Security Incidents
mailing list archives
Weird DNS scans
From: Seth Milder <mrseth () physics gmu edu>
Date: Fri, 05 Oct 2001 02:59:26 -0400
I am getting a ton of DNS scans from what seem to be all BSDI machines
and all from China (so far). They are also *all* running
SSH-1.99-2.0.12 F-SECURE SSH
and all have at least irc and https open as well. Anyone else seeing
this? Here are a few of my nmap results.
Starting nmap V. 2.30BETA20 by fyodor () insecure org (
www.insecure.org/nmap/ )
Host (202.96.96.3) appears to be up ... good.
Initiating SYN half-open stealth scan against (202.96.96.3)
Adding TCP port 22 (state open).
Adding TCP port 443 (state open).
The SYN scan took 416 seconds to scan 1518 ports.
For OSScan assuming that port 22 is open and port 1 is closed and
neither are firewalled
Interesting ports on (202.96.96.3):
(The 1512 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
182/tcp filtered audit
443/tcp open https
1387/tcp filtered cadsi-lm
2500/tcp filtered rtsserv
6667/tcp filtered irc
TCP Sequence Prediction: Class=random positive increments
Difficulty=155830 (Good luck!)
Sequence numbers: ACF89303 ACFAE081 ACF89303 ACFAE081 AD0343B4 AD064C1B
Remote operating system guess: F5labs Big/IP HA TCP/IP Load Balancer
(BSDI kernel/x86)
OS Fingerprint:
TSeq(Class=RI%gcd=1%SI=260B6)
T1(Resp=Y%DF=Y%W=402E%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=Y%W=402E%ACK=O%Flags=A%Ops=NNT)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=N)
Starting nmap V. 2.54BETA7 ( www.insecure.org/nmap/ )
Host (61.138.141.3) appears to be up ... good.
Initiating SYN Stealth Scan against (61.138.141.3)
Adding TCP port 22 (state open).
Adding TCP port 443 (state open).
The SYN Stealth Scan took 480 seconds to scan 1534 ports.
For OSScan assuming that port 22 is open and port 1 is closed and
neither are firewalled
Insufficient responses for TCP sequencing (3), OS detection may be less
accurate
Interesting ports on (61.138.141.3):
(The 1531 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
443/tcp open https
6667/tcp filtered irc
Remote operating system guess: F5labs Big/IP HA TCP/IP Load Balancer
(BSDI kernel/x86)
OS Fingerprint:
T1(Resp=Y%DF=Y%W=402E%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=Y%W=402E%ACK=O%Flags=A%Ops=NNT)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=N)
Starting nmap V. 2.30BETA20 by fyodor () insecure org (
www.insecure.org/nmap/ )
Host (61.139.76.157) appears to be up ... good.
Initiating SYN half-open stealth scan against (61.139.76.157)
Adding TCP port 21 (state open).
Adding TCP port 22 (state open).
Adding TCP port 443 (state open).
The SYN scan took 457 seconds to scan 1518 ports.
For OSScan assuming that port 21 is open and port 1 is closed and
neither are firewalled
Interesting ports on (61.139.76.157):
(The 1514 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
443/tcp open https
6667/tcp filtered irc
TCP Sequence Prediction: Class=random positive increments
Difficulty=80721 (Worthy challenge)
Sequence numbers: 4E09FF48 4E0F551E 4E09FF48 4E13BF92 4E0F551E 4E1994C8
Remote operating system guess: F5labs Big/IP HA TCP/IP Load Balancer
(BSDI kernel/x86)
OS Fingerprint:
TSeq(Class=RI%gcd=2%SI=13B51)
T1(Resp=Y%DF=Y%W=402E%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=Y%W=402E%ACK=O%Flags=A%Ops=NNT)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=N)
--
Seth Milder
Department of Physics and Astronomy
MS 3f3
George Mason University
Fairfax, VA
--
Say no, then negotiate. -- Helga
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
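As an added example (not part of the post above, nor nmap's own code): a small Python parser for the nmap 2.x text reports quoted in the post that groups the scanning hosts by OS guess plus their T1..T7/PU probe responses and reports the open ports they all share, which is the check a defender would run before concluding that the sources are one platform. The sample input is reconstructed from the three reports in the post, with the fingerprint and OS-guess lines (identical in all three) factored out.

```python
import re
from collections import defaultdict

# Probe responses T1..T7 and PU, identical in all three reports in the post.
FP = "\n".join([
    "T1(Resp=Y%DF=Y%W=402E%ACK=S++%Flags=AS%Ops=MNWNNT)", "T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)",
    "T3(Resp=Y%DF=Y%W=402E%ACK=O%Flags=A%Ops=NNT)", "T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)",
    "T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)", "T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)",
    "T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)", "PU(Resp=N)"]) + "\n"
OS = "Remote operating system guess: F5labs Big/IP HA TCP/IP Load Balancer (BSDI kernel/x86)\n"
# Constructed sample: the per-host parts of the post's three reports, each followed by OS and FP.
SAMPLE = "".join(b + OS + FP for b in [
    "Host (202.96.96.3) appears to be up ... good.\n22/tcp open ssh\n443/tcp open https\n6667/tcp filtered irc\n",
    "Host (61.138.141.3) appears to be up ... good.\n22/tcp open ssh\n443/tcp open https\n6667/tcp filtered irc\n",
    "Host (61.139.76.157) appears to be up ... good.\n21/tcp open ftp\n22/tcp open ssh\n443/tcp open https\n6667/tcp filtered irc\n",
])

def parse_reports(text):
    """One dict per host from nmap 2.x text output: host, open/filtered ports, OS guess, probes."""
    hosts = []
    for line in text.splitlines():
        if (m := re.match(r"Host \((\S+)\) appears to be up", line)):
            hosts.append({"host": m[1], "open": set(), "filtered": set(), "os": None, "fp": {}})
        elif not hosts:
            continue  # ignore banner lines before the first host
        elif (m := re.match(r"(\d+/(?:tcp|udp))\s+(open|filtered)\s", line)):
            hosts[-1][m[2]].add(m[1])
        elif (m := re.match(r"Remote operating system guess: (.+)", line)):
            hosts[-1]["os"] = m[1]
        elif (m := re.match(r"(T[1-7]|PU)\((.*)\)$", line)):
            hosts[-1]["fp"][m[1]] = m[2]
    return hosts

def profile(h):
    """What identifies the scanner platform: the OS guess plus the raw probe responses."""
    return (h["os"], tuple(sorted(h["fp"].items())))

def group_by_profile(hosts):
    """Map each distinct platform profile to the hosts that exhibit it."""
    groups = defaultdict(list)
    for h in hosts:
        groups[profile(h)].append(h["host"])
    return dict(groups)

def common_open_ports(hosts):
    """Open ports present on every host, i.e. the service set the whole group exposes."""
    return set.intersection(*(h["open"] for h in hosts))

if __name__ == "__main__":
    parsed = parse_reports(SAMPLE)
    for prof, ips in group_by_profile(parsed).items():
        print(f"{len(ips)} host(s) share OS guess {prof[0]!r}: {ips}")
    print("open on all:", sorted(common_open_ports(parsed)))
```

Feed it the raw nmap output instead of SAMPLE to check whether new sources fall into the same profile or a different one.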