Security Basics mailing list archives
Re: Wierd non-http port 80 daemon?
From: Francisco Andrades <fandrades () nextj com>
Date: Fri, 09 Jan 2004 17:58:29 +0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, Try using nmap with the newly added -A switch. If you use nmap -A -O ip-address It will show you the OS version and will use the fingerprint to tell you what service (and version sometimes) is running on each port. Dani Wuck wrote: | G'day. My first post here, and I truly hope I've come to the right place. | | I've been scanning a box, and it's - lightly taken - set up very | insecure. Many open ports, etc. One thing I find strange is the | following: The box is open on port 80. But if you telnet into it, it | doesn't act anything like a HTTP daemon. | | #1. If you connect to it, it waits for remote input. | #2. It accepts a certain number of chars before it closes the connection. | #3. If you immediately send the max. number of chars, (or more) the | connection is closed at once. | #4. You can send five times an 'a', and then get disconnected. | #5. If you'd send 'abc', you'll get disconnected after < 5 times | (usually 3 or 2) | #6. Every time you send something, (except doing #3) it returns some | ASCII that seems to be different everytime. (even if you keep sending | the same) | | So .. what do you think I'm looking at? A trojan or something? | Guessing on its open ports I believe it's a WinME OEM, Win2000 or | (probably) WinXP box. (UPNP enabled) | | I'm eager to notify its user, but I first really want to know what that | port 80 deamon is :) | | - wuck | |- ---------------------------------------------------------------------------
| Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off | any course! All of our class sizes are guaranteed to be 10 students or | less. We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion | Prevention, and many other technical hands on courses. Visit us at | http://www.infosecinstitute.com/securityfocus to get $720 off any | course! |- ----------------------------------------------------------------------------
| - -- Francisco Andrades Grassi www.nextj.com Tlf: +58-414-125-7415 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQE//uvFGQPFH+shC0oRAhf6AKCr+lAM1TJA1nXnZG7JOcRXynLp0gCgq7+M rKcd0mGUFvrnD5sy+45a1qg= =p8vA -----END PGP SIGNATURE----- ---------------------------------------------------------------------------Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any course! All of our class sizes are guaranteed to be 10 students or less. We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention, and many other technical hands on courses. Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off any course! ----------------------------------------------------------------------------
Current thread:
- Wierd non-http port 80 daemon? Dani Wuck (Jan 07)
- Re: Wierd non-http port 80 daemon? Greg Tracy (Jan 07)
- Re: Wierd non-http port 80 daemon? Austin Godber (Jan 08)
- Re: Wierd non-http port 80 daemon? Brien Dieterle (Jan 09)
- Re: Wierd non-http port 80 daemon? Dani Wuck (Jan 09)
- Re: Wierd non-http port 80 daemon? Brien Dieterle (Jan 09)
- Re: Wierd non-http port 80 daemon? Kelly John Rose (Jan 08)
- Re: Wierd non-http port 80 daemon? Thomas Kerbl (Jan 08)
- Re: Wierd non-http port 80 daemon? Francisco Andrades (Jan 09)