July 21st, 2004, 06:09 PM
Loving popup adds as much as I do, and the relentless SPAM that fills my mailbox, for kicks I decided to run a quick nmap on one of the worst offenders.
I thought surely there box would be completely locked solid.
I was surprised when virtually every port on the machine was open.
The list of open ports is way too long to post, but I thought a few of these were interesting.
The last one on the list was of particular interest
nmap -v -sS <ip address> (witholding IP address here) produced:
27665/tcp open Trinoo_Master
31337/tcp open Elite
32771/tcp open sometimes-rpc5
32772/tcp open sometimes-rpc7
32773/tcp open sometimes-rpc9
32774/tcp open sometimes-rpc11
54320/tcp open bo2k
So I'm bored and I figure what the heck -
ssh -1 <ip address> gives me:
So two things occur to me:
1. This is a WELL set up honeypot, and what I am seeing is simply an illusion to the real server - OR
2. They have one of the most open boxes I have ever seen, and they could care less about security.
With spammers, etc. is this a normal occurence? (ports open all over) - or was this particular site just an oddity?
Those of you who have done more adventuring than I have - what are your opinions?
July 21st, 2004, 06:17 PM
A script kiddie perhaps? Those would be the types too stupid to defend their own boxes, I'd figure...
July 21st, 2004, 06:50 PM
it's possible that what the IP you scanned could lead to a zombie box that spammers/popuppers hacked...in most cases, i'd say alert them, but if it is a spammer, they deserve whatever they get...
\"Look, Doc, I spent last Tuesday watching fibers on my carpet. And the whole time I was watching my carpet, I was worrying that I, I might vomit. And the whole time, I was thinking, \"I\'m a grown man. I should know what goes on my head.\" And the more I thought about it... the more I realized that I should just blow my brains out and end it all. But then I thought, well, if I thought more about blowing my brains out... I start worrying about what that was going to do to my goddamn carpet. Okay, so, ah-he, that was a GOOD day, Doc. And, and I just want you to give me some pills and let me get on with my life. \" -Roy Waller
July 21st, 2004, 06:57 PM
Excellent point - I will check a little further and see if that IP is actually owned by the spammers using it. If the IP belongs to a legit company I will let them know.
July 21st, 2004, 07:03 PM
more than likely is is a cable modem box that is being used to kick out spam
i doubt the user knows or cares
i see it alot they usually dont even care untill their computer doesnt work
good luck getting answers
July 21st, 2004, 07:04 PM
Just checked - the IP belongs to an outift called "wholesaleinternet" - how nice ;P
Looks like a SPAM outift to me - so they can deal with their own security issues on that box.
Interestingly enough, there is a normal looking contact e-mail listed.
What makes me want to FORWARD all the SPAM I receive to that address?
July 21st, 2004, 07:10 PM
Thanks Jeremy - my question was one of pure curiousity. It appears that the address I scanned IS a single node, and it also appears the same company owns their name servers also (they could be leased through an outside provider though. )
I just thought it was interesting that address was so wide open. I always figured that spammers would have things locked down figuring all the folks they piss off would be after their computers.
July 21st, 2004, 07:45 PM
It is a hosting service. Probably doesn't care about spammers...
They offer a whole range of services that anyone would want... but spammers would love...
line Control Panel (DirecAdmin on dedicated servers.
•Unlimited POP3 Email Accounts
• IMAP 4 Mail Server
• Web Mail Access
• Unlimited Email Forwarding
• Unlimited Email Autoresponders
•Unlimited FTP Accounts
• Unlimited FTP Access
• Unlimited Domain Parking
• Sub Domain Support
• Webalizer Traffic Stats
• Raw Access Logs
• Spam Filters
• Majordomo Mailing List Software
Those are just a couple that i'd suspect could be abused by spammers.
I've never really looked into what and how spammers get out all their mail.
I wouldn't be surprised if it was a honeypot/net.
I know someone who runs a small hosting company and he has a whole setup of honeynets... draws the attackers attention away from his real services. Well.. the kiddies at least.
is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
July 21st, 2004, 08:02 PM
Nice info Phish -- thank you. It is hard for me to imagine that spammers that hijack your home page, popup adds and flood your mailbox manage to actually sell anything that way. But they must - there are certainly plenty of them out there.
Would be fun if the Government issued a 30-day "free-for-all" and made it legal to hack, or otherwise shutdown all known spammers.
Unfortunately, on day 31 they would be right back in business.
July 21st, 2004, 08:12 PM
Hmm maybe this is a bit offtopic but here goes. Over the past 4 weeks, my firewall logs have been increasing way above normal load. I have a dynamic ip (dialup), but there is normally a steady amount of average hits. My normal hits are targeted at ports 139, 135, 445, etc... (the common stuff). Now then, for the past 3 - 4 weeks, ive been getting hit alot on other ports, like 2745, 2755, 2760, 9898, 9449, 5554. Nothing wrong or weird by getting connection attempts. Just, every time though i connected, one day i would get hit by one IP on the mentioned ports, for like 5 hours, about 20 hits per minute (in addition to the normal daily traffic), then the next day (new dynamic ip) i would get hit on the same ports all day long from another source IP. Everytime i run a 'nslookup' or 'whois', i would get sources from Asia, like alot came from china, korea, thailand, and once even japan. After 3 weeks, and being pissed of at the floods in my firewall logs, i started portscanning the sources. Now then, every source i scanned, had like 300 open ports. From the better known ones like ftp, telnet, mail, web, SSL, proxy (8080 & 3128) upto a few hundred other high ports. The fingerprinting resulted mostly in some sory of router, from zyxel to cisco brands (depending on which source ip i scanned). At first i too thought that it was some miserable configured network, but then i started thinking about honeynets/pots.
During the same period of time, a friend on his forums had the same traffic from asia every day for about 3 - 4 weeks. (my network and his have nothing in common BTW). Now, since about 10 days all traffic has stopped from Asian sources, same for my friends network. Has anyone else been getting higher traffic from there during the last 1 - 1 1/2 months? If so, has anyone looked up the sources, and maybe run some tests from there? I was very surprised at the amount of open ports i found when i scanned them, but being scared it might be some sort of honey pot, i didnt do any further digging.
Guess im just not used to scanning and finding a box with so many open ports. Looks fishy to me
Ubuntu-: Means in African : "Im too dumb to use Slackware"