1460,sackOK,timestamp 154819578 0,nop,wscale 6>
15:11:03.082693 IP 218.56.71.153.4329 > 64.183.63.46.smtp: S 1943794266:1943794266(0) win 64800 <mss 1440,nop,nop,sackOK>
15:11:03.774444 IP 63.220.206.48.36041 > 64.183.63.46.smtp: S 1187313536:1187313536(0) win 5840 <mss 1460,sackOK,timestamp 154820078 0,nop,wscale 6>
15:11:06.773301 IP 63.220.206.48.36041 > 64.183.63.46.smtp: S 1187313536:1187313536(0) win 5840 <mss 1460,sackOK,timestamp 154820828 0,nop,wscale 6>
15:11:08.774338 IP 63.220.206.47.56325 > 64.183.63.45.smtp: S 1263168647:1263168647(0) win 5840 <mss 1460,sackOK,timestamp 154821328 0,nop,wscale 6>
15:11:08.774351 IP 64.183.63.45.smtp > 63.220.206.47.56325: S 1294254863:1294254863(0) ack 1263168648 win 5840 <mss 1460>
15:11:08.792944 IP 63.220.206.47.56325 > 64.183.63.45.smtp: . ack 1 win 5840
15:11:08.812559 IP 64.183.63.45.smtp > 63.220.206.47.56325: P 1:28(27) ack 1 win 5840
15:11:08.829137 IP 63.220.206.47.56325 > 64.183.63.45.smtp: . ack 28 win 5840
15:11:08.829481 IP 63.220.206.47.56325 > 64.183.63.45.smtp: P 1:36(35) ack 28 win 5840
15:11:08.829493 IP 64.183.63.45.smtp > 63.220.206.47.56325: . ack 36 win 5840
15:11:08.829496 IP 64.183.63.45.smtp > 63.220.206.47.56325: P 28:49(21) ack 36 win 5840
15:11:08.844542 IP 63.220.206.47.56325 > 64.183.63.45.smtp: P 36:84(48) ack 49 win 5840
15:11:08.864842 IP 64.183.63.45.smtp > 63.220.206.47.56325: P 49:63(14) ack 84 win 5840
15:11:08.881897 IP 63.220.206.47.56325 > 64.183.63.45.smtp: P 84:118(34) ack 63 win 5840
15:11:08.921490 IP 64.183.63.45.smtp > 63.220.206.47.56325: . ack 118 win 5840
15:11:09.076589 IP 64.183.63.45.smtp > 63.220.206.47.56325: P 63:140(77) ack 118 win 5840
15:11:09.094561 IP 63.220.206.47.56325 > 64.183.63.45.smtp: P 118:124(6) ack 140 win 5840
15:11:09.094572 IP 64.183.63.45.smtp > 63.220.206.47.56325: . ack 124 win 5840
15:11:09.094577 IP 64.183.63.45.smtp > 63.220.206.47.56325: P 140:154(14) ack 124 win 5840
15:11:09.111780 IP 63.220.206.47.56325 > 64.183.63.45.smtp: P 124:130(6) ack 154 win 5840
15:11:09.111792 IP 64.183.63.45.smtp > 63.220.206.47.56325: P 154:169(15) ack 130 win 5840
15:11:09.112143 IP 63.220.206.47.56325 > 64.183.63.45.smtp: F 130:130(0) ack 154 win 5840
15:11:09.112156 IP 64.183.63.45.smtp > 63.220.206.47.56325: F 169:169(0) ack 131 win 5840
15:11:09.133409 IP 63.220.206.47.56325 > 64.183.63.45.smtp: . ack 170 win 5840
15:11:15.118526 IP 218.56.71.153.e3consultants > 64.183.63.45.smtp: S 575637313:575637313(0) win 64800 <mss 1440,nop,nop,sackOK>
15:11:15.118538 IP 64.183.63.45.smtp > 218.56.71.153.e3consultants: S 1397678468:1397678468(0) ack 575637314 win 5840 <mss 1460>
15:11:15.358250 IP 218.56.71.153.e3consultants > 64.183.63.45.smtp: . ack 1 win 64800
15:11:15.359715 IP 64.183.63.45.smtp > 218.56.71.153.e3consultants: P 1:28(27) ack 1 win 5840
15:11:15.598303 IP 218.56.71.153.e3consultants > 64.183.63.45.smtp: P 1:21(20) ack 28 win 64773
15:11:15.598314 IP 64.183.63.45.smtp > 218.56.71.153.e3consultants: . ack 21 win 5840
15:11:15.598320 IP 64.183.63.45.smtp > 218.56.71.153.e3consultants: P 28:49(21) ack 21 win 5840
15:11:15.828943 IP 218.56.71.153.e3consultants > 64.183.63.45.smtp: . ack 49 win 64752
15:11:15.846048 IP 218.56.71.153.e3consultants > 64.183.63.45.smtp: P 21:66(45) ack 49 win 64752
15:11:15.872041 IP 64.183.63.45.smtp > 218.56.71.153.e3consultants: P 49:63(14) ack 66 win 5840
15:11:16.115152 IP 218.56.71.153.e3consultants > 64.183.63.45.smtp: P 66:103(37) ack 63 win 64738
15:11:16.117231 IP 64.183.63.45.smtp > 218.56.71.153.e3consultants: P 63:139(76) ack 103 win 5840
15:11:16.382507 IP 218.56.71.153.e3consultants > 64.183.63.45.smtp: P 103:109(6) ack 139 win 64662
15:11:16.382521 IP 64.183.63.45.smtp > 218.56.71.153.e3consultants: P 139:154(15) ack 109 win 5840
15:11:16.382973 IP 64.183.63.45.smtp > 218.56.71.153.e3consultants: F 154:154(0) ack 109 win 5840
15:11:16.623867 IP 218.56.71.153.e3consultants > 64.183.63.45.smtp: . ack 139 win 64662
15:11:16.624214 IP 218.56.71.153.e3consultants > 64.183.63.45.smtp: . ack 155 win 64647
15:11:16.630045 IP 218.56.71.153.e3consultants > 64.183.63.45.smtp: F 109:109(0) ack 155 win 64647
15:11:16.630056 IP 64.183.63.45.smtp > 218.56.71.153.e3consultants: . ack 110 win 5840
15:11:32.355156 IP 201.254.56.168.55069 > 64.183.63.43.smtp: S 2285970071:2285970071(0) win 24000 <mss 536>
15:11:34.766885 IP 201.254.56.168.55069 > 64.183.63.43.smtp: S 2285970071:2285970071(0) win 24000 <mss 536>
15:11:37.688665 IP 201.254.56.168.55069 > 64.183.63.43.smtp: S 2285970071:2285970071(0) win 24000 <mss 536>
15:11:40.457683 IP 201.254.56.168.55069 > 64.183.63.43.smtp: S 2285970071:2285970071(0) win 24000 <mss 536>
15:11:43.306353 IP 201.254.56.168.55069 > 64.183.63.43.smtp: S 2285970071:2285970071(0) win 24000 <mss 536>
15:11:46.156557 IP 201.254.56.168.55069 > 64.183.63.43.smtp: S 2285970071:2285970071(0) win 24000 <mss 536>
15:11:48.884633 IP 201.254.56.168.55069 > 64.183.63.43.smtp: S 2285970071:2285970071(0) win 24000 <mss 536>
15:11:49.329872 IP 201.254.56.168.55246 > 64.183.63.46.smtp: S 2389128595:2389128595(0) win 24000 <mss 536>
15:11:52.112979 IP 201.254.56.168.55246 > 64.183.63.46.smtp: S 2389128595:2389128595(0) win 24000 <mss 536>
15:11:54.906373 IP 201.254.56.168.55246 > 64.183.63.46.smtp: S 2389128595:2389128595(0) win 24000 <mss 536>
15:11:57.706528 IP 201.254.56.168.55246 > 64.183.63.46.smtp: S 2389128595:2389128595(0) win 24000 <mss 536>
15:12:00.492192 IP 201.254.56.168.55246 > 64.183.63.46.smtp: S 2389128595:2389128595(0) win 24000 <mss 536>
15:12:03.326698 IP 201.254.56.168.55246 > 64.183.63.46.smtp: S 2389128595:2389128595(0) win 24000 <mss 536>
15:12:06.256145 IP 201.254.56.168.55246 > 64.183.63.46.smtp: S 2389128595:2389128595(0) win 24000 <mss 536>
15:12:06.648048 IP 201.240.84.4.18671 > 64.183.63.45.smtp: S 67691971:67691971(0) win 24000 <mss 536>
15:12:06.648060 IP 64.183.63.45.smtp > 201.240.84.4.18671: S 2197716074:2197716074(0) ack 67691972 win 5840 <mss 1460>
15:12:06.900236 IP 201.240.84.4.18671 > 64.183.63.45.smtp: . ack 1 win 24000
15:12:07.404930 IP 64.183.63.45.smtp > 201.240.84.4.18671: P 1:28(27) ack 1 win 5840
15:12:07.585348 IP 201.240.84.4.18671 > 64.183.63.45.smtp: . ack 28 win 24000
15:12:07.587108 IP 201.240.84.4.18671 > 64.183.63.45.smtp: P 1:41(40) ack 28 win 24000
15:12:07.587119 IP 64.183.63.45.smtp > 201.240.84.4.18671: . ack 41 win 5840
15:12:07.587124 IP 64.183.63.45.smtp > 201.240.84.4.18671: P 28:142(114) ack 41 win 5840
15:12:07.766498 IP 201.240.84.4.18671 > 64.183.63.45.smtp: . ack 142 win 24000
15:12:07.770007 IP 201.240.84.4.18671 > 64.183.63.45.smtp: P 41:110(69) ack 142 win 24000
15:12:07.804892 IP 64.183.63.45.smtp > 201.240.84.4.18671: P 142:269(127) ack 110 win 5840
15:12:07.985256 IP 201.240.84.4.18671 > 64.183.63.45.smtp: . ack 269 win 24000
15:12:07.986734 IP 201.240.84.4.18671 > 64.183.63.45.smtp: R 110:110(0) ack 269 win 24000
15:12:07.995119 IP 201.240.84.4.18697 > 64.183.63.46.smtp: S 68050681:68050681(0) win 24000 <mss 536>
15:12:10.412231 IP 201.240.84.4.18697 > 64.183.63.46.smtp: S 68050681:68050681(0) win 24000 <mss 536>
15:12:12.872794 IP 201.240.84.4.18697 > 64.183.63.46.smtp: S 68050681:68050681(0) win 24000 <mss 536>
15:12:15.339454 IP 201.240.84.4.18697 > 64.183.63.46.smtp: S 68050681:68050681(0) win 24000 <mss 536>
15:12:17.796532 IP 201.240.84.4.18697 > 64.183.63.46.smtp: S 68050681:68050681(0) win 24000 <mss 536>
15:12:20.284070 IP 201.240.84.4.18697 > 64.183.63.46.smtp: S 68050681:68050681(0) win 24000 <mss 536>
15:12:22.733840 IP 201.240.84.4.18697 > 64.183.63.46.smtp: S 68050681:68050681(0) win 24000 <mss 536>
 
Old 08-28-2008, 09:42 AM   #17
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 430

Rep: Reputation: 67
Code:
15:12:06.648048 IP 201.240.84.4.18671 > 64.183.63.45.smtp: S 67691971:67691971(0) win 24000 <mss 536>
15:12:06.648060 IP 64.183.63.45.smtp > 201.240.84.4.18671: S 2197716074:2197716074(0) ack 67691972 win 5840 <mss 1460>
15:12:06.900236 IP 201.240.84.4.18671 > 64.183.63.45.smtp: . ack 1 win 24000
15:12:07.404930 IP 64.183.63.45.smtp > 201.240.84.4.18671: P 1:28(27) ack 1 win 5840
15:12:07.585348 IP 201.240.84.4.18671 > 64.183.63.45.smtp: . ack 28 win 24000
15:12:07.587108 IP 201.240.84.4.18671 > 64.183.63.45.smtp: P 1:41(40) ack 28 win 24000
15:12:07.587119 IP 64.183.63.45.smtp > 201.240.84.4.18671: . ack 41 win 5840
15:12:07.587124 IP 64.183.63.45.smtp > 201.240.84.4.18671: P 28:142(114) ack 41 win 5840
15:12:07.766498 IP 201.240.84.4.18671 > 64.183.63.45.smtp: . ack 142 win 24000
15:12:07.770007 IP 201.240.84.4.18671 > 64.183.63.45.smtp: P 41:110(69) ack 142 win 24000
15:12:07.804892 IP 64.183.63.45.smtp > 201.240.84.4.18671: P 142:269(127) ack 110 win 5840
15:12:07.985256 IP 201.240.84.4.18671 > 64.183.63.45.smtp: . ack 269 win 24000
15:12:07.986734 IP 201.240.84.4.18671 > 64.183.63.45.smtp: R 110:110(0) ack 269 win 24000
This is a full conversation right there, so it's not one way.

Quote:
ACCEPT tcp -- 64.183.63.45 0.0.0.0/0 tcp dpt:25
ACCEPT udp -- 64.183.63.45 0.0.0.0/0 udp dpt:25
Your server is listening on port 25 in your firewall configuration.

Code:
15:08:32.453786 IP 190.76.123.198.51533 > 64.183.63.46.smtp: S 1962451711:1962451711(0) win 24000 <mss 536>
15:08:35.122124 IP 190.76.123.198.51533 > 64.183.63.46.smtp: S 1962451711:1962451711(0) win 24000 <mss 536>
15:10:54.144021 IP 218.56.71.153.4329 > 64.183.63.46.smtp: S 1943794266:1943794266(0) win 64800 <mss 1440,nop,nop,sackOK>
15:10:57.067108 IP 218.56.71.153.4329 > 64.183.63.46.smtp: S 1943794266:1943794266(0) win 64800 <mss 1440,nop,nop,sackOK>
15:10:58.775638 IP 63.220.206.47.53914 > 64.183.63.46.smtp: S 1100960220:1100960220(0) win 5840 <mss 1460,sackOK,timestamp 154818828 0,nop,wscale 6>
15:11:01.773411 IP 63.220.206.47.53914 > 64.183.63.46.smtp: S 1100960220:1100960220(0) win 5840 <mss 1460,sackOK,timestamp 154819578 0,nop,wscale 6>
15:11:03.082693 IP 218.56.71.153.4329 > 64.183.63.46.smtp: S 1943794266:1943794266(0) win 64800 <mss 1440,nop,nop,sackOK>
15:11:03.774444 IP 63.220.206.48.36041 > 64.183.63.46.smtp: S 1187313536:1187313536(0) win 5840 <mss 1460,sackOK,timestamp 154820078 0,nop,wscale 6>
15:11:06.773301 IP 63.220.206.48.36041 > 64.183.63.46.smtp: S 1187313536:1187313536(0) win 5840 <mss 1460,sackOK,timestamp 154820828 0,nop,wscale 6>
You can see it tries to reach .46, but .46 never responds, and when it tries .45 it works because it's allowed in your firewall.

Everything looks like it is working the way it is configured to.

Last edited by slimm609; 08-28-2008 at 09:50 AM.
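The check slimm609 does by eye above (which SYNs got a SYN-ACK and which were retransmitted at a host that never answers), done programmatically. This is an added example, not code from the thread: it parses the classic tcpdump line format pasted in this thread, groups packets into flows, and summarises per destination host. The sample capture is constructed from RFC 5737 documentation addresses, not the thread's hosts.

```python
# Which connection attempts in a tcpdump capture were actually answered?
# Parses the classic tcpdump TCP line format pasted in this thread, groups
# packets into flows and reports, per destination host, how many SYNs got a
# SYN-ACK and how many were just retransmitted into silence (what a DROP rule
# looks like from the outside).
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Flow:
    client: str           # "host.port" of the side that sent the first SYN
    server: str           # "host.port" the client tried to reach
    syns: int = 0         # SYNs without ACK from the client, retransmits included
    synack: bool = False  # server answered with SYN+ACK
    data: bool = False    # a PSH segment was seen in either direction

    def verdict(self):
        if self.synack and self.data:
            return "full conversation"
        if self.synack:
            return "handshake only"
        return "unanswered after %d SYN(s)" % self.syns

def parse_line(line):
    """Return (src, dst, flags, has_ack) for a TCP line, None for anything else."""
    tok = line.split()
    if len(tok) < 6 or tok[1] != "IP" or tok[3] != ">":
        return None
    src, dst, flags = tok[2], tok[4].rstrip(":"), tok[5]
    if not set(flags) <= set("SFRP.WE"):  # UDP/ICMP lines carry no TCP flag field
        return None
    return src, dst, flags, "ack" in tok[6:]

def classify(lines):
    """One Flow per endpoint pair (a port reused after a RST is not split out)."""
    flows = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, flags, has_ack = parsed
        key = frozenset((src, dst))       # same key in both directions
        if key not in flows:
            if "S" not in flags or has_ack:
                continue                  # mid-stream packet whose SYN we never saw
            flows[key] = Flow(client=src, server=dst)
        f = flows[key]
        if "S" in flags and not has_ack and src == f.client:
            f.syns += 1
        elif "S" in flags and has_ack and src == f.server:
            f.synack = True
        f.data |= "P" in flags
    return list(flows.values())

def summarize(flows):
    """Per server host: attempts answered with a SYN-ACK vs. left unanswered."""
    out = defaultdict(lambda: {"answered": 0, "unanswered": 0})
    for f in flows:
        out[f.server.rsplit(".", 1)[0]]["answered" if f.synack else "unanswered"] += 1
    return dict(out)

# Constructed sample in the thread's format (RFC 5737 addresses, not the thread's
# hosts): .45 answers on smtp, .46 never does, so the client keeps retransmitting.
SAMPLE = """\
15:07:11.097471 IP 203.0.113.9.48663 > 192.0.2.45.smtp: S 1396330683:1396330683(0) win 24000 <mss 536>
15:07:11.097486 IP 192.0.2.45.smtp > 203.0.113.9.48663: S 1855467023:1855467023(0) ack 1396330684 win 5840 <mss 1460>
15:07:11.529782 IP 203.0.113.9.48663 > 192.0.2.45.smtp: . ack 1 win 24000
15:07:12.101986 IP 192.0.2.45.smtp > 203.0.113.9.48663: P 1:28(27) ack 1 win 5840
15:07:12.375473 IP 203.0.113.9.48663 > 192.0.2.45.smtp: P 1:35(34) ack 28 win 24000
15:07:12.975643 IP 203.0.113.9.48663 > 192.0.2.45.smtp: R 119:119(0) ack 270 win 24000
15:07:12.973551 IP 203.0.113.9.48692 > 192.0.2.46.smtp: S 1407805853:1407805853(0) win 24000 <mss 536>
15:07:15.403164 IP 203.0.113.9.48692 > 192.0.2.46.smtp: S 1407805853:1407805853(0) win 24000 <mss 536>
15:07:17.836450 IP 203.0.113.9.48692 > 192.0.2.46.smtp: S 1407805853:1407805853(0) win 24000 <mss 536>
15:07:30.000000 IP 198.51.100.7.40000 > 192.0.2.45.smtp: S 1:1(0) win 5840 <mss 1460>
15:07:30.000010 IP 192.0.2.45.smtp > 198.51.100.7.40000: S 2:2(0) ack 2 win 5840 <mss 1460>
"""

if __name__ == "__main__":
    flows = classify(SAMPLE.splitlines())
    for f in flows:
        print("%-20s -> %-16s %s" % (f.client, f.server, f.verdict()))
    for host, c in sorted(summarize(flows).items()):
        print("%s: %d answered, %d unanswered" % (host, c["answered"], c["unanswered"]))
```

Feed it a real capture with `python3 script.py < capture.txt` after swapping `SAMPLE.splitlines()` for `sys.stdin`; a host that shows only unanswered SYNs while its neighbour completes handshakes is being filtered before the MTA ever sees the packet, which is exactly the INBOUND chain's effect here.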
 
Old 09-03-2008, 07:38 AM   #18
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 782
Blog Entries: 8

Rep: Reputation: 158
Quote:
Originally Posted by Mr. C. View Post
Of course not - the tcpdump is capturing only dst=25, and not src=25.
The packet patterns and sizes do align with an SMTP conversation.
I think you knew what I meant. His tcpdump only showed destination port 25, not ALL port 25...his captured traffic was too specific. When you look for TCP handshaking (and after negotiation), you need to see communication between source and destination, not just destination.