Nmap Announce mailing list archives
RE: Detected NMAP scan
From: Lamont Granquist <lamontg () raven genome washington edu>
Date: Wed, 6 Jan 1999 13:22:38 -0800
On Wed, 6 Jan 1999, Frank W. Keeney wrote:
> I get scanned at least ten times a week! With the 1.x versions of nmap, Linux ipfwadm successfully logged all stealth scans in my lab.
Yup, but one stealth scan looks an awful lot like another. I posted this because it had the signature port 80 ACK sweep in conjunction with an ICMP ping scan which only nmap 2 does...
----------
From: Lamont Granquist [SMTP:lamontg () raven genome washington edu]
Sent: Wednesday, January 06, 1999 12:40 PM
To: nmap-hackers () insecure org
Subject: Detected NMAP scan

So, on Jan 3rd a machine that I admin got scanned, and with the ipfw.c hack that I posted previously, I recorded the following packets, suggesting that it was someone with nmap2. I thought I'd post it here as a sighting of nmap "in the wild":

Jan 3 04:16:14 6A:192.168.0.1 kernel: IP fw-in deny eth0 TCP 148.81.145.199:62233 192.168.0.1:80
Jan 3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 ICMP/8 148.81.145.199 192.168.0.1
Jan 3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 ICMP/8 148.81.145.199 192.168.0.1
Jan 3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 ICMP/8 148.81.145.199 192.168.0.1
Jan 3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 TCP 148.81.145.199:62234 192.168.0.1:80
Jan 3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 TCP 148.81.145.199:62235 192.168.0.1:80

I've also identified people doing SYN scans of port 635 which is where mountd often/normally resides on a linux system.
--
Lamont Granquist lamontg () raven genome washington edu
Dept. of Molecular Biotechnology (206)616-5735 fax: (206)685-7344
Box 352145 / University of Washington / Seattle, WA 98195
PGP pubkey: finger lamontg () raven genome washington edu | pgp -fka
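
The pairing described in the message above (ICMP echo requests together with TCP packets to port 80 from one source within seconds) can be checked mechanically over ipfwadm deny logs. The following is an added example, not code from the post or from nmap; the function names, the 5-second window, the year and the control line are assumptions, and because the logged lines carry no TCP flags it keys on co-occurrence rather than on the ACK bit.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Log lines exactly as quoted in the post (ipfwadm "IP fw-in deny" format).
POST_LOG = """\
Jan 3 04:16:14 6A:192.168.0.1 kernel: IP fw-in deny eth0 TCP 148.81.145.199:62233 192.168.0.1:80
Jan 3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 ICMP/8 148.81.145.199 192.168.0.1
Jan 3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 ICMP/8 148.81.145.199 192.168.0.1
Jan 3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 ICMP/8 148.81.145.199 192.168.0.1
Jan 3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 TCP 148.81.145.199:62234 192.168.0.1:80
Jan 3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 TCP 148.81.145.199:62235 192.168.0.1:80
"""
# Constructed control line (not from the post): a port-80 packet with no ping.
CONTROL_LOG = """\
Jan 3 09:30:02 6A:192.168.0.1 kernel: IP fw-in deny eth0 TCP 203.0.113.7:40112 192.168.0.1:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+kernel: IP fw-in deny \S+\s+"
    r"(?P<proto>TCP|ICMP/\d+)\s+(?P<src>[\d.]+)(?::\d+)?\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$")

def parse(log, year=1999):
    """Yield (time, src, dst, kind) for ICMP echo requests and TCP/80 packets."""
    # Syslog lines carry no year; 1999 is assumed from the date of the post.
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if m["proto"] == "ICMP/8":
            yield when, m["src"], m["dst"], "icmp_echo"
        elif m["proto"] == "TCP" and m["dport"] == "80":
            yield when, m["src"], m["dst"], "tcp80"

def find_ping_sweeps(log, window=timedelta(seconds=5)):
    """Flag src/dst pairs with an ICMP echo and a TCP/80 packet within `window`."""
    seen = defaultdict(lambda: {"icmp_echo": [], "tcp80": []})
    for when, src, dst, kind in parse(log):
        seen[(src, dst)][kind].append(when)
    hits = []
    for (src, dst), ev in sorted(seen.items()):
        if any(abs(a - b) <= window for a in ev["icmp_echo"] for b in ev["tcp80"]):
            hits.append({"src": src, "dst": dst, **{k: len(v) for k, v in ev.items()}})
    return hits

if __name__ == "__main__":
    for hit in find_ping_sweeps(POST_LOG + CONTROL_LOG):
        print(hit)
```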