Nmap Announce mailing list archives
RE: Detected NMAP scan
From: Max Vision <vision () whitehats com>
Date: Wed, 6 Jan 1999 13:22:31 -0800 (PST)
The scanning party in the example shown would have been wiser to at least use "-g 20" (it can only help). Also everyone concerned about watching for scans in their logs should keep in mind how easy it is to spoof a scan "-e eth0 -S www.whitehouse.gov". Of course they aren't getting any information, but there are people out there who enjoy disinformation, or like to cause trouble. Also even if the ip scanning you is the correct one, odds are in this day that it's an 0wned linux machine, and the rightful admin has no clue it's occurring. They should be notified, but probably not accused.

Just some considerations...

Max

On Wed, 6 Jan 1999, Frank W. Keeney wrote:
> I get scanned at least ten times a week! With the 1.x versions of nmap, Linux ipfwadm successfully logged all stealth scans in my lab.
>
> ----------
> From: Lamont Granquist [SMTP:lamontg () raven genome washington edu]
> Sent: Wednesday, January 06, 1999 12:40 PM
> To: nmap-hackers () insecure org
> Subject: Detected NMAP scan
>
> So, on Jan 3rd a machine that I admin got scanned, and with the ipfw.c hack that I posted previously, I recorded the following packets, suggesting that it was someone with nmap2. I thought I'd post it here as a sighting of nmap "in the wild":
>
> Jan 3 04:16:14 6A:192.168.0.1 kernel: IP fw-in deny eth0 TCP 148.81.145.199:62233 192.168.0.1:80
> Jan 3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 ICMP/8 148.81.145.199 192.168.0.1
> Jan 3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 ICMP/8 148.81.145.199 192.168.0.1
> Jan 3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 ICMP/8 148.81.145.199 192.168.0.1
> Jan 3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 TCP 148.81.145.199:62234 192.168.0.1:80
> Jan 3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 TCP 148.81.145.199:62235 192.168.0.1:80
>
> I've also identified people doing SYN scans of port 635 which is where mountd often/normally resides on a linux system.
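As an added illustration (not code from any poster in this thread), the following parses the ipfw "fw-in deny" log format quoted above and groups denied probes by source, flagging a source that sends several probes in a short window; the sample log is constructed from the posted lines plus one unrelated entry, the year and thresholds are assumptions, and the "source_verified" field records the point that the logged source address is unauthenticated.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the six lines from the post plus one unrelated denial
# (the port 635/mountd probe mentioned at the end) that should not be flagged alone.
SAMPLE_LOG = """\
Jan 3 04:16:14 6A:192.168.0.1 kernel: IP fw-in deny eth0 TCP 148.81.145.199:62233 192.168.0.1:80
Jan 3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 ICMP/8 148.81.145.199 192.168.0.1
Jan 3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 ICMP/8 148.81.145.199 192.168.0.1
Jan 3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 ICMP/8 148.81.145.199 192.168.0.1
Jan 3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 TCP 148.81.145.199:62234 192.168.0.1:80
Jan 3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 TCP 148.81.145.199:62235 192.168.0.1:80
Jan 3 09:10:00 6A:192.168.0.1 kernel: IP fw-in deny eth0 TCP 10.0.0.7:1025 192.168.0.1:635
"""

# ICMP entries carry no ports, so the :port groups are optional.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ kernel: "
    r"IP fw-in deny (?P<iface>\S+) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    # syslog timestamps have no year; 1999 is assumed so entries can be ordered.
    d["ts"] = datetime.strptime(f"1999 {d['mon']} {d['day']} {d['time']}", "%Y %b %d %H:%M:%S")
    return d

def detect_scans(log_text, min_probes=3, window_secs=5):
    """Flag sources with at least min_probes denied probes inside window_secs."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_src[rec["src"]].append(rec)
    findings = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        if len(recs) >= min_probes and span <= window_secs:
            findings[src] = {
                "probes": len(recs),
                "protocols": sorted({r["proto"] for r in recs}),
                "dst_ports": sorted({int(r["dport"]) for r in recs if r["dport"]}),
                # The source address is unauthenticated; treat it as a lead, not an accusation.
                "source_verified": False,
            }
    return findings
```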