Nmap Announce mailing list archives

RE: Detected NMAP scan


From: Max Vision <vision () whitehats com>
Date: Wed, 6 Jan 1999 13:22:31 -0800 (PST)

The scanning party in the example shown would have been wiser to at least
use "-g 20" (it can only help).

Also everyone concerned about watching for scans in their logs should keep
in mind how easy it is to spoof a scan "-e eth0 -S www.whitehouse.gov".
Of course they aren't getting any information, but there are people out
there who enjoy disinformation, or like to cause trouble.  Also even if
the IP scanning you is the correct one, odds are in this day that it's an
0wned linux machine, and the rightful admin has no clue it's occurring.
They should be notified, but probably not accused.

Just some considerations...
Max

On Wed, 6 Jan 1999, Frank W. Keeney wrote:
I get scanned at least ten times a week!

With the 1.x versions of nmap, Linux ipfwadm successfully logged all
stealth scans in my lab.

      ----------
      From:  Lamont Granquist [SMTP:lamontg () raven genome washington edu]
      Sent:  Wednesday, January 06, 1999 12:40 PM
      To:  nmap-hackers () insecure org
      Subject:  Detected NMAP scan


      So, on Jan 3rd a machine that I admin got scanned, and with the ipfw.c
      hack that I posted previously, I recorded the following packets,
      suggesting that it was someone with nmap2.  I thought I'd post it here as
      a sighting of nmap "in the wild":

      Jan  3 04:16:14 6A:192.168.0.1 kernel: IP fw-in deny eth0 TCP 148.81.145.199:62233 192.168.0.1:80
      Jan  3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 ICMP/8 148.81.145.199 192.168.0.1
      Jan  3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 ICMP/8 148.81.145.199 192.168.0.1
      Jan  3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 ICMP/8 148.81.145.199 192.168.0.1
      Jan  3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 TCP 148.81.145.199:62234 192.168.0.1:80
      Jan  3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 TCP 148.81.145.199:62235 192.168.0.1:80

      I've also identified people doing SYN scans of port 635 which is where
      mountd often/normally resides on a linux system.
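The following is an added example, not code from this thread, from nmap, or from the ipfw.c hack Lamont mentions. It parses ipfwadm-style "IP fw-in deny" kernel log lines of the shape quoted above and groups the denied packets by logged source, so that a burst of TCP and ICMP echo probes from one address stands out the way the six lines above do. The six lines from Lamont's message are embedded as sample input (with the year assumed to be 1999, since syslog lines carry none); one further line from 10.0.0.5 is constructed here to show the source-port-20 counter, which exists because nmap's -g option (the "-g 20" Max mentions) sets the source port, and a filter rule that admits source port 20 for ftp-data would otherwise be a blind spot. The thresholds in scan_candidates are illustrative assumptions. In line with Max's point about -S, the report labels every address as the logged source, which may be forged.

```python
"""Group ipfwadm 'IP fw-in deny' log lines by logged source and flag
probe-like bursts.  Added example for this thread; not from nmap or the
list.  Year, thresholds and the 10.0.0.5 line are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_YEAR = 1999  # assumed: syslog timestamps carry no year

# Sample input: the six lines quoted in the thread, plus one constructed
# line (10.0.0.5, source port 20) to exercise the ftp-data-port counter.
SAMPLE_LOG = """\
Jan  3 04:16:14 6A:192.168.0.1 kernel: IP fw-in deny eth0 TCP 148.81.145.199:62233 192.168.0.1:80
Jan  3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 ICMP/8 148.81.145.199 192.168.0.1
Jan  3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 ICMP/8 148.81.145.199 192.168.0.1
Jan  3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 ICMP/8 148.81.145.199 192.168.0.1
Jan  3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 TCP 148.81.145.199:62234 192.168.0.1:80
Jan  3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 TCP 148.81.145.199:62235 192.168.0.1:80
Jan  3 04:20:01 6A:192.168.0.1 kernel: IP fw-in deny eth0 TCP 10.0.0.5:20 192.168.0.1:111
"""

# "<mon> <day> <time> <host> kernel: IP fw-in deny <iface> <proto>[/<icmp type>]
#  <src>[:<sport>] <dst>[:<dport>]"
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ kernel: "
    r"IP fw-in deny (?P<iface>\S+) (?P<proto>[A-Z]+)(?:/(?P<icmp_type>\d+))? "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def parse_line(line):
    """Return a dict for one deny line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['mon']} {int(m['day'])} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return {
        "ts": ts,
        "iface": m["iface"],
        "proto": m["proto"],
        "icmp_type": int(m["icmp_type"]) if m["icmp_type"] else None,
        "src": m["src"],
        "sport": int(m["sport"]) if m["sport"] else None,
        "dst": m["dst"],
        "dport": int(m["dport"]) if m["dport"] else None,
    }


def summarize(log_text):
    """Aggregate denied packets per logged source address."""
    per_src = defaultdict(lambda: {"packets": 0, "tcp_ports": set(), "icmp_echo": 0,
                                   "src_port_20": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_src[rec["src"]]
        s["packets"] += 1
        if rec["proto"] == "TCP":
            s["tcp_ports"].add(rec["dport"])
            if rec["sport"] == 20:  # ftp-data source port: watch for rules that admit it
                s["src_port_20"] += 1
        elif rec["proto"] == "ICMP" and rec["icmp_type"] == 8:
            s["icmp_echo"] += 1  # echo request, i.e. a ping probe
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])
    return dict(per_src)


def scan_candidates(summary, min_packets=3, window=timedelta(minutes=5)):
    """Sources with at least min_packets denied packets inside one window.
    Thresholds are illustrative assumptions, not tuned values."""
    return sorted(src for src, s in summary.items()
                  if s["packets"] >= min_packets and s["last"] - s["first"] <= window)


def report(summary):
    """Human-readable lines, one per candidate; the source is only what was logged."""
    out = []
    for src in scan_candidates(summary):
        s = summary[src]
        span = (s["last"] - s["first"]).seconds
        out.append(f"{src}: {s['packets']} denied packets in {span}s, tcp dst ports "
                   f"{sorted(s['tcp_ports'])}, icmp echo {s['icmp_echo']}, from src port 20: "
                   f"{s['src_port_20']} (logged source; may be forged, so notify, not accuse)")
    return out


if __name__ == "__main__":
    for line in report(summarize(SAMPLE_LOG)):
        print(line)
```

Run as-is, the script reports 148.81.145.199 with six denied packets in one second (three TCP to port 80, three ICMP echo) and says nothing about 10.0.0.5, whose single packet falls below the threshold but is still counted under src_port_20 in the summary.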