Page 1 of 2 12 LastLast
Results 1 to 10 of 13

Thread: Interesting scan

  1. #1

    Interesting scan

    Loving popup adds as much as I do, and the relentless SPAM that fills my mailbox, for kicks I decided to run a quick nmap on one of the worst offenders.

    I thought surely there box would be completely locked solid.

    I was surprised when virtually every port on the machine was open.

    The list of open ports is way too long to post, but I thought a few of these were interesting.

    The last one on the list was of particular interest

    nmap -v -sS <ip address> (witholding IP address here) produced:

    27665/tcp open Trinoo_Master
    31337/tcp open Elite
    32771/tcp open sometimes-rpc5
    32772/tcp open sometimes-rpc7
    32773/tcp open sometimes-rpc9
    32774/tcp open sometimes-rpc11
    54320/tcp open bo2k

    So I'm bored and I figure what the heck -

    ssh -1 <ip address> gives me:

    root@ipaddress's password:

    So two things occur to me:

    1. This is a WELL set up honeypot, and what I am seeing is simply an illusion to the real server - OR

    2. They have one of the most open boxes I have ever seen, and they could care less about security.

    With spammers, etc. is this a normal occurence? (ports open all over) - or was this particular site just an oddity?

    Those of you who have done more adventuring than I have - what are your opinions?

    - Aftiel

  2. #2
    A script kiddie perhaps? Those would be the types too stupid to defend their own boxes, I'd figure...

  3. #3
    Senior Member
    Join Date
    May 2003
    Posts
    407
    it's possible that what the IP you scanned could lead to a zombie box that spammers/popuppers hacked...in most cases, i'd say alert them, but if it is a spammer, they deserve whatever they get...


    slick
    \"Look, Doc, I spent last Tuesday watching fibers on my carpet. And the whole time I was watching my carpet, I was worrying that I, I might vomit. And the whole time, I was thinking, \"I\'m a grown man. I should know what goes on my head.\" And the more I thought about it... the more I realized that I should just blow my brains out and end it all. But then I thought, well, if I thought more about blowing my brains out... I start worrying about what that was going to do to my goddamn carpet. Okay, so, ah-he, that was a GOOD day, Doc. And, and I just want you to give me some pills and let me get on with my life. \" -Roy Waller

  4. #4
    Excellent point - I will check a little further and see if that IP is actually owned by the spammers using it. If the IP belongs to a legit company I will let them know.

    - Aftiel

  5. #5
    Junior Member
    Join Date
    Feb 2004
    Posts
    12
    more than likely is is a cable modem box that is being used to kick out spam
    i doubt the user knows or cares
    i see it alot they usually dont even care untill their computer doesnt work
    good luck getting answers
    jeremy

  6. #6
    Just checked - the IP belongs to an outift called "wholesaleinternet" - how nice ;P

    Looks like a SPAM outift to me - so they can deal with their own security issues on that box.

    Interestingly enough, there is a normal looking contact e-mail listed.

    What makes me want to FORWARD all the SPAM I receive to that address?

    - Aftiel

  7. #7
    Thanks Jeremy - my question was one of pure curiousity. It appears that the address I scanned IS a single node, and it also appears the same company owns their name servers also (they could be leased through an outside provider though. )

    I just thought it was interesting that address was so wide open. I always figured that spammers would have things locked down figuring all the folks they piss off would be after their computers.

    - Aftiel

  8. #8
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    http://www.wholesaleinternet.com/

    It is a hosting service. Probably doesn't care about spammers...

    They offer a whole range of services that anyone would want... but spammers would love...

    line Control Panel (DirecAdmin on dedicated servers.
    •Unlimited POP3 Email Accounts
    • IMAP 4 Mail Server
    • Web Mail Access
    • Unlimited Email Forwarding
    • Unlimited Email Autoresponders
    •Unlimited FTP Accounts
    • Unlimited FTP Access
    • Unlimited Domain Parking
    • Sub Domain Support
    • Webalizer Traffic Stats
    • Raw Access Logs
    • Spam Filters
    • Majordomo Mailing List Software

    http://www.greatcircle.com/majordomo...-faq.html#what

    Those are just a couple that i'd suspect could be abused by spammers.

    I've never really looked into what and how spammers get out all their mail.

    I wouldn't be surprised if it was a honeypot/net.

    I know someone who runs a small hosting company and he has a whole setup of honeynets... draws the attackers attention away from his real services. Well.. the kiddies at least.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  9. #9
    Nice info Phish -- thank you. It is hard for me to imagine that spammers that hijack your home page, popup adds and flood your mailbox manage to actually sell anything that way. But they must - there are certainly plenty of them out there.

    Would be fun if the Government issued a 30-day "free-for-all" and made it legal to hack, or otherwise shutdown all known spammers.

    Unfortunately, on day 31 they would be right back in business.

    - Aftiel

  10. #10
    Antionline's Security Dude instronics's Avatar
    Join Date
    Dec 2002
    Posts
    901
    Hmm maybe this is a bit offtopic but here goes. Over the past 4 weeks, my firewall logs have been increasing way above normal load. I have a dynamic ip (dialup), but there is normally a steady amount of average hits. My normal hits are targeted at ports 139, 135, 445, etc... (the common stuff). Now then, for the past 3 - 4 weeks, ive been getting hit alot on other ports, like 2745, 2755, 2760, 9898, 9449, 5554. Nothing wrong or weird by getting connection attempts. Just, every time though i connected, one day i would get hit by one IP on the mentioned ports, for like 5 hours, about 20 hits per minute (in addition to the normal daily traffic), then the next day (new dynamic ip) i would get hit on the same ports all day long from another source IP. Everytime i run a 'nslookup' or 'whois', i would get sources from Asia, like alot came from china, korea, thailand, and once even japan. After 3 weeks, and being pissed of at the floods in my firewall logs, i started portscanning the sources. Now then, every source i scanned, had like 300 open ports. From the better known ones like ftp, telnet, mail, web, SSL, proxy (8080 & 3128) upto a few hundred other high ports. The fingerprinting resulted mostly in some sory of router, from zyxel to cisco brands (depending on which source ip i scanned). At first i too thought that it was some miserable configured network, but then i started thinking about honeynets/pots.

    During the same period of time, a friend on his forums had the same traffic from asia every day for about 3 - 4 weeks. (my network and his have nothing in common BTW). Now, since about 10 days all traffic has stopped from Asian sources, same for my friends network. Has anyone else been getting higher traffic from there during the last 1 - 1 1/2 months? If so, has anyone looked up the sources, and maybe run some tests from there? I was very surprised at the amount of open ports i found when i scanned them, but being scared it might be some sort of honey pot, i didnt do any further digging.

    Guess im just not used to scanning and finding a box with so many open ports. Looks fishy to me

    Cheers.
    Ubuntu-: Means in African : "Im too dumb to use Slackware"

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •