Strange response when telneting to port 443

SSL problem

         

sablednah

2:28 pm on Sep 2, 2004 (gmt 0)

10+ Year Member



Been trying to set up SSL on our server, all seems set up correctly (no hostname/dedicated IP - port 443 open, certificate installed and selected).

However, browsing to the page gives a 'Server not Found or DNS error'. All works fine when using http://

Whilst running various tests I decided on a whim to try telnetting to the IP address and port 443. I was intending to test connectivity to see if a route could be found to that port on our server.

I was most interested to find this reply...


220 unglSubig? ;)

Typing any text results in this message

530 Not logged in.

Anyone seen anything like this before? It looks like something is set up on the server and using the SSL port, thereby preventing SSL from working correctly...

Any clues?

Receptional Andy

2:31 pm on Sep 2, 2004 (gmt 0)



It's a bit of a wild guess, but those response codes might be from an SMTP server.

MattyMoose

4:20 pm on Sep 2, 2004 (gmt 0)

10+ Year Member



That's right, they are SMTP response codes. 220 is the greeting message, supposed to say something like "220 smtp.example.com ESMTP server ready".

sablednah, is this your own server that it's running on? If it's a *NIX server, you can see which processes have port 443 open.
On *BSDs:

sockstat | grep 443

Linux:
lsof | grep 443

There is a way to do it in Windows, but I believe you need a separate app to do this.

In the meantime, though, it looks pretty weird that an SMTP server is listening on 443.

Lord Majestic

4:25 pm on Sep 2, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



In the meantime, though, it looks pretty weird that an SMTP server is listening on 443.

It's SMTP/POP3 over SSL - some people like running their mail in a secure fashion! ... well, at least getting it, because original mail is likely to have been sent in plain text over unsecured lines.

sablednah

8:24 pm on Sep 2, 2004 (gmt 0)

10+ Year Member



Thanks for your help, it appears that it is an FTP server. Someone appears to have hacked our FTP server (Serv-U) and set up a new domain linked to port 443...
Guess I'm spending the rest of the evening cleaning up the damage and finding how they did it, to prevent it happening again.

MattyMoose

9:25 pm on Sep 2, 2004 (gmt 0)

10+ Year Member



POP/S is typically on port 995 and IMAP/S on port 993. Nothing to stop you changing that to 443, of course. :)

Damn, that sucks. Post back, let us know how they did it, it may help someone else in the future that has a similar setup!

Also, I bet dollars to doughnuts they're probably German... A quick google for that 220 message only resulted in some German news posts.

-MM

sablednah

2:13 pm on Sep 13, 2004 (gmt 0)

10+ Year Member



It looks like someone managed to sneak a trojan past our aging anti-virus software, hence my recent post about suitable replacements.

Troj/Servu-AG was the culprit, and it was almost certainly from a German source; they were using a hidden folder to store a German porn film!

Thanks for the help, and hope no-one else does need this info ;o)
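
Added example, not part of the original thread: a small Python check that reproduces the telnet test against your own server and classifies what answers on a port that should be speaking TLS, using the greeting and reply quoted in the first post as sample input. The function names and the junk line `hello` are assumptions of this sketch; a real TLS listener stays silent until the client speaks, while FTP and SMTP both greet with 220, so the reply to the junk line is what separates them.

```python
import re
import socket

def code_of(line):
    """Return the 3-digit reply code that starts a line, or None."""
    m = re.match(r"(\d{3})[ -]", line.strip())
    return int(m.group(1)) if m else None

def classify(greeting, reply=""):
    """Guess which plaintext protocol produced a greeting/reply pair."""
    if not greeting.strip():
        # A TLS listener sends nothing until it receives a ClientHello.
        return "silent: consistent with TLS"
    if code_of(greeting) != 220:
        return "plaintext: unrecognised"
    text = (greeting + " " + reply).lower()
    if "smtp" in text:
        return "smtp"
    # RFC 959 wording for FTP commands issued before USER/PASS.
    if code_of(reply) == 530 and "not logged in" in text:
        return "ftp"
    # 220 is the "ready" greeting in both FTP and SMTP.
    return "ambiguous: ftp or smtp"

def probe(host, port=443, timeout=5.0):
    """Read the unsolicited greeting, send one junk line, read the reply."""
    def recv_line(sock):
        try:
            return sock.recv(512).decode("latin-1").splitlines()[0]
        except (OSError, IndexError):  # timeout, reset, or empty read
            return ""
    with socket.create_connection((host, port), timeout=timeout) as s:
        greeting = recv_line(s)
        reply = ""
        if greeting:
            s.sendall(b"hello\r\n")  # assumed junk line, like typing in telnet
            reply = recv_line(s)
    return classify(greeting, reply)

# The exchange quoted in the first post of this thread.
THREAD_GREETING = "220 unglSubig? ;)"
THREAD_REPLY = "530 Not logged in."

if __name__ == "__main__":
    print(classify(THREAD_GREETING, THREAD_REPLY))  # ftp
```

Any result other than the silent case on port 443 means something other than the web server's TLS listener owns the port, which is the cue to check the owning process with the `sockstat` or `lsof` commands above.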