Port Information
| Protocol | Service | Name |
|---|---|---|
| udp | smtp | Simple Mail Transfer |
| tcp | smtp | Simple Mail Transfer |
| tcp | WinPC | [trojan] WinPC |
| tcp | MoscowEmailtrojan | [trojan] Moscow Email trojan |
| tcp | Naebi | [trojan] Naebi |
| tcp | NewAptworm | [trojan] NewApt worm |
| tcp | ProMailtrojan | [trojan] ProMail trojan |
| tcp | Shtirlitz | [trojan] Shtirlitz |
| tcp | WinSpy | [trojan] WinSpy |
| tcp | Stealth | [trojan] Stealth |
| tcp | Stukach | [trojan] Stukach |
| tcp | Tapiras | [trojan] Tapiras |
| tcp | Terminator | [trojan] Terminator |
| tcp | MBT | [trojan] MBT (Mail Bombing Trojan) |
| tcp | MBTMailBombingTrojan | [trojan] MBT (Mail Bombing Trojan) |
| tcp | MagicHorse | [trojan] Magic Horse |
| tcp | Antigen | [trojan] Antigen |
| tcp | Barok | [trojan] Barok |
| tcp | BSE | [trojan] BSE |
| tcp | EmailPasswordSender | [trojan] Email Password Sender - EPS |
| tcp | EPSII | [trojan] EPS II |
| tcp | Gip | [trojan] Gip |
| tcp | Gris | [trojan] Gris |
| tcp | Happy99 | [trojan] Happy99 |
| tcp | Hpteammail | [trojan] Hpteam mail |
| tcp | Hybris | [trojan] Hybris |
| tcp | Iloveyou | [trojan] I love you |
| tcp | Kuang2 | [trojan] Kuang2 |
| tcp | Ajan | [trojan] Ajan |
User Comment
Richard Ashford - www.insysnet.com, 2004-10-28 05:16:21

There has been a significant rise in SMTP port 25 traffic, likely due to the Netsky and Bagle worms (notice the SMTP absolute figures over the past 40 days). Mail servers across the internet appear to be being bombarded. I have also seen an effect on a number of websites - my assumption is that unpatched systems and badly configured firewalls are allowing out internal traffic on port 25 to spread the worm variants - this outgoing traffic is disrupting outgoing web server traffic. I have noticed problems with a number of different ISPs and with some clients with mail servers directly on the internet. I believe that the Virus vendors have significantly under-estimated the distribution of these mass-email worms. Apart from the obvious patches and up-to-date Virus software, my advice is to close down outgoing port 25 to all but internal mail servers and ensure all mail is routed through the internal servers - this will prevent any infected systems from spreading the worm further. Let's hope this settles down over the next few days, otherwise it has the potential to bring the internet to its knees.

Marcus H. Sachs, SANS Institute, 2003-10-10 00:34:57

SANS Top-20 Entry: U6 Sendmail http://isc.sans.org/top20.html#u6

Sendmail is the program that sends, receives, and forwards most electronic mail processed on UNIX and Linux systems. Sendmail is the most popular Mail Transfer Agent (MTA) and its widespread use on the Internet has historically made it a prime target of attackers, resulting in numerous exploits over the years. Most of these exploits are successful only against older or unpatched versions of the software. Despite the fact that the known vulnerabilities are well documented and have been repaired in newer releases, there remain so many outdated or misconfigured versions still in use today that Sendmail remains one of the most frequently attacked services.

Among the most recent critical vulnerabilities are:

- CERT Advisory CA-2003-12 Buffer Overflow in Sendmail
- CERT Advisory CA-2003-07 Remote Buffer Overflow in Sendmail
- CERT Advisory CA-2003-25 Buffer Overflow in Sendmail
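The egress control Richard Ashford recommends above (allow outbound TCP/25 only from the designated internal mail relays) is easy to state but needs two things in practice: a check over firewall or flow logs that finds internal hosts talking SMTP to the outside when they should not, and the rules that stop them. The block below is an added example, not code from the ISC page or from either commenter; the log format, the 10.0.0.0/8 internal range and the relay addresses are constructed assumptions.

```python
"""Spot internal hosts sending outbound SMTP (TCP/25) that are not the
approved relays, and render the matching egress rules.

Added example; the log line format "src_ip dst_ip proto dport", the
internal network and the relay addresses are constructed for this
example and are not taken from the ISC page."""
import ipaddress
from collections import Counter

# Constructed: the only hosts permitted to speak SMTP to the Internet.
APPROVED_RELAYS = {"10.0.0.25", "10.0.0.26"}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample of flow records as a firewall might log them.
SAMPLE_LOG = """\
10.0.0.25 198.51.100.10 tcp 25
10.0.0.26 203.0.113.5 tcp 25
10.0.3.17 198.51.100.10 tcp 25
10.0.3.17 203.0.113.77 tcp 25
10.0.3.17 192.0.2.200 tcp 25
10.0.4.8 192.0.2.9 tcp 443
10.0.5.9 192.0.2.9 tcp 25
10.0.0.25 10.0.9.9 tcp 25
"""


def parse_flow(line):
    """Split one 'src dst proto dport' record into typed fields."""
    src, dst, proto, dport = line.split()
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, int(dport)


def is_unauthorised_smtp(src, dst, proto, dport):
    """True when an internal host that is not a relay sends TCP/25 outside.
    Internal-to-internal SMTP (hosts submitting to the relay) is allowed."""
    return (proto == "tcp" and dport == 25
            and src in INTERNAL_NET and dst not in INTERNAL_NET
            and str(src) not in APPROVED_RELAYS)


def find_offenders(log_text, threshold=1):
    """Count unauthorised outbound SMTP flows per source host and return
    hosts at or above `threshold`, most active first. A single worm-infected
    host typically shows up with many distinct external destinations."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport = parse_flow(line)
        if is_unauthorised_smtp(src, dst, proto, dport):
            counts[str(src)] += 1
    return [(host, n) for host, n in counts.most_common() if n >= threshold]


def iptables_egress_rules(relays, interface="eth0"):
    """Render FORWARD-chain rules for a gateway: accept TCP/25 out only from
    the relays, log everything else so infected hosts are visible, then drop."""
    rules = [f"iptables -A FORWARD -o {interface} -p tcp --dport 25 -s {r} -j ACCEPT"
             for r in sorted(relays)]
    rules.append(f"iptables -A FORWARD -o {interface} -p tcp --dport 25 "
                 f"-j LOG --log-prefix 'SMTP-EGRESS-BLOCK '")
    rules.append(f"iptables -A FORWARD -o {interface} -p tcp --dport 25 -j DROP")
    return rules


if __name__ == "__main__":
    for host, n in find_offenders(SAMPLE_LOG):
        print(f"{host}: {n} unauthorised outbound SMTP flow(s)")
    print("\n".join(iptables_egress_rules(APPROVED_RELAYS)))
```

On the constructed log the check reports 10.0.3.17 (three external SMTP destinations) and 10.0.5.9, while the two relays and the host submitting mail to the relay internally are left alone. The LOG rule before the DROP is what turns the firewall into a detection source: once egress is closed, the blocked attempts identify the machines that still need cleaning.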
CVE Links
| CVE # | Description |
|---|---|
| CVE-1999-0095 | The debug command in Sendmail is enabled |
| CVE-1999-0096 | Sendmail decode alias can be used to overwrite sensitive files. |
| CVE-1999-0203 | In Sendmail |
| CVE-1999-0204 | Sendmail 8.6.9 allows remote attackers to execute root commands |
| CVE-1999-0207 | Remote attacker can execute commands through Majordomo using the Reply-To field and a "lists" command. |
| CVE-1999-0261 | Netmanager Chameleon SMTPd has several buffer overflows that cause a crash. |
| CVE-1999-0404 | Buffer overflow in the Mail-Max SMTP server for Windows systems allows remote command execution. |
| CVE-1999-0531 | ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this candidate is solely about a configuration that does not directly introduce security vulnerabilities |
| CVE-1999-1200 | Vintra SMTP MailServer allows remote attackers to cause a denial of service via a malformed "EXPN *@" command. |
| CVE-2000-0042 | Buffer overflow in CSM mail server allows remote attackers to cause a denial of service or execute commands via a long HELO command. |
| CVE-2000-0343 | Buffer overflow in Sniffit 0.3.x with the -L logging option enabled allows remote attackers to execute arbitrary commands via a long MAIL FROM mail header. |
| CVE-2000-0490 | Buffer overflow in the NetWin DSMTP 2.7q in the NetWin dmail package allows remote attackers to execute arbitrary commands via a long ETRN request. |
| CVE-2000-1006 | Microsoft Exchange Server 5.5 does not properly handle a MIME header with a blank charset specified |
| CVE-2001-0260 | Buffer overflow in Lotus Domino Mail Server 5.0.5 and earlier allows a remote attacker to crash the server or execute arbitrary code via a long "RCPT TO" command. |
| CVE-2002-1337 | Buffer overflow in Sendmail 5.79 to 8.12.7 allows remote attackers to execute arbitrary code via certain formatted address fields |
| CVE-2003-0161 | The prescan() function in the address parser (parseaddr.c) in Sendmail before 8.12.9 does not properly handle certain conversions from char and int types |
| CVE-2003-0714 | The Internet Mail Service in Exchange Server 5.5 and Exchange 2000 allows remote attackers to cause a denial of service (memory exhaustion) by directly connecting to the SMTP service and sending a certain extended verb request |
| CVE-2003-0719 | Buffer overflow in the Private Communications Transport (PCT) protocol implementation in the Microsoft SSL library |
| CVE-2004-0120 | The Microsoft Secure Sockets Layer (SSL) library |
| CVE-2004-0333 | Buffer overflow in the UUDeview package |
| CVE-2004-0399 | Stack-based buffer overflow in Exim 3.35 |
| CVE-2004-0400 | Stack-based buffer overflow in Exim 4 before 4.33 |

