pop3 smtp

Message

Bornio · Post by **Bornio** » Sun Mar 11, 2007 7:19 pm

I intercepted this from a trojan that infected me, and I am not exactly sure what this means.

250 2.1.0 Flushed 35si6742153wra
250 2.0.0 OK 1173624242 35si6742153wra

Does anybody know what "Flushed" means, and what is the value after it?
Same for the 2 values after "OK" ?

Thank you.

elgato319 · Post by **elgato319** » Tue Mar 13, 2007 11:03 am

Sounds like SMTP or SMTP Auth.

Got some more logs?

Bornio · Post by **Bornio** » Tue Mar 13, 2007 11:11 am

i am curios if its the username and password there, and they are hashed.
and if they are, who hashes them? is it done local or server side, etc.

elgato319 · Post by **elgato319** » Tue Mar 13, 2007 12:23 pm

They could be hashed (base64/md5/sha-1)
or even plain text.

hard to tell

edit: those are not base64 encoded

Bornio · Post by **Bornio** » Tue Mar 13, 2007 12:30 pm

the question is, hashed/encoded Where?
When I auth to the server, at some point, I have to enter the username/password in cleartext.
It just does not sound logical that an already (Pre)Hashed password is being sent for checking.

timeBandit · Post by **timeBandit** » Tue Mar 13, 2007 12:31 pm

Bornio wrote:I intercepted this from a trojan that infected me, and I am not exactly sure what this means.
Code: Select all
250 2.0.0 OK 1173624242 35si6742153wra
Does anybody know what ... the 2 values after "OK" [mean]?

The first value is a UNIX timestamp: 1173624242 -> Sun, 11 Mar 2007 14:44:02 GMT. Can't help you with the second, but your SMTP server's documentation will probably explain the details logged for the 200, 210 and/or 250 error codes.

Bornio · Post by **Bornio** » Tue Mar 13, 2007 12:47 pm

I dont have the documentation for Google SMTP client

Bornio · Post by **Bornio** » Tue Mar 13, 2007 3:07 pm

Let me try the question another way:
Does anybody knows if its possible to auth to google mail with prehashed password. I already send the username, now its up to the server to compare my server stored hash pass to my local, just-sent hash pass.

Any ideas?

elgato319 · Post by **elgato319** » Tue Mar 13, 2007 3:11 pm

Code: Select all

220 smtp.google.com ESMTP
ehlo bla.com
250-smtp.google.com Hello
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 20000000
250-STARTTLS
250-DELIVERBY
250 HELP

looks like google's smtp needs to be authenticated via TLS first.
after this you may send a cleartext password, because the line is encrypted

timeBandit · Post by **timeBandit** » Tue Mar 13, 2007 3:52 pm

Bornio wrote:I dont have the documentation for Google SMTP client

You didn't previously name the specific source.

Bornio · Post by **Bornio** » Tue Mar 13, 2007 5:02 pm

you are right sorry.
That sniffed traffic is from a trojan, which once I got infected it sends some stuff to some gmail account. the sniffer showed that, while i was (clearly) hoping to get the clear text password. I am curios how the authentication is done and how I can find out the true password....

timeBandit · Post by **timeBandit** » Tue Mar 13, 2007 5:22 pm

Bornio wrote:That sniffed traffic is from a trojan, which once I got infected it sends some stuff to some gmail account. the sniffer showed that, while i was (clearly) hoping to get the clear text password.

Based on elgato319's comment that Gmail authentication appears to be in clear text: if you have the Gmail address the bot contacts, did you try to log in using the supposed hash as the actual password? Maybe it only looks like a hash...?

Bornio · Post by **Bornio** » Tue Mar 13, 2007 5:48 pm

thought about it. its not.

pop3 smtp

pop3 smtp

Re: pop3 smtp