An interesting SPAM / probe

From: Dee Holtsclaw 
------------------------------------------------------
Just noticed this forwarded from a customer's email gateway. What I find
most curious is the hack in the last "Received:" line. Notice the "ping"
with a pattern? Never seen this before and not sure what they're trying
to accomplish with it.

===============================================================
From: Dave Brockman
------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Please just paste the plain text headers :)

Regards,

dtb

- --
"Some things in life can never be fully appreciated nor understood unless experienced firsthand. Some things in networking can never be fully understood by someone who neither builds commercial networking equipment nor runs an operational network." RFC 1925
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAlAKKx0ACgkQABP1RO+tr2TBkwCgvimEIcxWxhpwcd+gy5koy1AQ
v6kAn07fD3mO+aS1cCNGDH2UuQLt7B9E
=8pyc
-----END PGP SIGNATURE-----

===============================================================
From: Jim Wells
------------------------------------------------------
here ya go:

Return-Path:
Received: from mail.tonyspestcontrolinc.com (tonyspest.com [173.165.211.25] (may be forged))
    by mail.pcds.biz (8.13.8/8.13.8) with ESMTP id q6KNskqs032128
    (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
    for ; Fri, 20 Jul 2012 19:54:47 -0400
Received: from scan9 (63-235-131-245.dia.static.qwest.net [63.235.131.245])
    by mail.tonyspestcontrolinc.com (8.14.4/8.14.4) with SMTP id q6KNsVvs015419
    for ; Fri, 20 Jul 2012 19:54:31 -0400
Date: Fri, 20 Jul 2012 19:54:31 -0400
Message-Id:
X-Spam-Flag: YES
X-Spam-Status: Yes, score=8.0 required=5.0 tests=EMPTY

===============================================================
From: Dave Brockman
------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

thanks, dunno wtf was going on last night, TB wouldn't display the HTML, and the .EML attachment was 0 bytes. All shows today... /shrug.

- --
"Some things in life can never be fully appreciated nor understood unless experienced firsthand. Some things in networking can never be fully understood by someone who neither builds commercial networking equipment nor runs an operational network." RFC 1925
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAlAKwvoACgkQABP1RO+tr2SSBQCgp0fl+AyXoRACGx8e5VOHe2Fl
fk4An2D0HpJq5GRP29wBbIKVPuIqpTOp
=3tea
-----END PGP SIGNATURE-----

===============================================================
From: Dee Holtsclaw
------------------------------------------------------
That's coming from 63.235.131.245 which whois reports as "Security Metrics" in Orem, UT.

This morning's logwatch reports successful exploit of the Apache manual -- they managed to retrieve the /etc/passwd and /etc/group files. I just removed said manual package. They did NOT get the /etc/shadow file, though one attempt to do so was logged at 6PM last night. The browser ID string reported on this was "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:002344)".

Looks to me like a PCI security audit -- which is stupid since they do NOT store ANY credit card numbers in their systems. All credit card information is kept on 3x5 cards in a locked drawer and handled manually (one of the few clients I know follow my advice on this).

Of course SSH is set to only permit keys for access (and root is explicitly disallowed), but they're also running Dovecot for at-home email retrieval.
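The two things the thread does by hand (walking the Received: chain back to the originating relay, then checking the web server log for that same address and the Nikto user-agent) can be scripted. This is an added example, not code from anyone in the thread; the headers are the ones Jim pasted, and the access-log lines and request paths are constructed placeholders, since the actual requests are not shown.

```python
import re

# Constructed sample: the Received: chain from the thread's forwarded message, folded
# onto continuation lines as a mail server writes it (elided values left out).
HEADERS = """\
Received: from mail.tonyspestcontrolinc.com (tonyspest.com [173.165.211.25] (may be forged))
    by mail.pcds.biz (8.13.8/8.13.8) with ESMTP id q6KNskqs032128; Fri, 20 Jul 2012 19:54:47 -0400
Received: from scan9 (63-235-131-245.dia.static.qwest.net [63.235.131.245])
    by mail.tonyspestcontrolinc.com (8.14.4/8.14.4) with SMTP id q6KNsVvs015419; Fri, 20 Jul 2012 19:54:31 -0400
Date: Fri, 20 Jul 2012 19:54:31 -0400
"""
# Constructed Apache combined-log lines modelled on Dee's logwatch report; the real
# request paths are not in the thread, so the paths here are placeholders.
ACCESS_LOG = """\
63.235.131.245 - - [20/Jul/2012:18:01:12 -0400] "GET /manual/ HTTP/1.1" 200 1844 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:002344)"
63.235.131.245 - - [20/Jul/2012:18:01:13 -0400] "GET /manual/PLACEHOLDER/etc/shadow HTTP/1.1" 403 212 "-" "Mozilla/4.75 (Nikto/2.1.4) (Evasions:None) (Test:002345)"
192.0.2.10 - - [20/Jul/2012:18:05:00 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""
HOP_RE = re.compile(r"^Received: from (\S+).*?\[([\d.]+)\].*? by (\S+)")
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) \S+ "[^"]*" "([^"]*)"$')
SENSITIVE = re.compile(r"etc/(passwd|shadow|group)\b")

def parse_received(headers):
    """Return Received: hops newest-first: HELO name, IP, receiving host, forged flag."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", headers)  # undo RFC 5322 line folding
    hops = []
    for line in unfolded.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append({"helo": m[1], "ip": m[2], "by": m[3],
                         "forged": "(may be forged)" in line})
    return hops

def origin_ip(hops):
    # The last Received: header is the earliest hop. Only the hop stamped by your
    # own relay is trustworthy; earlier hops were written by someone else's server.
    return hops[-1]["ip"] if hops else None

def suspicious_requests(access_log, watch_ip=None):
    # Flag a log line for a scanner user-agent, a sensitive file in the request,
    # or a source address that also appeared in the probe mail's Received: chain.
    hits = []
    for line in access_log.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, req, status, ua = m.groups()
        reasons = [r for r, cond in (("scanner user-agent", "Nikto" in ua),
                                     ("sensitive file in request", bool(SENSITIVE.search(req))),
                                     ("ip seen in probe mail", ip == watch_ip)) if cond]
        if reasons:
            hits.append((ip, req, int(status), reasons))
    return hits
```

The forged flag on the outer hop is Sendmail's own note that the reverse DNS did not match the HELO name, which is why the inner hop, stamped by a third party's server, should be read as a lead rather than proof.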