Mailing List SIMS@mail.stalker.com Message #14227
From: Bill Cole <listbill@scconsult.com>
Subject: Re: Log interpretation for strange SMTP session
Date: Thu, 5 Feb 2004 12:13:57 -0500
To: SIMS Discussions <SIMS@mail.stalker.com>
At 10:28 AM -0600 2/5/04, NetHead  imposed structure on a stream of electrons, yielding:
Wasn't it SIMS Discussions SIMS@mail.stalker.com who once said...

Date: Wed, 4 Feb 2004 10:36:48 -0500
From: Bill Cole <listbill@scconsult.com>
Subject: Re: Log interpretation for strange SMTP session


At 9:04 AM -0600 2/4/04, NetHead imposed structure on a stream of electrons, yielding:
I was doing some review of my logs and stumbled upon a series of entries
that has me baffled.  Here is the log segment:

[snip]
17:06:19 4 SMTP-947(idfanet.idfa.org) Sending 'Password:'
17:06:19 4 SMTP-947(idfanet.idfa.org) Sending 334 UGFzc3dvcmQ6\r\n
17:06:19 5 SMTP-947(idfanet.idfa.org) OT 18 of 18 bytes sent, Flags=0
17:06:19 5 SMTP-947(idfanet.idfa.org) Received 18 bytes
17:06:19 4 SMTP-947(idfanet.idfa.org) Input Line: ZGV5enF3ZHlMZQ==\r
[snip]

Bill, you da man!

But another quick question. Is it reasonable to assume then that the
string, "Sending 334 UGFzc3dvcmQ6\r\n" is the password? If so, that is
frightening. Even if it is an "encryption", that seems fairly crackable
to someone with the proper knowledge and resources (and don't all these
virus writers seem to have too much of both on their hands?).

This is actually a little more complex...

SIMS says "334 UGFzc3dvcmQ6" which is a prompt. If you base64 decode "UGFzc3dvcmQ6" you get the string "Password:". In response it gets the string "ZGV5enF3ZHlMZQ==" which decodes to "deyzqwdyLe".

Note that base64 is not encryption, it is transport armoring. It is used in the 'LOGIN' form of SMTP AUTH to assure that everything said by both sides is protected from any idiosyncrasies of transport or local character limitations.

[...]
It looks like their MTA is set up to try AUTH all the time no matter
what. Very dumb, but it does not look malicious. Note the "Resources
open failed" line which indicates that they were trying to log in
with a username that looks like an LDAP record. De-escaping that
string results in "cn=mail-idfanet.idfa.org, cn=idfanet.idfa.org,
ou=Netscape Servers, o=idfa.org"


De-escaping... that's a pretty neat trick. Do you have a tool that does
that or did you just do it in your head?

I have to look at the ASCII table. Easy to find, since most Unix machines (including any OSX box) have a man page with it: 'man ascii' gets me the table and the only escaped characters there are repetitive so it's pretty easy to do 'by hand.'


{cn\3Dmail-idfanet.idfa.org\2C\20cn\3Didfanet.idfa.org\2C\20ou\3DNetscape\20Servers\2C\20o\3Didfa.org} AUTH failed: password(deyzqwdyLe) is wrong.

Looking at the string you reference, is the "deyzqwdyLe" merely an
encryption of the password? or the actual string transmitted as the
password? Again, very scary!

That's the password. It is sent base64-encoded but that's the only protection.

Given that this mailing list is archived on the web, it becomes more important with every message in this thread that you contact whoever you know at IDFA and explain what they are doing, and that *AT LEAST* they need to change that password.
--
Bill Cole
bill@scconsult.com
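The two decodings Bill walks through in the thread (base64 of the AUTH LOGIN prompt and reply, and the \XX hex escapes in the LDAP DN) as an added Python example for auditing a SIMS log for credentials it exposes; this is not code from the thread or from SIMS, and the sample log is constructed from the lines quoted above.

```python
import base64
import re

# Constructed sample modelled on the SIMS log excerpt quoted in the thread.
# SIMS writes the trailing CR/LF as literal "\r\n" text, hence the raw string.
SAMPLE_LOG = r"""
17:06:19 4 SMTP-947(idfanet.idfa.org) Sending 334 UGFzc3dvcmQ6\r\n
17:06:19 4 SMTP-947(idfanet.idfa.org) Input Line: ZGV5enF3ZHlMZQ==\r
{cn\3Dmail-idfanet.idfa.org\2C\20cn\3Didfanet.idfa.org\2C\20ou\3DNetscape\20Servers\2C\20o\3Didfa.org} AUTH failed: password(deyzqwdyLe) is wrong.
"""

B64_PROMPT = re.compile(r"Sending 334 (\S+)")   # server-side AUTH LOGIN prompt
B64_INPUT = re.compile(r"Input Line: (\S+)")    # client reply to the prompt
LDAP_DN = re.compile(r"\{([^}]*)\}")            # escaped identity in braces
HEX_ESC = re.compile(r"\\([0-9A-Fa-f]{2})")     # \3D, \2C, \20 ...


def b64_text(token: str) -> str:
    """Decode one base64 token from a log line. The literal '\\r\\n' that SIMS
    appends is not part of the token (base64 has no backslash), so cut there."""
    token = token.split("\\")[0]
    return base64.b64decode(token).decode("utf-8", errors="replace")


def unescape_ldap_dn(escaped: str) -> str:
    """Turn \\XX hex escapes back into characters: \\3D '=', \\2C ',', \\20 ' '."""
    return HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), escaped)


def audit_auth_login(log_text: str) -> list:
    """Walk a SIMS log and return (kind, cleartext) pairs, showing exactly what
    an AUTH LOGIN exchange leaves readable in the logs: base64 is armor, not
    encryption, so the password is recoverable by anyone who can read them."""
    findings = []
    for line in log_text.splitlines():
        if m := B64_PROMPT.search(line):
            findings.append(("server prompt", b64_text(m.group(1))))
        elif m := B64_INPUT.search(line):
            findings.append(("client reply", b64_text(m.group(1))))
        elif m := LDAP_DN.search(line):
            findings.append(("auth identity", unescape_ldap_dn(m.group(1))))
    return findings


if __name__ == "__main__":
    for kind, value in audit_auth_login(SAMPLE_LOG):
        print(f"{kind:14} {value}")
```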
