Security Incidents mailing list archives

Probes from Microsoft


From: "Ryan W. Maple" <ryan () GUARDIANDIGITAL COM>
Date: Fri, 23 Feb 2001 19:53:53 -0500


For the last day or so, we have been getting probes such as this ...

  Feb 23 19:39:17 ns named[8363]: denied query from [207.68.131.17].7018 for "."
  Feb 23 19:40:16 ns last message repeated 2 times
  Feb 23 19:40:16 ns named[8363]: denied query from [207.68.131.17].9210 for "."


... which resolves to a block owned by MSN ...

  Name:    dcwu3dns1.windowsupdate.com
  Address:  207.68.131.17

  MSN (NETBLK-MSN-BLK)
     One Microsoft Way
     Redmond, WA 98052
     US

     Netname: MSN-BLK
     Netblock: 207.68.128.0 - 207.68.207.255
     Maintainer: MSN

  -- Traceroute is going through Microsoft gateway (above-gw1.microsoft.com).


... so today I decided to nmap them to see if this was some kind of joke ...

  Starting nmap V. 2.54BETA7 ( www.insecure.org/nmap/ )
  Interesting ports on dcwu3dns1.windowsupdate.com (207.68.131.17):
  (The 1531 ports scanned but not shown below are in state: closed)
  Port       State       Service
  22/tcp     open        ssh
  53/tcp     open        domain
  443/tcp    open        https

  TCP Sequence Prediction: Class=random positive increments
                           Difficulty=46338 (Worthy challenge)
  Remote operating system guess: F5labs Big/IP HA TCP/IP Load Balancer (BSDI kernel/x86)


... so I probe the ports ...

SSH:
  SSH-1.5-1.3.7 F-SECURE SSH

DNS:
  VERSION.BIND    text = "8.2.2-P5"

HTTPS:
  "Enter username for 3-DNS at 207.68.131.17"


Now I'm not going to call up Microsoft and say "I think you are hacked"
because I don't really feel like going through all the work to find out who
to contact, and all that.  I have cc:'d secure () microsoft com on this message
so hopefully somebody there will investigate.

Has anybody else been seeing this?  I have to admit that I find this kind
of funny if this is in fact Microsoft (which all signs point to).

Cheers,
Ryan

 +-- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --+
   Ryan W. Maple          "I dunno, I dream in Perl sometimes..."  -LW
   Guardian Digital, Inc.                     ryan () guardiandigital com
 +-- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --+

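As an added example (not part of Ryan's post or any Guardian Digital code), a small defender-side Python parser for the BIND 8 syslog lines quoted above: it folds the syslog "last message repeated N times" lines into the denied-query entry they refer to and lists the sources that repeatedly asked for the root zone ".". The sample log is constructed for illustration; the 192.0.2.x addresses are documentation addresses, and the threshold is an assumed tuning knob.

```python
import re
from collections import Counter

# Constructed sample in the BIND 8 / syslog format quoted in the post.
SAMPLE_LOG = """\
Feb 23 19:39:17 ns named[8363]: denied query from [207.68.131.17].7018 for "."
Feb 23 19:40:16 ns last message repeated 2 times
Feb 23 19:40:16 ns named[8363]: denied query from [207.68.131.17].9210 for "."
Feb 23 19:41:02 ns named[8363]: denied query from [192.0.2.44].1053 for "example.com"
Feb 23 19:41:30 ns last message repeated 3 times
Feb 23 19:42:00 ns sshd[9100]: Accepted publickey for ryan from 192.0.2.10 port 40022 ssh2
"""

DENIED_RE = re.compile(
    r'named\[\d+\]: denied query from \[(?P<ip>[\d.]+)\]\.(?P<port>\d+) for "(?P<name>[^"]*)"'
)
REPEAT_RE = re.compile(r" last message repeated (?P<n>\d+) times$")


def count_denied_queries(log_text):
    """Return Counter {(source_ip, queried_name): count}.

    syslog's "last message repeated N times" refers to the line immediately
    before it, so the repeat count is credited to that line's (ip, name) key.
    Any unrelated line in between breaks the chain.
    """
    counts = Counter()
    last_key = None  # key of the previous line if it was a denied query, else None
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            last_key = (m.group("ip"), m.group("name"))
            counts[last_key] += 1
            continue
        m = REPEAT_RE.search(line)
        if m and last_key is not None:
            counts[last_key] += int(m.group("n"))
            continue
        last_key = None  # some other message: later repeats do not refer to a denied query
    return counts


def root_probe_sources(log_text, threshold=3):
    """Source IPs that sent at least `threshold` denied queries for the root zone "."."""
    counts = count_denied_queries(log_text)
    return sorted(ip for (ip, name), n in counts.items() if name == "." and n >= threshold)


if __name__ == "__main__":
    for (ip, name), n in sorted(count_denied_queries(SAMPLE_LOG).items()):
        print(f"{ip:16} {name!r:16} {n}")
    print("root-zone probers:", root_probe_sources(SAMPLE_LOG))
```

On the sample, the first source is credited 1 + 2 + 1 = 4 denied root queries, which is the kind of aggregate worth alerting on before anyone reaches for a port scanner.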
