Educause Security Discussion mailing list archives
Re: IRC, IM Proxy Implementations
From: Mark Wilson <wilsodm () AUBURN EDU>
Date: Wed, 8 Sep 2004 11:53:07 -0500
I assume you mean lower case v (-v). Anyway, here it is: [root@willma root]# nmap -v -p 1-65535 131.204.x.x Starting nmap V. 3.00 ( www.insecure.org/nmap/ ) No tcp,udp, or ICMP scantype specified, assuming SYN Stealth scan. Use -sP if you really don't want to portscan (and just want to see what hosts are up). Host (131.204.x.x) appears to be up ... good. Initiating SYN Stealth Scan against (131.204.x.x) Adding open port 135/tcp Adding open port 389/tcp Adding open port 47624/tcp adjust_timeout: packet supposedly had rtt of 29375785 microseconds. Ignoring time. Adding open port 3009/tcp Adding open port 113/tcp adjust_timeout: packet supposedly had rtt of 32308562 microseconds. Ignoring time. Adding open port 139/tcp Adding open port 1025/tcp Adding open port 1720/tcp adjust_timeout: packet supposedly had rtt of 38317143 microseconds. Ignoring time. adjust_timeout: packet supposedly had rtt of 25738170 microseconds. Ignoring time. Adding open port 3007/tcp adjust_timeout: packet supposedly had rtt of 28683933 microseconds. Ignoring time. Adding open port 3008/tcp adjust_timeout: packet supposedly had rtt of 8956551 microseconds. Ignoring time. Adding open port 1002/tcp Adding open port 445/tcp The SYN Stealth Scan took 64 seconds to scan 65535 ports. Interesting ports on (131.204.x.x): (The 65523 ports scanned but not shown below are in state: closed) Port State Service 113/tcp open auth 135/tcp open loc-srv 139/tcp open netbios-ssn 389/tcp open ldap 445/tcp open microsoft-ds 1002/tcp open unknown 1025/tcp open NFS-or-IIS 1720/tcp open H.323/Q.931 3007/tcp open unknown 3008/tcp open unknown 3009/tcp open unknown 47624/tcp open unknown Nmap run completed -- 1 IP address (1 host up) scanned in 64 seconds thoughts?
flynngn () JMU EDU 9/8/2004 11:14:58 AM >>>
Mark Wilson wrote:
Concerning port 113, regular scans of our network for port 113 has uncovered many bots. One "tool" you may wish to use is expect. I
have
written an expect script that telnets into port 113 and performs a
<CR>
to get the familiar: spawn telnet 131.204.x.x 113 Trying 131.204.x.x ... Connected to 131.204.x.x. Escape character is '^]'. : USERID : UNIX : ggdmlnfa ^] This confirms PC is Bot-ed. After scanning port 113, dump the IPs (with port 113 open) to a
file.
The expect script reads the IP file to "automate" the process.
Out of curiosity, has anyone tried an nmap -V on these servers? -- Gary Flynn Security Engineer James Madison University ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/. ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
Current thread:
- Re: IRC, IM Proxy Implementations, (continued)
- Re: IRC, IM Proxy Implementations John Kristoff (Sep 03)
- Re: IRC, IM Proxy Implementations H. Morrow Long (Sep 03)
- Re: IRC, IM Proxy Implementations Mike Porter (Sep 05)
- Re: IRC, IM Proxy Implementations Mark Wilson (Sep 08)
- Re: IRC, IM Proxy Implementations Justin Azoff (Sep 08)
- Re: IRC, IM Proxy Implementations Mark Wilson (Sep 08)
- Re: IRC, IM Proxy Implementations Hearn, David L. (Sep 08)
- Re: IRC, IM Proxy Implementations Daniel Adinolfi (Sep 08)
- Re: IRC, IM Proxy Implementations Richard Gadsden (Sep 08)
- Re: IRC, IM Proxy Implementations Gary Flynn (Sep 08)
- Re: IRC, IM Proxy Implementations Mark Wilson (Sep 08)
- Re: IRC, IM Proxy Implementations Justin Azoff (Sep 08)
- Re: IRC, IM Proxy Implementations H. Morrow Long (Sep 08)
- Re: IRC, IM Proxy Implementations Herrera Reyna Omar (Sep 08)
- Re: IRC, IM Proxy Implementations Eric Pancer (Sep 08)
- Re: IRC, IM Proxy Implementations Gary Flynn (Sep 08)
- Re: IRC, IM Proxy Implementations H. Morrow Long (Sep 08)
- Re: IRC, IM Proxy Implementations Mark Wilson (Sep 08)