RE: Host identification

["Daniel I. Didier" <ddidier () netsecureia com>]

Cedric,
Did you verify the service is WebLogic?  The very popular Linux
administration tool, Webmin, also runs on port 10000 -Dan

http://www.NetSecureIA.com

> -----Original Message-----
> From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com]
> On Behalf Of Cedric Staub
> Sent: Friday, August 01, 2008 3:23 PM
> To: security-basics () securityfocus com
> Subject: Host identification
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello everybody
>
> I recently started scanning the /24 subnets I get assigned
> to everytime I connect to my ISP, because I was curious
> whether my 'virtual neighbours' were running any services.
> Now, everytime I do a scan, I see at least a couple of
> machines with an open port 10000, running WebLogic,
> which seems to be a product from Oracle. I don't think
> 'home users' would use such a product (but maybe I'm
> wrong), and was thinking that those were perhaps
> part of my ISP's infrastructure. Now I'm curious, what
> do you think those machines could be good for, what
> is their purpose? And why do I always see at least
> three or four of them? I attached a full nmap scan below.
>
> Thank you for any pointers!
>
> Sincerely,
> Cedric
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iD8DBQFIk2J8v0D9btKF36sRAtR0AKC4pk1A6yeaJ7ilE43UHdnOG1kYuQCgiQ6d
> NoH3J5WLd8a1eU/8QghM57k=
> =BVSo
> -----END PGP SIGNATURE-----
------------------------------------------------------------------------
--
> -----
>
> # nmap -T Aggressive -A -v TARGET
> Starting Nmap 4.53 ( http://insecure.org ) at 2008-08-01 20:48 CEST
> Initiating Ping Scan at 20:48
> Scanning TARGET [2 ports]
> Completed Ping Scan at 20:48, 0.03s elapsed (1 total hosts)
> Initiating Parallel DNS resolution of 1 host. at 20:48
> Completed Parallel DNS resolution of 1 host. at 20:48, 0.02s elapsed
> Initiating SYN Stealth Scan at 20:48
> Scanning HOSTNAME (TARGET) [1714 ports]
> Discovered open port 10000/tcp on TARGET
> Completed SYN Stealth Scan at 20:48, 6.00s elapsed (1714 total ports)
> Initiating Service scan at 20:48
> Scanning 1 service on HOSTNAME (TARGET)
> Completed Service scan at 20:48, 6.08s elapsed (1 service on 1 host)
> Initiating OS detection (try #1) against HOSTNAME (TARGET)
> Retrying OS detection (try #2) against HOSTNAME (TARGET)
> Retrying OS detection (try #3) against HOSTNAME (TARGET)
> Retrying OS detection (try #4) against HOSTNAME (TARGET)
> Retrying OS detection (try #5) against HOSTNAME (TARGET)
> TARGET: guessing hop distance at 2
> Initiating Traceroute at 20:48
> Completed Traceroute at 20:48, 0.05s elapsed
> Initiating Parallel DNS resolution of 4 hosts. at 20:48
> Completed Parallel DNS resolution of 4 hosts. at 20:48, 0.02s elapsed
> SCRIPT ENGINE: Initiating script scanning.
> Host HOSTNAME (TARGET) appears to be up ... good.
> Interesting ports on HOSTNAME (TARGET):
> Not shown: 1710 closed ports
> PORT      STATE    SERVICE     VERSION
> 23/tcp    filtered telnet
> 1720/tcp  filtered H.323/Q.931
> 8080/tcp  filtered http-proxy
> 10000/tcp open     http        WebLogic httpd
> No exact OS matches for host (If you know what OS is running on it,
> see http://insecure.org/nmap/submit/ ).
> TCP/IP fingerprint:
OS:SCAN(V=4.53%D=8/1%OT=10000%CT=1%CU=38732%PV=N%DS=2%G=Y%TM=48935A96%P=
i6
> 8
> OS:6-pc-linux-
> gnu)SEQ(SP=22%GCD=1%ISR=50%TI=I%TS=U)SEQ(SP=16%GCD=1%ISR=50%T
OS:I=I%TS=U)SEQ(SP=24%GCD=1%ISR=50%TI=I%TS=U)SEQ(SP=0%GCD=64%ISR=50%TI=I
%T
> S
OS:=U)SEQ(SP=17%GCD=1%ISR=50%TI=I%TS=U)OPS(O1=M578%O2=M578%O3=M280%O4=M5
78
> %
OS:O5=M218%O6=M109)WIN(W1=1770%W2=1770%W3=1770%W4=1770%W5=1770%W6=1770)E
CN
> (
OS:R=Y%DF=Y%T=40%W=1770%O=M578%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD
=0
> %
OS:Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=1770%S=O%A=S+%F=AS%O=M109%RD=0%Q=)T4(R=Y
%D
> F
OS:=N%T=40%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=N%T=40%W=0%S=Z%A=S+%F=AR
%O
> =
OS:%RD=0%Q=)T6(R=Y%DF=N%T=40%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=N%T=40
%W
> =
OS:0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%TOS=0%IPL=38%UN=0%RIPL=G%
RI
> D
> OS:=G%RIPCK=G%RUCK=6245%RUL=G%RUD=G)IE(R=N)
>
>
> Network Distance: 2 hops
> TCP Sequence Prediction: Difficulty=23 (Good luck!)
> IP ID Sequence Generation: Incremental
>
> TRACEROUTE (using port 10000/tcp)
> HOP RTT   ADDRESS
> 1   1.33  ...
> 2   14.85 ... (...)
> 3   20.71 HOSTNAME (TARGET)
>
> Read data files from: /usr/share/nmap
> OS and Service detection performed. Please report any incorrect
> results at http://insecure.org/nmap/submit/ .
> Nmap done: 1 IP address (1 host up) scanned in 24.857 seconds
>            Raw packets sent: 1878 (87.982KB) | Rcvd: 1791 (72.646KB)