Educause Security Discussion mailing list archives
Re: IRC, IM Proxy Implementations
From: Gary Flynn <flynngn () JMU EDU>
Date: Wed, 8 Sep 2004 13:41:43 -0400
Mark Wilson wrote:
I assume you mean lower case v (-v). Anyway, here it is: [root@willma root]# nmap -v -p 1-65535 131.204.x.x
Nope. Upper case V. In nmap 3.5 and later, the -V option performs a variety of things to attempt to identify the service listening on open ports that are found. If it doesn't recognize the service, it prints a fingerprint that can be submitted to the developer along with information about the service so it will be included in the next version (at least it did in 3.5, I just tried to produce it in 3.55 and it didn't print the unknown fingerprint). It would seem to be a very useful tool for malware detection and identification if we could update the signature database rapidly. That is why I was wondering if you'd tried it on the malware services listening on the auth port. Output looks like this: PORT STATE SERVICE VERSION 21/tcp open ftp NcFTPd 22/tcp open ssh OpenSSH 3.6.1p2 (protocol 2.0) 80/tcp open http Apache httpd 2.0.49 ((Unix)) 111/tcp open rpcbind 2 (rpc #100000) 199/tcp open smux Linux SNMP multiplexer 7937/tcp open nsrexec 1 (rpc #390113) 32768/tcp open status 1 (rpc #100024) PORT STATE SERVICE VERSION 80/tcp open http Microsoft IIS webserver 6.0 135/tcp open msrpc Microsoft Windows msrpc 139/tcp open netbios-ssn 443/tcp open https? 445/tcp open microsoft-ds Microsoft Windows 2003 microsoft-ds 1025/tcp open msrpc Microsoft Windows msrpc 1026/tcp open msrpc Microsoft Windows msrpc 1037/tcp open msrpc Microsoft Windows msrpc 1055/tcp open unknown 1311/tcp open securetransport Tumbleweed SecureTransport Transaction Manager Secure Port 3389/tcp open microsoft-rdp Microsoft Terminal Service (Windows 2000 Server) 5881/tcp open vnc-http WinVNC (Server: XXXX; Resolution 1024x800; VNC TCP port: 5981; May be standard or TightVNC) 5981/tcp open vnc VNC (protocol 3.3) 6288/tcp open http Microsoft IIS webserver 6.0 8000/tcp open http-alt? 8009/tcp open ajp13? 8080/tcp open http Apache Tomcat/Coyote JSP engine 1.0 8443/tcp open msdtc Microsoft Distributed Transaction Coordinator And on the auth port: (I'd better check these now) 113/open/tcp//ident//Internet Rex identd/ 113/open/tcp//ident//Internet Rex identd/ 113/open/tcp//auth?/// 113/open/tcp//auth?/// 113/open/tcp//auth?/// 113/open/tcp//ident//Internet Rex identd/ 113/open/tcp//auth?/// 113/open/tcp//auth?/// 113/open/tcp//auth?/// 113/open/tcp//ident//Liedentd (Claimed user: XXXX)/ 113/open/tcp//ident//Internet Rex identd/ 113/open/tcp//ident//Internet Rex identd/ 113/open/tcp//ident//OpenBSD identd/ Again, it didn't print the signature when the service was unknown as I expected it to and as it did in 3.5. Maybe its an option on 3.55. -- Gary Flynn Security Engineer James Madison University ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
Current thread:
- Re: IRC, IM Proxy Implementations, (continued)
- Re: IRC, IM Proxy Implementations Mark Wilson (Sep 08)
- Re: IRC, IM Proxy Implementations Hearn, David L. (Sep 08)
- Re: IRC, IM Proxy Implementations Daniel Adinolfi (Sep 08)
- Re: IRC, IM Proxy Implementations Richard Gadsden (Sep 08)
- Re: IRC, IM Proxy Implementations Gary Flynn (Sep 08)
- Re: IRC, IM Proxy Implementations Mark Wilson (Sep 08)
- Re: IRC, IM Proxy Implementations Justin Azoff (Sep 08)
- Re: IRC, IM Proxy Implementations H. Morrow Long (Sep 08)
- Re: IRC, IM Proxy Implementations Herrera Reyna Omar (Sep 08)
- Re: IRC, IM Proxy Implementations Eric Pancer (Sep 08)
- Re: IRC, IM Proxy Implementations Gary Flynn (Sep 08)
- Re: IRC, IM Proxy Implementations H. Morrow Long (Sep 08)
- Re: IRC, IM Proxy Implementations Mark Wilson (Sep 08)