On Wed, 5 Jan 2000, Michael Damm wrote:
>
> Hello.
>
> I helped a good friend do some basic security on this small business
> webserver a while back.
> Tonight I received a message from him stating that something was
> up and he didn't quite understand it.
>
> His eth0 device was put into promisc, as I told him, an obvious sign
> the box was owned somehow.
>
> The only things I was able to dig out of the logs was:
> httpd log:
> 195.188.192.12 - - [03/Jan/2000:00:05:46 -0800] "HEAD / HTTP/1.1" 200 0
> (resolves to zanussi.netcraft.com)
Netcraft routinely scans hosts for their OS. It does this by checking the
web server. Whisker, rfp's CGI scanner, allows its users to use Netcraft
for OS identification and for bouncing scans through it to target hosts.
From the documentation:
-N query Netcraft for server OS guess
-B 1 bounce off of altavista.com (and netcraft.com)
The netcraft poke might have been the precursor to a CGI scan from
Whisker or simply the intruder scoping your OS version via Netcraft.
From the Netcraft page:
"Netcraft determines the operating system of the queried host by looking
in detail at the network characteristics of the HTTP reply received from
the web site."
> Jan 4 15:58:55 [boxname] kernel: eth0: Setting promiscuous mode.
> Jan 4 15:58:55 [boxname] kernel: device eth0 left promiscuous mode
> (All clock times approx. 20 min off from Pacific time)
Up goes the sniffer. Down goes the sniffer. Odd.
>
> A quick run over to my favorite 0day site gave me only a local
> exploit for his OS (Mandrake 6).
>
> All daemons that were running were the latest version, and those were
> minimal, taking my security advice. I can't get an exact list or any
> further data right now, it appears he 'eth0 down'ed the box.
>
Chances are if the intruder was poking remotely via Netcraft they did not
already have a sniffed login so there is a good chance *something* is
vulnerable. If you post an inventory of the remote services we can run it
through the database here and see if anything pops up.
> My questions for the list:
> 1. Is netcraft.com being used in some mass scan for a httpd related
> or other remote overflow?
http://www.wiretrip.net/rfp/bins/whisker/
> 2. Is Mandrake 6 obviously vulnerable to something I'm not aware of?
>
Received on Jan 05 2000
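Added example, not part of the thread: a small Python script that scans syslog lines for the "Setting promiscuous mode" / "left promiscuous mode" kernel messages quoted above, pairs each on/off into a sniffer window (an open window means the interface is still sniffing), and decodes the IFF_PROMISC bit from /sys/class/net/<dev>/flags. The sysfs check assumes a modern Linux kernel (it did not exist on Mandrake 6), and the sample log lines are constructed to mirror the ones in the post.

```python
import re
from datetime import datetime

# Kernel messages logged when an interface's promiscuous flag changes, in the
# wording the post quotes from /var/log/messages (newer kernels say
# "entered promiscuous mode"; adjust PROMISC_ON if your kernel does).
PROMISC_ON = re.compile(r"kernel: (?P<dev>\w+): Setting promiscuous mode")
PROMISC_OFF = re.compile(r"kernel: device (?P<dev>\w+) left promiscuous mode")
SYSLOG_TS = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) ")

IFF_PROMISC = 0x100  # bit set in /sys/class/net/<dev>/flags while promiscuous

def parse_promisc_events(lines, year=2000):
    """Return (timestamp, dev, 'on'|'off') for every promisc transition."""
    events = []
    for line in lines:
        m_on, m_off = PROMISC_ON.search(line), PROMISC_OFF.search(line)
        if not (m_on or m_off):
            continue  # unrelated syslog line
        ts_text = SYSLOG_TS.match(line).group("ts")  # syslog omits the year
        ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
        events.append((ts, (m_on or m_off).group("dev"), "on" if m_on else "off"))
    return events

def promisc_windows(events):
    """Pair each 'on' with the next 'off' on the same device; None = still open."""
    open_since, windows = {}, []
    for ts, dev, state in events:
        if state == "on":
            open_since[dev] = ts
        elif dev in open_since:
            windows.append((dev, open_since.pop(dev), ts))
    windows.extend((dev, ts, None) for dev, ts in open_since.items())
    return windows

def is_promiscuous(flags_value):
    """Interpret the hex string read from /sys/class/net/<dev>/flags."""
    return bool(int(flags_value, 16) & IFF_PROMISC)

# Constructed sample lines modelled on the ones quoted in the post.
SAMPLE_LOG = [
    "Jan  4 15:58:55 boxname kernel: eth0: Setting promiscuous mode.",
    "Jan  4 15:58:55 boxname kernel: device eth0 left promiscuous mode",
    "Jan  4 16:02:10 boxname kernel: eth0: Setting promiscuous mode.",
    "Jan  4 16:02:11 boxname sshd[412]: Accepted password for bob from 10.0.0.5",
]

if __name__ == "__main__":
    for dev, start, end in promisc_windows(parse_promisc_events(SAMPLE_LOG)):
        print(dev, start, "->", end or "still sniffing")
```

A one-second on/off pair like the one in the post is typical of a tool briefly opening a raw socket, whereas a window that never closes is the case to look at first.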