Curious, I checked one and it gave me a VIA header of
1.1 Fran-PC (McAfee Relay Server 5.2.3)
Then I took a peek at the database: nearly 1900 of these things since December 1st, 2011. The name of the PC above is already a dead giveaway that this is some sort of consumer product ("[name-of-owner]-PC" is the default Windows machine name created during setup), and a quick check of the reverse DNS names of these boxes confirms they are all on residential IP addresses.
So what is "McAfee Relay Server"? I'm guessing it's one of those snarky products they stick you with whenever you buy a new PC. This makes sense, since December is a big month for new PCs.
But why install it as an open proxy?
If it's a "security product" I hope it's a honeypot.
UPDATE: BIG LIST OF MCAFEE VIA HEADERS
This is what I have been able to salvage from the proxy run logs that I still have. All of December is basically lost, unfortunately.
1.1 62G3CP1 (McAfee Relay Server 5.2.1)
1.1 acer-86e9bf2e61 (McAfee Relay Server 5.2.3)
1.1 Alan (McAfee Relay Server 5.2.3)
1.1 BERCOBACKUP (McAfee Relay Server 5.2.1)
1.1 bill-2eb924946b (McAfee Relay Server 5.2.3)
1.1 billkayredsa-PC (McAfee Relay Server 5.2.3)
1.1 blackkbarbie-PC (McAfee Relay Server 5.2.1)
1.1 bobot (McAfee Relay Server 5.2.3)
1.1 Breaker (McAfee Relay Server 5.2.3)
1.1 Brian-PC (McAfee Relay Server 5.2.0)
1.1 Buzz-PC (McAfee Relay Server 5.2.3)
1.1 CJ-PC (McAfee Relay Server 5.2.3)
1.1 ConwayVault (McAfee Relay Server 5.2.0)
1.1 Custom-PC (McAfee Relay Server 5.2.3)
1.1 D3Y34L91 (McAfee Relay Server 5.2.3)
1.1 D3ZQQW81 (McAfee Relay Server 5.2.3)
1.1 Daddy-PC (McAfee Relay Server 5.2.3)
1.1 Dan-PC (McAfee Relay Server 5.2.3)
1.1 Darla-PC (McAfee Relay Server 5.2.3)
1.1 david-PC (McAfee Relay Server 5.2.0)
1.1 DDS7CS81 (McAfee Relay Server 5.2.3)
1.1 Debby-PC (McAfee Relay Server 5.2.3)
1.1 dell (McAfee Relay Server 5.2.3)
1.1 denise-4f98da88 (McAfee Relay Server 5.2.3)
1.1 DG690771 (McAfee Relay Server 5.2.3)
1.1 DHWATSON (McAfee Relay Server 5.2.3)
1.1 dianadozard-PC (McAfee Relay Server 5.2.1)
1.1 DillonComput-PC (McAfee Relay Server 5.2.3)
1.1 donald-gpmxmpyb (McAfee Relay Server 5.2.3)
1.1 DSVR002557 (McAfee Relay Server 5.2.1)
1.1 DSVR006181 (McAfee Relay Server 5.2.3)
1.1 DSVR008084 (McAfee Relay Server 5.2.3)
1.1 eisberg (McAfee Relay Server 5.2.3)
1.1 eleni-PC (McAfee Relay Server 5.2.3)
1.1 emachine-98e05c (McAfee Relay Server 5.2.3)
1.1 Emachine (McAfee Relay Server 5.2.3)
1.1 FINISHIN-P6868U (McAfee Relay Server 5.2.3)
1.1 Fran-PC (McAfee Relay Server 5.2.3)
1.1 FTP-Server (McAfee Relay Server 5.2.3)
1.1 funk-sbs-2003 (McAfee Relay Server 5.2.3)
1.1 gary-393c91b143 (McAfee Relay Server 5.2.3)
1.1 general (McAfee Relay Server 5.2.3)
1.1 h1951093 (McAfee Relay Server 5.2.3)
1.1 hill-PC (McAfee Relay Server 5.2.3)
1.1 home (McAfee Relay Server 5.2.3)
1.1 Home-PC (McAfee Relay Server 5.2.3)
1.1 ILEXSA001 (McAfee Relay Server 5.2.3)
1.1 IQ-K12-Desktop (McAfee Relay Server 5.2.2)
1.1 IQ-K12-Desktop (McAfee Relay Server 5.2.3)
1.1 IQ-K12-Laptop (McAfee Relay Server 5.2.3)
1.1 Irvines-PC (McAfee Relay Server 5.2.3)
1.1 JackRogers-PC (McAfee Relay Server 5.2.3)
1.1 Jennifer-PC (McAfee Relay Server 5.2.3)
1.1 jennings-PC (McAfee Relay Server 5.2.3)
1.1 JERRY-PC (McAfee Relay Server 5.2.3)
1.1 Joanne (McAfee Relay Server 5.2.3)
1.1 Jody-PC (McAfee Relay Server 5.2.3)
1.1 JohnandCathy-PC (McAfee Relay Server 5.2.1)
1.1 john-HP (McAfee Relay Server 5.2.3)
1.1 JR-PC (McAfee Relay Server 5.2.3)
1.1 JTSICOE (McAfee Relay Server 5.2.3)
1.1 jupiter (McAfee Relay Server 5.2.3)
1.1 Kaminski-PC (McAfee Relay Server 5.2.1)
1.1 kedwards-PC (McAfee Relay Server 5.2.3)
1.1 keebaby5-PC (McAfee Relay Server 5.2.3)
1.1 Kit-PC (McAfee Relay Server 5.2.3)
1.1 LANG (McAfee Relay Server 5.2.3)
1.1 LarCar1969-PC (McAfee Relay Server 5.2.3)
1.1 manuel (McAfee Relay Server 5.2.3)
1.1 Mary-PC (McAfee Relay Server 5.2.3)
1.1 mdshor-PC (McAfee Relay Server 5.2.1)
1.1 millers-PC (McAfee Relay Server 5.2.1)
1.1 nanakatewest-PC (McAfee Relay Server 5.2.3)
1.1 nault-pc (McAfee Relay Server 5.2.3)
1.1 nichowa1-PC (McAfee Relay Server 5.2.3)
1.1 office (McAfee Relay Server 5.2.3)
1.1 owner-8477f6334 (McAfee Relay Server 5.2.3)
1.1 owner (McAfee Relay Server 5.2.3)
1.1 owner-PC (McAfee Relay Server 5.2.3)
1.1 Owner-PC (McAfee Relay Server 5.2.3)
1.1 pathenri-PC (McAfee Relay Server 5.2.3)
1.1 PCGARANT04 (McAfee Relay Server 5.2.2)
1.1 PRINCIPAL (McAfee Relay Server 5.2.3)
1.1 PServer (McAfee Relay Server 5.2.3)
1.1 PTBrunnock-PC (McAfee Relay Server 5.2.3)
1.1 Ratuld (McAfee Relay Server 5.2.3)
1.1 ricky-PC (McAfee Relay Server 5.2.3)
1.1 sarahcasey- (McAfee Relay Server 5.2.3)
1.1 server01 (McAfee Relay Server 5.2.3)
1.1 server_02 (McAfee Relay Server 5.2.3)
1.1 server152 (McAfee Relay Server 5.2.3)
1.1 Sharon-PC (McAfee Relay Server 5.2.3)
1.1 Shop-HP (McAfee Relay Server 5.2.3)
1.1 shulapc (McAfee Relay Server 5.2.3)
1.1 snowwhimpy-PC (McAfee Relay Server 5.2.3)
1.1 SRV-CAPYLR (McAfee Relay Server 5.2.3)
1.1 stanknight2-PC (McAfee Relay Server 5.2.3)
1.1 Sue (McAfee Relay Server 5.2.3)
1.1 Terry-PC (McAfee Relay Server 5.2.3)
1.1 Tommy-PC (McAfee Relay Server 5.2.3)
1.1 UBSPAULISTANO (McAfee Relay Server 5.2.1)
1.1 u-Net-NAS1 (McAfee Relay Server 5.2.1)
1.1 user-9y1zyxu5xh (McAfee Relay Server 5.2.3)
1.1 user (McAfee Relay Server 5.2.3)
1.1 User-PC (McAfee Relay Server 5.2.3)
1.1 virtualserver (McAfee Relay Server 5.2.3)
1.1 your-4dacd0ea75 (McAfee Relay Server 5.2.1)
There are some obvious corporate-type names, but the -PC names are definitely consumer grade. Again, the majority of all IPs reverse map back to residential address ranges.
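For anyone wanting to do the same tally over their own proxy-check logs, here is an added example (my own code, not something from the post or from McAfee) that parses Via header values the way RFC 7230 defines them, pulls out every hop whose comment reads "McAfee Relay Server <version>", and summarises them by relay version, by the "<owner>-PC" default-name tell described above, and by whether the proxy was listening on port 6515. It goes a little beyond the single header quoted above: it handles multi-hop Via chains and proxies that are not McAfee relays at all. The log line format is an assumption constructed for the example; the hostnames are taken from the lists in this post, and the IP addresses are RFC 5737 documentation ranges.

```python
"""Triage Via headers from proxy-check logs for McAfee Relay Server hops.

Added example, not code from the original post. SAMPLE_LOG and its
"timestamp ip:port Via: value" layout are constructed for this example.
"""
import re
from collections import Counter

# RFC 7230 5.7.1: Via = 1#( received-protocol RWS received-by [ RWS comment ] )
# received-protocol may carry a "HTTP/" prefix, received-by is host[:port] or a
# pseudonym, and the optional comment is parenthesised and may contain spaces.
VIA_ENTRY = re.compile(
    r"(?:HTTP/)?(?P<protocol>\d\.\d)\s+"
    r"(?P<received_by>[^\s(,]+)"
    r"(?:\s+\((?P<comment>[^)]*)\))?"
)

# Comment form seen in the post: "McAfee Relay Server 5.2.3"
RELAY_COMMENT = re.compile(r"^McAfee Relay Server\s+(?P<relay_version>\d+(?:\.\d+)*)$")

# Windows setup names the machine "<owner>-PC" by default; the post treats
# that suffix as the consumer-grade tell.
DEFAULT_PC_NAME = re.compile(r"-pc$", re.IGNORECASE)

# Constructed sample log: one proxy check per line. The squid hops and the
# comment-less last entry show that non-McAfee proxies are left alone.
SAMPLE_LOG = """\
2012-01-15 06:30:12 203.0.113.10:6515 Via: 1.1 Fran-PC (McAfee Relay Server 5.2.3)
2012-01-15 06:30:14 198.51.100.7:6515 Via: 1.1 IQ-K12-Desktop (McAfee Relay Server 5.2.3)
2012-01-15 06:30:15 192.0.2.44:3128 Via: 1.1 cache.example.net:3128 (squid/3.1.19)
2012-01-15 06:30:17 203.0.113.22:6515 Via: 1.1 Owner-PC (McAfee Relay Server 5.2.1), 1.0 cache.example.net:3128 (squid/3.1.19)
2012-01-15 06:30:19 198.51.100.9:6515 Via: 1.1 funk-sbs-2003 (McAfee Relay Server 5.2.3)
2012-01-15 06:30:21 203.0.113.31:8080 Via: HTTP/1.1 proxy.example.org
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+ \S+) (?P<ip>[\d.]+):(?P<port>\d+) Via: (?P<via>.*)$")


def parse_via(value):
    """Split a Via header value into hop dicts, in order from origin outward."""
    return [m.groupdict() for m in VIA_ENTRY.finditer(value)]


def mcafee_relay_hops(value):
    """Return (received_by, relay_version) for every McAfee Relay Server hop."""
    hops = []
    for hop in parse_via(value):
        m = RELAY_COMMENT.match(hop["comment"] or "")
        if m:
            hops.append((hop["received_by"], m.group("relay_version")))
    return hops


def triage(log_text):
    """Summarise which checked proxies identify themselves as McAfee Relay Server."""
    summary = {
        "checked": 0,
        "relays": [],            # (ip, port, hostname, relay_version)
        "by_version": Counter(),
        "default_pc_names": 0,   # hostnames ending in "-PC"
        "on_port_6515": 0,       # relay hops seen on the port the post singles out
    }
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed layout
        summary["checked"] += 1
        for host, version in mcafee_relay_hops(m.group("via")):
            summary["relays"].append((m.group("ip"), m.group("port"), host, version))
            summary["by_version"][version] += 1
            if DEFAULT_PC_NAME.search(host):
                summary["default_pc_names"] += 1
            if m.group("port") == "6515":
                summary["on_port_6515"] += 1
    return summary


if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    print(f"checked {s['checked']} proxies, {len(s['relays'])} McAfee Relay Server hops")
    for ip, port, host, version in s["relays"]:
        print(f"  {ip}:{port}  {host}  {version}")
    print("by version:", dict(s["by_version"]))
    print("default '<owner>-PC' names:", s["default_pc_names"])
    print("relay hops on port 6515:", s["on_port_6515"])
```

The hop regex deliberately excludes commas from received-by so that comma-separated multi-hop chains split correctly without a naive split on "," that would break on commas inside comments; on the sample log it finds four relay hops, three at 5.2.3 and one at 5.2.1, two of them with the default "-PC" name.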
Have you tried googling this issue? And what does an nmap scan, or a firewall status, say on your ports? Can you find the exe/command that has something to do with port 6515?
All the best
Scary - old vulnerability - but a recurrence could mean a lot of people are vulnerable -
http://packetstormsecurity.org/files/24971/mcaffee.mycio.traversal.txt
Anon: When I Google "McAfee Relay Server 5.2.3" (with quotes) I get a few proxy sites, this blog, and the notice I sent to Full Disco.
I don't scan any of these proxies, I pull the addresses and ports from public proxy lists. And I certainly don't "poke around" on other people's PCs looking for executables.
Rich: It's not old, it's "proven technology".
We started a thread on TechNet as it's affecting a lot of SBS 2003 / 2008 servers. Seems to be the myAgtSvc.exe, so just killed it for now. A number of service requests outstanding with McAfee...
Thanks, Anon. Let me know what happens, if it doesn't conflict with your McAfee NDA.
Unfortunately, I don't keep the VIA headers in my database, but I have all of them in my logs, so I'm looking at pulling those out.
Right now, at 6:30AM EDT, I have a bunch of these port 6515 puppies on the front page of the proxy list, so they're still coming in.
Four days since a complete reinstall of McAfee and exactly the same problem. Still no response from McAfee. Have checked over the system with Eset (and various others) and found nothing at all. How long until they accept a vulnerability...?
2011-12 McAfee Via Headers:
1.1 IQ-K12-Desktop (McAfee Relay Server 5.2.3)
1.1 wrccsrv3 (McAfee Relay Server 5.2.3)
1.1 pegasus-PC (McAfee Relay Server 5.2.3)
1.1 test (McAfee Relay Server 5.2.3)
1.1 your-4dacd0ea75 (McAfee Relay Server 5.2.3)
1.1 Owner-PC (McAfee Relay Server 5.2.3)
1.1 D5C3VW81 (McAfee Relay Server 5.2.3)
1.1 sunsetview2 (McAfee Relay Server 5.2.3)
1.1 WebTool (McAfee Relay Server 5.2.3)
1.1 lgfunmachine (McAfee Relay Server 5.2.3)
1.1 BN32JH1 (McAfee Relay Server 5.2.1)
1.1 Carl-PC (McAfee Relay Server 5.2.3)
1.1 Copper (McAfee Relay Server 5.2.3)
1.1 Redhead10 (McAfee Relay Server 5.2.3)
1.1 DEMO (McAfee Relay Server 5.2.3)
1.1 IQ-K12-Desktop (McAfee Relay Server 5.2.3)
1.1 C1247 (McAfee Relay Server 5.2.3)
1.1 Alice-PC (McAfee Relay Server 5.2.0)
1.1 HERRINWEB (McAfee Relay Server 5.2.3)
1.1 Bill-PC (McAfee Relay Server 5.2.3)
1.1 Evelyn-OfficePC (McAfee Relay Server 5.2.3)
1.1 DJHGRCB1 (McAfee Relay Server 5.2.3)
1.1 DGD2 (McAfee Relay Server 5.2.0)
1.1 Laptop (McAfee Relay Server 5.2.3)
1.1 admin-4640dd0e8 (McAfee Relay Server 5.2.3)
1.1 felicita-xj4lhs (McAfee Relay Server 5.2.3)
1.1 SVR2003-HE1 (McAfee Relay Server 5.2.3)
1.1 Daniel-PC (McAfee Relay Server 5.2.3)
1.1 TECH (McAfee Relay Server 5.2.3)
1.1 server01 (McAfee Relay Server 5.2.3)
1.1 r6 (McAfee Relay Server 5.2.3)
1.1 progress-serv2 (McAfee Relay Server 5.2.3)
1.1 Chopper (McAfee Relay Server 5.2.3)
1.1 IQ-K12-Desktop (McAfee Relay Server 5.2.3)
1.1 park_edmonds01 (McAfee Relay Server 5.2.3)
1.1 your-4dacd0ea75 (McAfee Relay Server 5.2.3)
1.1 Rosy (McAfee Relay Server 5.2.0)
1.1 Denise-PC (McAfee Relay Server 5.2.3)
1.1 Lisa-PC (McAfee Relay Server 5.2.1)
1.1 JimandMelody-PC (McAfee Relay Server 5.2.1)
1.1 SFPHost3 (McAfee Relay Server 5.2.3)
1.1 105-HPTS1 (McAfee Relay Server 5.2.3)
1.1 amy-PC (McAfee Relay Server 5.2.1)
1.1 Captain-America (McAfee Relay Server 5.2.3)
1.1 PTserver (McAfee Relay Server 5.2.0)
1.1 reeca83-PC (McAfee Relay Server 5.2.3)
1.1 webmaster (McAfee Relay Server 5.2.3)
1.1 pegasus-PC (McAfee Relay Server 5.2.3)
1.1 Server08 (McAfee Relay Server 5.2.3)
1.1 IQ-K12-Desktop (McAfee Relay Server 5.2.3)
1.1 HERRINWEB (McAfee Relay Server 5.2.3)
1.1 lowkeytattoo-PC (McAfee Relay Server 5.2.1)
1.1 vinmann326-PC (McAfee Relay Server 5.2.3)
1.1 rob-HP (McAfee Relay Server 5.2.3)
1.1 HERRINWEB (McAfee Relay Server 5.2.3)
1.1 56379100-TSRVR1 (McAfee Relay Server 5.2.3)
1.1 HomeComputer (McAfee Relay Server 5.2.3)
1.1 Tara-PC (McAfee Relay Server 5.2.1)
1.1 Tecal-I7 (McAfee Relay Server 5.2.3)
1.1 HERRINWEB (McAfee Relay Server 5.2.3)
1.1 Tecal-I7 (McAfee Relay Server 5.2.3)
1.1 User-PC (McAfee Relay Server 5.2.3)
1.1 K12-C8C4ACC5AED (McAfee Relay Server 5.2.3)
1.1 60-1554 (McAfee Relay Server 5.2.3)
1.1 galwaybay-PC (McAfee Relay Server 5.2.3)
1.1 49153900-TWS2 (McAfee Relay Server 5.2.3)
1.1 Patricia-PC (McAfee Relay Server 5.2.3)
1.1 Owner-PC (McAfee Relay Server 5.2.3)
1.1 Ed-PC (McAfee Relay Server 5.2.0)
1.1 SERVIDOR (McAfee Relay Server 5.2.3)
1.1 Bob (McAfee Relay Server 5.2.3)
1.1 Debby-PC (McAfee Relay Server 5.2.3)
1.1 DEVOTED1 (McAfee Relay Server 5.2.3)
1.1 zutz-PC (McAfee Relay Server 5.2.3)
1.1 FreddyG840-PC (McAfee Relay Server 5.2.3)
1.1 CJ-HP (McAfee Relay Server 5.2.3)
1.1 Flanagan-PC (McAfee Relay Server 5.2.3)
1.1 Nancy-PC (McAfee Relay Server 5.2.3)
1.1 Jerry-PC (McAfee Relay Server 5.2.3)
1.1 DorothyDonay-PC (McAfee Relay Server 5.2.3)
1.1 RWCJKEISER (McAfee Relay Server 5.2.3)
1.1 804746-7219-PC (McAfee Relay Server 5.2.3)
1.1 slimone1-PC (McAfee Relay Server 5.2.3)
1.1 JOHHNY-PC (McAfee Relay Server 5.2.3)
1.1 Office-PC (McAfee Relay Server 5.2.3)
1.1 Spaserver (McAfee Relay Server 5.2.3)
1.1 DarkKnight-PC (McAfee Relay Server 5.2.1)
1.1 billtrain-PC (McAfee Relay Server 5.2.3)
1.1 inok-PC (McAfee Relay Server 5.2.1)
1.1 FrancesEveDe-PC (McAfee Relay Server 5.2.3)
1.1 Hoffman-PC (McAfee Relay Server 5.2.3)
1.1 Cabin-Server (McAfee Relay Server 5.2.0)
1.1 Home1 (McAfee Relay Server 5.2.3)
1.1 IQ-K12-Desktop (McAfee Relay Server 5.2.3)
4096 characters max, there were 20 more lines...
Anon #1, thanks for the update on McAfee. It's odd, I work with McAfee products every day and I have never heard of this thing.
Anon #2, thanks for sharing the Via headers! I got a lot of those "IQ-K12-Desktop" machine names as well. I wonder what's going on there. Cloned deployments maybe?
McAfee have just indicated that their engineering team is now aware, and are preparing a patch for this issue.
They have recommended in the meantime that the Rumor/McAfee Peer Distribution Service be disabled and that external firewalls be updated to block incoming connections to port 6515.
Great news, Kaamar! Tell McAfee to make sure they spell my name right on their KnowledgeBase article!
lulz
Update:
McAfee has developed a patch that will instruct Rumor not to respond to most incoming requests on port 6515. The patch will be posted through updates over a week's time. The updated version will show 5.2.3 patch 4. Please do revert back for additional information.
Informative. Thanks.