Security Incidents mailing list archives
Probes from Microsoft
From: "Ryan W. Maple" <ryan () GUARDIANDIGITAL COM>
Date: Fri, 23 Feb 2001 19:53:53 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

For the last day or so, we have been getting probes such as this ...

Feb 23 19:39:17 ns named[8363]: denied query from [207.68.131.17].7018 for "."
Feb 23 19:40:16 ns last message repeated 2 times
Feb 23 19:40:16 ns named[8363]: denied query from [207.68.131.17].9210 for "."

... which resolves to a block owned by MSN ...

Name:    dcwu3dns1.windowsupdate.com
Address: 207.68.131.17

MSN (NETBLK-MSN-BLK)
   One Microsoft Way
   Redmond, WA 98052
   US

   Netname: MSN-BLK
   Netblock: 207.68.128.0 - 207.68.207.255
   Maintainer: MSN

-- Traceroute is going through Microsoft gateway (above-gw1.microsoft.com).

... so today I decided to nmap them to see if this was some kind of joke ...

Starting nmap V. 2.54BETA7 ( www.insecure.org/nmap/ )
Interesting ports on dcwu3dns1.windowsupdate.com (207.68.131.17):
(The 1531 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
53/tcp     open        domain
443/tcp    open        https

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=46338 (Worthy challenge)
Remote operating system guess: F5labs Big/IP HA TCP/IP Load Balancer (BSDI kernel/x86)

... so I probe the ports ...

SSH:   SSH-1.5-1.3.7 F-SECURE SSH
DNS:   VERSION.BIND text = "8.2.2-P5"
HTTPS: "Enter username for 3-DNS at 207.68.131.17"

Now I'm not going to call up Microsoft and say "I think you are hacked" because I don't really feel like going through all the work to find out who to contact, and all that. I have cc:'d secure () microsoft com on this message so hopefully somebody there will investigate.

Has anybody else been seeing this? I have to admit that I find this kind of funny if this is in fact Microsoft (which all signs point to).

Cheers,
Ryan

+-- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --+
  Ryan W. Maple          "I dunno, I dream in Perl sometimes..."  -LW
  Guardian Digital, Inc.                    ryan () guardiandigital com
+-- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --+

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE6lwYkIwAIA9MpKWcRAoO5AJ4xfyuxR0nmaen6EXOLM4CNNnMTcACfUNLN
6NhF+Rg/DrEUqXTbRyXvmoY=
=Ms0r
-----END PGP SIGNATURE-----
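
Added example, not part of the original post: a small Python summarizer for the BIND "denied query" syslog lines quoted in the message, which also credits syslog's "last message repeated N times" lines to the source that triggered them. The function name `summarize_denied` and the output layout are assumptions made for this illustration; the sample input is the three log lines from the message.

```python
import re
from collections import defaultdict

# The three syslog lines quoted in the message above.
SAMPLE_LOG = """\
Feb 23 19:39:17 ns named[8363]: denied query from [207.68.131.17].7018 for "."
Feb 23 19:40:16 ns last message repeated 2 times
Feb 23 19:40:16 ns named[8363]: denied query from [207.68.131.17].9210 for "."
"""

PREFIX = r'^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) '
DENIED = re.compile(PREFIX + r'named\[\d+\]: denied query from '
                    r'\[(?P<src>[\d.]+)\]\.(?P<port>\d+) for "(?P<qname>[^"]*)"')
REPEAT = re.compile(PREFIX + r'last message repeated (?P<n>\d+) times?')
OTHER = re.compile(PREFIX)

def summarize_denied(log_text):
    """Count denied queries per source IP, crediting syslog repeat lines."""
    stats = defaultdict(lambda: {"count": 0, "ports": set(), "qnames": set(),
                                 "first": None, "last": None})
    prev_src = {}  # logging host -> source IP of its previous line, if a denial
    for line in log_text.splitlines():
        m = DENIED.match(line)
        if m:
            s = stats[m["src"]]
            s["count"] += 1
            s["ports"].add(int(m["port"]))
            s["qnames"].add(m["qname"])
            s["first"] = s["first"] or m["ts"]
            s["last"] = m["ts"]
            prev_src[m["host"]] = m["src"]
            continue
        m = REPEAT.match(line)
        if m:
            src = prev_src.get(m["host"])
            if src:  # the repeated message was a denial from src
                stats[src]["count"] += int(m["n"])
                stats[src]["last"] = m["ts"]
            continue
        m = OTHER.match(line)
        if m:  # unrelated line: a later "repeated" no longer refers to a denial
            prev_src[m["host"]] = None
    return dict(stats)

if __name__ == "__main__":
    for src, s in summarize_denied(SAMPLE_LOG).items():
        print(src, s["count"], sorted(s["ports"]), sorted(s["qnames"]),
              s["first"], s["last"])
```

Changing source ports with an identical query name, as in the quoted lines, is the pattern this summary makes visible at a glance.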