
SANS ISC Port Details:



Port Information

Protocol  Service               Name
udp       smtp                  Simple Mail Transfer
tcp       smtp                  Simple Mail Transfer
tcp       WinPC                 [trojan] WinPC
tcp       MoscowEmailtrojan     [trojan] Moscow Email trojan
tcp       Naebi                 [trojan] Naebi
tcp       NewAptworm            [trojan] NewApt worm
tcp       ProMailtrojan         [trojan] ProMail trojan
tcp       Shtirlitz             [trojan] Shtirlitz
tcp       WinSpy                [trojan] WinSpy
tcp       Stealth               [trojan] Stealth
tcp       Stukach               [trojan] Stukach
tcp       Tapiras               [trojan] Tapiras
tcp       Terminator            [trojan] Terminator
tcp       MBT                   [trojan] MBT (Mail Bombing Trojan)
tcp       MBTMailBombingTrojan  [trojan] MBT (Mail Bombing Trojan)
tcp       MagicHorse            [trojan] Magic Horse
tcp       Antigen               [trojan] Antigen
tcp       Barok                 [trojan] Barok
tcp       BSE                   [trojan] BSE
tcp       EmailPasswordSender   [trojan] Email Password Sender - EPS
tcp       EPSII                 [trojan] EPS II
tcp       Gip                   [trojan] Gip
tcp       Gris                  [trojan] Gris
tcp       Happy99               [trojan] Happy99
tcp       Hpteammail            [trojan] Hpteam mail
tcp       Hybris                [trojan] Hybris
tcp       Iloveyou              [trojan] I love you
tcp       Kuang2                [trojan] Kuang2
tcp       Ajan                  [trojan] Ajan

User Comments

Richard Ashford (www.insysnet.com), 2004-10-28 05:16:21:
There has been a significant rise in SMTP port 25 traffic likely due to the Netsky and Bagle worms (notice the SMTP absolute figures over the past 40 days). Mail servers across the internet appear to be being bombarded. I have also seen an effect on a number of websites - my assumption is that unpatched systems and badly configured firewalls are allowing out internal traffic on port 25 to spread the worm variants - this outgoing traffic is disrupting outgoing web server traffic. I have noticed problems with a number of different ISPs and with some clients with mail servers directly on the internet. I believe that the Virus vendors have significantly under-estimated the distribution of these mass-email worms. Apart from the obvious patches and up-to-date Virus software, my advice is close down outgoing port 25 to all but internal mail servers and ensure all mail is routed through the internal servers - this will prevent any infected systems from spreading the worm further. Let's hope this settles down over the next few days, otherwise it has the potential to bring the internet to its knees.
Marcus H. Sachs (SANS Institute), 2003-10-10 00:34:57:
SANS Top-20 Entry: U6 Sendmail (http://isc.sans.org/top20.html#u6)

Sendmail is the program that sends, receives, and forwards most electronic mail processed on UNIX and Linux systems. Sendmail is the most popular Mail Transfer Agent (MTA) and its widespread use on the Internet has historically made it a prime target of attackers, resulting in numerous exploits over the years. Most of these exploits are successful only against older or unpatched versions of the software. Despite the fact that the known vulnerabilities are well documented and have been repaired in newer releases, there remain so many outdated or misconfigured versions still in use today that Sendmail remains one of the most frequently attacked services. Among the most recent critical vulnerabilities are:
  • CERT Advisory CA-2003-12 Buffer Overflow in Sendmail
  • CERT Advisory CA-2003-07 Remote Buffer Overflow in Sendmail
  • CERT Advisory CA-2003-25 Buffer Overflow in Sendmail

CVE Links

CVE #          Description
CVE-1999-95    The debug command in Sendmail is enabled
CVE-1999-96    Sendmail decode alias can be used to overwrite sensitive files.
CVE-1999-203   In Sendmail
CVE-1999-204   Sendmail 8.6.9 allows remote attackers to execute root commands
CVE-1999-207   Remote attacker can execute commands through Majordomo using the Reply-To field and a "lists" command.
CVE-1999-261   Netmanager Chameleon SMTPd has several buffer overflows that cause a crash.
CVE-1999-404   Buffer overflow in the Mail-Max SMTP server for Windows systems allows remote command execution.
CVE-1999-531   ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities
CVE-1999-1200  Vintra SMTP MailServer allows remote attackers to cause a denial of service via a malformed "EXPN *@" command.
CVE-2000-42    Buffer overflow in CSM mail server allows remote attackers to cause a denial of service or execute commands via a long HELO command.
CVE-2000-343   Buffer overflow in Sniffit 0.3.x with the -L logging option enabled allows remote attackers to execute arbitrary commands via a long MAIL FROM mail header.
CVE-2000-490   Buffer overflow in the NetWin DSMTP 2.7q in the NetWin dmail package allows remote attackers to execute arbitrary commands via a long ETRN request.
CVE-2000-1006  Microsoft Exchange Server 5.5 does not properly handle a MIME header with a blank charset specified
CVE-2001-260   Buffer overflow in Lotus Domino Mail Server 5.0.5 and earlier allows a remote attacker to crash the server or execute arbitrary code via a long "RCPT TO" command.
CVE-2002-1337  Buffer overflow in Sendmail 5.79 to 8.12.7 allows remote attackers to execute arbitrary code via certain formatted address fields
CVE-2003-161   The prescan() function in the address parser (parseaddr.c) in Sendmail before 8.12.9 does not properly handle certain conversions from char and int types
CVE-2003-714   The Internet Mail Service in Exchange Server 5.5 and Exchange 2000 allows remote attackers to cause a denial of service (memory exhaustion) by directly connecting to the SMTP service and sending a certain extended verb request
CVE-2003-719   Buffer overflow in the Private Communications Transport (PCT) protocol implementation in the Microsoft SSL library
CVE-2004-120   The Microsoft Secure Sockets Layer (SSL) library
CVE-2004-333   Buffer overflow in the UUDeview package
CVE-2004-399   Stack-based buffer overflow in Exim 3.35
CVE-2004-400   Stack-based buffer overflow in Exim 4 before 4.33