Home page logo
/

basics logo Security Basics mailing list archives

Re: is this real?
From: Eric Brown <ericbrow () ziplip com>
Date: Tue, 16 Mar 2004 09:42:12 -0800 (PST)

Michael,
I've seen this sort of openness with unpatched Cobalt servers from Sun.  They're nice in that they allow someone with 
limited knowledge and expirence set up their own web and mail server, but they're about as secure as swiss cheese.  The 
first server I ran in production was a Cobalt Raq4.  Then I started learning about network security (thanks in large 
part to this list).  Now we've switched to a much more secure setup.

Or it could be a honeypot.  It does look suspiciously open, I'll agree with you on that.

Eric


-----Original Message-----
From: Michael Weber [mailto:mweber () hitwin com]
Sent: Tuesday, March 16, 2004, 9:19 AM
To: security-basics () securityfocus com
Subject: is this real?

Hi,

after the weekend i spend a few hours for a journey trough my logfiles 
from the weekend. So i detect one IP which scan us very often and try to 
connect to ssh. Not unusual so far... normally i do an nmap run, look on 
the machine and forget it.

But This:

Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2004-03-15 18:30 CET
Interesting ports on xxx.xxx.xxx.xxx:
(The 1007 ports scanned but not shown below are in state: closed)
PORT    STATE    SERVICE      VERSION
21/tcp  open     ftp?
22/tcp  open     ssh          SSH 1.2.33 (protocol 1.5)
23/tcp  open     telnet       Linux telnetd
25/tcp  open     smtp         Sendmail smtpd 8.11.6/8.11.0
53/tcp  open     domain       ISC Bind 8.2.2-P5
79/tcp  open     finger       Linux fingerd
80/tcp  open     http         Apache httpd 1.3.23 ((Unix) PHP/4.1.2)
109/tcp open     pop-2?
110/tcp open     pop3
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
143/tcp open     imap?
445/tcp filtered microsoft-ds
513/tcp open     login?
514/tcp open     shell?
587/tcp open     smtp         Sendmail 8.11.6/8.11.0
707/tcp filtered unknown

Could THIS be real??? Or is it a honeypot? SSH in a version older than 
me, telnet online, finger talks to the whole world and so on.... just a 
question because i have never seen somewhat... open... in the wild 
before. Somewhere in Korea...

regards,
Michael



---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------



To do is to be.  -Socrates
To be is to do.  -Satre
Do be do be do.  -Sinatra

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]