Untangle internet gateway?  Maybe a misunderstanding?  I'd be embarrassed 
if someone turned my software firewall into a botnet control server or 
something.  Then again I don't have the https and ssh consoles open to the 
internet.
http://www.untangle.com/Product-Overview
curl -k "https://78.189.194.126/auth/login?url=/setup/welcome.do&realm=Administrator"
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- MagicComment: MVTimeout -->
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Untangle Administrator Login</title>
<script type="text/javascript">if (top.location!=location) 
top.location.href=document.location.href;</script>
<style type="text/css">
/* <![CDATA[ */
@import url(/images/base.css);
/* ]]> */
</style>
</head>
<body>
<div id="main" style="width: 500px; margin: 50px auto 0 auto;">
 <div class="main-top-left"></div><div class="main-top-right"></div><div 
class="main-mid-left"><div class="main-mid-right"><div class="main-mid">
 <!-- Content Start -->
      <center>
        <img alt="" src="/images/BrandingLogo.gif" /><br />
        <b></b><br/>
        <font size="4"><b>Untangle Administrator Login</b></font>
        <div style="margin: 0 auto; width: 250px; padding: 20px 0 5px;">
        <form method="post" action="/auth/login?url=/setup/welcome.do">
          <table><tbody>
            <tr><td 
style="text-align:right">Server:</td><td><em> 78.189.194.126</em></td></tr>
            <tr><td style="text-align:right">Username:</td><td><input 
id="username" type="text" name="username" value="admin"/></td></tr>
            <tr><td style="text-align:right">Password:</td><td><input 
id="password" type="password" name="password" /></td></tr>
          </tbody></table>
          <br />
          <div style="text-align: center;"><button value="login" 
type="submit">Login</button></div>
        </form>
        <script 
type="text/javascript">document.getElementById('password').focus();</script>
        </div>
      </center>
 <!-- Content End -->
 </div></div></div><div class="main-bot-left"></div><div 
class="main-bot-right"></div>
 <!-- Box End -->
</div>
</body>
You wouldn't happen to have a Frank Rasmussen working there would you?
telnet 93.160.202.224 25
Trying 93.160.202.224...
Connected to 93.160.202.224 (93.160.202.224).
Escape character is '^]'.
220 mail.frankrasmussen.dk ESMTP Merak 8.0.3; Tue, 27 Apr 2010 01:44:59 +0200
z
500 5.5.1 Command unrecognized: "z"
Re: OT : Please Help Security Guys ! (Backdoor issue)
george greaves
to: Edouard Zorrilla
04/26/10 05:14 PM
Sent by: <nobody_at_groupstudy.com>
Cc: security, ccielab
Please respond to george greaves
Sysinternals.com
process explorer
and
tcpview.exe
On Mon, Apr 26, 2010 at 12:53 PM, Edouard Zorrilla <ezorrilla_at_tsf.com.pe> wrote:
> Hi,
>
> Here we are facing an issue with a backdoor that uses https to send
> information from machines to the internet (Turkey and Denmark -
> 78.189.194.126, 93.160.202.224). The issue is that we have cleaned these
> machines with all the antivirus we know, but the machines keep sending https
> traffic and we do not know how to get to the application (backdoor) that is
> sending our information to Turkey and Denmark. These machines are already
> isolated.
>
> Do you know a Windows tool so that I can get which application is using a
> specific destination protocol? I mean, WinMail.exe sends pop3 and smtp to
> the internet; now I need to know which application is sending https traffic
> to the Internet from these machines.
>
> Thanks a lot,
>
> Warm regards
>
-- 
George Greaves
Network Engineer
george_at_ciscodesign.org
AIM:ggtop3
Blogs and organic groups at http://www.ccie.net

Received on Mon Apr 26 2010 - 19:51:17 ART
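
The question in the thread (which process on the host is sending HTTPS traffic to the two addresses) can also be answered from an elevated PowerShell prompt. The script below is an added example, not part of any message in this thread; it assumes Windows 8 / Server 2012 or later, where Get-NetTCPConnection exists, and the polling window and interval are assumed values.

```powershell
# Added example: poll the TCP table and report which process owns connections
# to the destinations named in the original post. Short-lived beacons are easy
# to miss with a single snapshot, so the table is sampled repeatedly.
$Destinations = @('78.189.194.126', '93.160.202.224')  # addresses from the original post
$Port         = 443     # HTTPS, per the original post
$Seconds      = 300     # assumed polling window
$IntervalMs   = 500     # assumed sampling interval
$seen         = @{}     # one record per (PID, remote address) pair

$deadline = (Get-Date).AddSeconds($Seconds)
while ((Get-Date) -lt $deadline) {
    $conns = Get-NetTCPConnection -RemotePort $Port -ErrorAction SilentlyContinue |
             Where-Object { $Destinations -contains $_.RemoteAddress }

    foreach ($c in $conns) {
        $key = '{0}|{1}' -f $c.OwningProcess, $c.RemoteAddress
        if ($seen.ContainsKey($key)) { continue }

        # Win32_Process gives the image path, command line and parent PID,
        # which matter when the owner is a host process such as svchost.exe.
        $p = Get-CimInstance Win32_Process -Filter "ProcessId = $($c.OwningProcess)" `
                 -ErrorAction SilentlyContinue

        # An unsigned or invalidly signed image is worth a closer look.
        $sig = 'n/a'
        if ($p -and $p.ExecutablePath) {
            $sig = (Get-AuthenticodeSignature -FilePath $p.ExecutablePath).Status
        }

        $seen[$key] = [pscustomobject]@{
            FirstSeen   = Get-Date
            Remote      = '{0}:{1}' -f $c.RemoteAddress, $c.RemotePort
            State       = $c.State
            PID         = $c.OwningProcess
            ParentPID   = $p.ParentProcessId
            Image       = $p.ExecutablePath
            CommandLine = $p.CommandLine
            Signature   = $sig
        }
        $seen[$key] | Format-List   # print each new finding as it appears
    }
    Start-Sleep -Milliseconds $IntervalMs
}

# Summary of everything observed during the window.
$seen.Values | Sort-Object FirstSeen | Format-Table FirstSeen, Remote, PID, ParentPID, Image, Signature -AutoSize
```

If the owning image is a browser or a shared host process, the ParentPID and CommandLine columns are the starting point for finding the loaded module or launcher, which Process Explorer can then inspect.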
This archive was generated by hypermail 2.2.0 : Sat May 01 2010 - 09:49:57 ART