Nmap Announce mailing list archives
Re: unauthorized scan from you
From: The Hermit Hacker <scrappy () hub org>
Date: Sat, 13 Feb 1999 18:45:27 -0400 (AST)
Hi Dave...

Effective upon reading this email, I have shut down the probe until *I* can get further clarification on this as well. So far as *I* knew, there is no way that I, on this end, can force your ethernet into promiscuous mode...it has to be done as root on the machine itself.

I've CC'd this to the NMAP mailing list, hoping someone else can give a good explanation for this...

...if it is something that I've done, then the probe will be shutdown *permanently* effective now...I'm just confused as how it could be something I've done.

The only ports I'm using to get the fingerprint are those that, as far as I'm aware, are totally public ports, and have reduced even that to what appears to be the absolute minimum in order to get a clean fingerprint. Could one of these ports, if probed, have caused this? sunrpc maybe?

    hub> more /usr/local/lib/nmap/nmap-services
    echo 7/tcp #
    echo 7/udp #
    discard 9/tcp # sink null
    discard 9/udp # sink null
    daytime 13/tcp #
    daytime 13/udp #
    ftp 21/tcp # File Transfer [Control]
    ftp 21/udp # File Transfer [Control]
    ssh 22/tcp # Secure Shell Login
    ssh 22/udp # Secure Shell Login
    telnet 23/tcp #
    telnet 23/udp #
    smtp 25/tcp # Simple Mail Transfer
    smtp 25/udp # Simple Mail Transfer
    finger 79/tcp #
    finger 79/udp #
    http 80/tcp # World Wide Web HTTP
    http 80/udp # World Wide Web HTTP
    pop-2 109/tcp # PostOffice V.2
    pop-2 109/udp # PostOffice V.2
    pop-3 110/tcp # PostOffice V.3
    pop-3 110/udp # PostOffice V.3
    sunrpc 111/tcp # portmapper, rpcbind
    sunrpc 111/udp # portmapper, rpcbind
    auth 113/tcp # ident, tap, Authentication Service
    auth 113/udp # ident, tap, Authentication Service
    nntp 119/tcp # Network News Transfer Protocol
    nntp 119/udp # Network News Transfer Protocol
    snmp 161/tcp #
    snmp 161/udp # Simple Net Mgmt Proto

On Sat, 13 Feb 1999, Dave Matthews wrote:
Hi Marc,

I'm a little relieved to hear this. But I'm still anxious about the fact that the log says,

    Feb 12 21:42:43 ascus kernel: eth0: Setting promiscuous mode.

and indeed that machine's ethernet interface is in promiscuous mode. As you know this is the password-sniffing mechanism. So I was forced to unplug the machine from the net. Can you explain/excuse this effect in a way I can live with?
<some personal text deleted>
From scrappy () hub org Sat Feb 13 16:22:27 1999
Received: from thelab.hub.org ([142.177.190.208]) by greengenes.cit.cornell.edu (4.1/2.0) id AA25842; Sat, 13 Feb 99 16:21:51 EST
Received: from localhost (scrappy@localhost) by thelab.hub.org (8.9.2/8.9.1) with ESMTP id RAA13532; Sat, 13 Feb 1999 17:21:18 -0400 (AST) (envelope-from scrappy () hub org)
X-Authentication-Warning: thelab.hub.org: scrappy owned process doing -bs
Date: Sat, 13 Feb 1999 17:21:18 -0400 (AST)
From: The Hermit Hacker <scrappy () hub org>
To: Dave Matthews <matthews () greengenes cit cornell edu>
Cc: Noel Yap <noelyap () nightshade cit cornell edu>
Subject: Re: unauthorized scan from you

I am the Systems Administrator at Hub.Org, and owner of the machine in question...

I'm running 'nmap' against a WWW generated dns file, to cull Operating System types off the Internet, with the results visible at http://www.hub.org/OS_Survey ... the software basically talks to various ports on the remote host in order to get a fingerprint of the operating system.

The IPs polled are not published anywhere, only the total stats generated, and the only information that is saved from nmap is the System Type itself...

The results of doing this, I'm hoping, is to provide a *very* unbiased view of the operating systems currently being used on the Internet, since it isn't ppl answering a poll, it's their computers themselves...

So far, it's unbiased towards MicroSloth *sigh*

I apologize for causing any undue alarm, I've tried to tailor down the software to be *as* un-obtrusive as possible...when I first tried this thing out, it port scanned all 65534 ports on a host *sigh* I've cut that down to about two dozen or so, which is enough to get a relatively accurate fingerprint of the OS...

There is absolutely no malicious intent in this, but the site listed above does provide a mechanism to remove your IP from future probes...
On Sat, 13 Feb 1999, Dave Matthews wrote:

Hi postmaster,

We appear to have been SATAN-attacked from your domain. Hardware address is included in the /var/log/syslog below.

- Dave

...

Marc G. Fournier
Systems Administrator @ hub.org
primary: scrappy () hub org secondary: scrappy@{freebsd|postgresql}.org
Marc G. Fournier
Systems Administrator @ hub.org
primary: scrappy () hub org secondary: scrappy@{freebsd|postgresql}.org
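
Added example, not part of the original thread or of nmap: a Python sketch of the check this report calls for, pulling promiscuous-mode kernel messages out of syslog and confirming an interface's current state from the IFF_PROMISC bit (0x100) of its flags word. It goes beyond the one message quoted above by also matching the net core's "device ... entered promiscuous mode" form; that second form, the Linux sysfs path and every sample line except the first are assumptions.

```python
import re
from pathlib import Path

IFF_PROMISC = 0x100  # interface flag bit, as defined in <linux/if.h>

# Syslog prefix, then two kernel message shapes: the driver message quoted in
# the thread and the net core's "device X entered promiscuous mode" (assumed).
_PREFIX = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) ")
_PATTERNS = [
    re.compile(r"kernel: (?P<iface>[\w.-]+): Setting promiscuous mode"),
    re.compile(r"kernel: device (?P<iface>[\w.-]+) entered promiscuous mode"),
]


def promisc_events(lines):
    """Return (timestamp, host, iface) for each line reporting promiscuous mode."""
    events = []
    for line in lines:
        prefix = _PREFIX.match(line)
        hit = next((m for p in _PATTERNS if (m := p.search(line))), None)
        if prefix and hit:
            events.append((prefix["ts"], prefix["host"], hit["iface"]))
    return events


def promisc_interfaces(sysfs_root="/sys/class/net"):
    """List interfaces whose current flags word has IFF_PROMISC set."""
    found = []
    for flags_file in sorted(Path(sysfs_root).glob("*/flags")):
        try:
            flags = int(flags_file.read_text().strip(), 16)  # e.g. "0x1103"
        except (OSError, ValueError):
            continue  # unreadable or malformed entry: skip it
        if flags & IFF_PROMISC:
            found.append(flags_file.parent.name)
    return found


# Constructed sample; only the first line is the one quoted in the thread.
SAMPLE_LOG = [
    "Feb 12 21:42:43 ascus kernel: eth0: Setting promiscuous mode.",
    "Feb 12 21:43:01 ascus cron[311]: (root) CMD (run-parts /etc/cron.hourly)",
    "Feb 12 21:50:10 ascus kernel: device eth1 entered promiscuous mode",
]

if __name__ == "__main__":
    print(promisc_events(SAMPLE_LOG))
    print(promisc_interfaces())
```

The log search shows when the mode was switched on, and the flags check shows whether it is still on; the flag is set by software running on the host itself, so the next step is finding which local process opened the interface.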