Educause Security Discussion mailing list archives

Re: IRC, IM Proxy Implementations


From: Mark Wilson <wilsodm () AUBURN EDU>
Date: Wed, 8 Sep 2004 11:53:07 -0500

I assume you mean lower case v (-v).  Anyway, here it is:
[root@willma root]# nmap -v -p 1-65535 131.204.x.x

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
No tcp,udp, or ICMP scantype specified, assuming SYN Stealth scan. Use
-sP if you really don't want to portscan (and just want to see what
hosts are up).
Host  (131.204.x.x) appears to be up ... good.
Initiating SYN Stealth Scan against  (131.204.x.x)
Adding open port 135/tcp
Adding open port 389/tcp
Adding open port 47624/tcp
adjust_timeout: packet supposedly had rtt of 29375785 microseconds.
Ignoring time.
Adding open port 3009/tcp
Adding open port 113/tcp
adjust_timeout: packet supposedly had rtt of 32308562 microseconds.
Ignoring time.
Adding open port 139/tcp
Adding open port 1025/tcp
Adding open port 1720/tcp
adjust_timeout: packet supposedly had rtt of 38317143 microseconds.
Ignoring time.
adjust_timeout: packet supposedly had rtt of 25738170 microseconds.
Ignoring time.
Adding open port 3007/tcp
adjust_timeout: packet supposedly had rtt of 28683933 microseconds.
Ignoring time.
Adding open port 3008/tcp
adjust_timeout: packet supposedly had rtt of 8956551 microseconds.
Ignoring time.
Adding open port 1002/tcp
Adding open port 445/tcp
The SYN Stealth Scan took 64 seconds to scan 65535 ports.
Interesting ports on  (131.204.x.x):
(The 65523 ports scanned but not shown below are in state: closed)
Port       State       Service
113/tcp    open        auth
135/tcp    open        loc-srv
139/tcp    open        netbios-ssn
389/tcp    open        ldap
445/tcp    open        microsoft-ds
1002/tcp   open        unknown
1025/tcp   open        NFS-or-IIS
1720/tcp   open        H.323/Q.931
3007/tcp   open        unknown
3008/tcp   open        unknown
3009/tcp   open        unknown
47624/tcp  open        unknown

Nmap run completed -- 1 IP address (1 host up) scanned in 64 seconds

Thoughts?

flynngn () JMU EDU 9/8/2004 11:14:58 AM >>>
Mark Wilson wrote:

Concerning port 113, regular scans of our network for port 113 have
uncovered many bots.  One "tool" you may wish to use is expect.  I have
written an expect script that telnets into port 113 and performs a <CR>
to get the familiar:

spawn telnet 131.204.x.x 113
Trying 131.204.x.x ...
Connected to 131.204.x.x.
Escape character is '^]'.

 : USERID : UNIX : ggdmlnfa
^]
This confirms PC is Bot-ed.

After scanning port 113, dump the IPs (with port 113 open) to a file.
The expect script reads the IP file to "automate" the process.

Out of curiosity, has anyone tried an nmap -V on these servers?




--
Gary Flynn
Security Engineer
James Madison University

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.
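
The port 113 check described in the quoted message (connect, send a bare <CR>, read the reply, repeat over a file of IPs), as an added Python example that is not part of the original thread and is not the expect script the poster mentions. The function names, verdict labels and canned replies are assumptions made for illustration; the reply grammar is the RFC 1413 ident format, and the "suspect" verdict marks the reply shape shown in the post (a USERID answer although no port pair was sent).

```python
import re
import socket

# RFC 1413 reply lines:
#   <port-on-server> , <port-on-client> : USERID : <opsys> : <user-id>
#   <port-on-server> , <port-on-client> : ERROR : <error-type>
REPLY_RE = re.compile(r"^\s*(?P<ports>[^:]*?)\s*:\s*(?P<kind>USERID|ERROR)\s*:\s*(?P<rest>.*)$")
PORT_PAIR_RE = re.compile(r"^\d{1,5}\s*,\s*\d{1,5}$")

def classify_ident_reply(reply):
    """Classify what a port-113 listener returned after a bare <CR><LF>."""
    line = reply.strip()
    if not line:
        return "no-reply"
    m = REPLY_RE.match(line)
    if m is None:
        return "not-ident"
    if m.group("kind") == "ERROR":
        return "ident-error"   # listener rejected the empty query
    if not PORT_PAIR_RE.match(m.group("ports")):
        return "suspect"       # USERID answer although no port pair was sent
    return "ident-userid"

def probe(host, timeout=5.0):
    """Send a bare CR LF to host:113 and return the raw reply ('' on failure)."""
    try:
        with socket.create_connection((host, 113), timeout=timeout) as s:
            s.sendall(b"\r\n")
            return s.recv(512).decode("ascii", "replace")
    except OSError:
        return ""

def triage(hosts, probe_fn=probe):
    """Map each host from the port-113-open list to a classification."""
    return {h.strip(): classify_ident_reply(probe_fn(h.strip()))
            for h in hosts if h.strip()}

if __name__ == "__main__":
    # Constructed replies keyed by documentation addresses, so this runs offline.
    canned = {
        "192.0.2.10": " : USERID : UNIX : ggdmlnfa\r\n",   # shape shown in the post
        "192.0.2.11": "0 , 0 : ERROR : INVALID-PORT\r\n",  # constructed
        "192.0.2.12": "",                                  # constructed: no answer
    }
    for host, verdict in triage(canned, canned.get).items():
        print(host, verdict)
```

To run it against the IP file from the port 113 scan, pass the open file object as `hosts` and leave `probe_fn` at its default.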
