Nmap Announce mailing list archives

Re: Nmap and xlogmaster


From: Steve Palmer <spalmer () leo gov>
Date: Fri, 29 Jan 1999 01:31:34 -0500

My NID kicks off a shell script that does an nslookup, whois' (arin, apnic,
nic.mil, nic.gov, and internic), does an nmap probe, then emails me the
results.  Then the NID adds the IP to a list.  Each time the NID picks up a
probe it checks the list; if the IP is already in the list, it doesn't run the
script, but the event is logged.  Every night I delete the list, so it starts
fresh every day.

Steve Palmer

PS    For anyone who cares to hear my impassioned plea for help!!

I am compiling quite a rather large list of sites that I will put up on a
website one day.  I seem to get hit from Brazil and Mexico a lot.  Most often
they are linux boxes.  They try to do a zone xfer, finger, cgi-bin stuff,
telnet, pop, imap, and occasionally one or two more ports.  Anyway, here is my
desperate plea...
I would like to get my hands on the tool that they are using.  I am assuming
that they don't use their DNS servers to launch probes from, and I am also
assuming that the sites are not spoofed because they seem to be pretty wide
open Linux boxes often running imap, pop, which have had some problems.  So I
am assUMEing that some of these sites are owned.  I thought the tool might be
mscan, sscan, or some variant, but I have not yet been able to reproduce the
desired "#" (in my lab of course).  If anyone could point me in the right
direction, I would greatly appreciate it.



Lamont Granquist wrote:

it would also be a good idea to put this into a script and have it choke
the number of scans it will do based both on how often it scans a
particular machine and how often it issues scans to any machines.  that
way you don't get used by a spoofer to DoS someone else via using your
machine as a "bandwidth multiplier."  it should of course log the fact
that it is choking, and it should be careful not to fill your disk up.

also, i'm a little bit worried that nmap is getting to be a large and
complicated program and may have exploitable security holes in it.  when
doing booby-traps like this you always have to consider that someone may
attack you by setting off the booby-trap and then supplying the program
with, say, a buffer overflow which will compromise your security.  this is
why tcp_wrappers ships with the safe_finger program for you to use in
booby-traps since it has likely undergone a better security audit than the
finger program on your machine.

On Thu, 28 Jan 1999, Max Vision wrote:
On Thu, 28 Jan 1999, Erik Parker wrote:
So.. Using xlogmaster, anytime it sees "ssh connection attempt" it
executes /root/program

/root/program contains:

tail /var/log/messages | grep -i "ssh connection attempt from" |awk \
'{print $10}'|xargs nmap -O >> /root/nmaplog


First to answer your questions, to get the actual fingerprint use -d.  As
for the append option, use >>.

Now to address your "/root/program" script... there are several problems
that I would hate to see you run into.  What if there are, say, five
connections to your ssh port, each right after the other, thus fitting
into the last ten lines of /var/log/messages (which is what tail grabs by
default).  This would cause your program, on the fifth catch, to have
run a full portscan against a host(s) 15 times.
Not that I would condone the use of your script above, but one way to at
least limit scanning to just one host would be to change it to:
tail /var/log/messages |grep -i "ssh connection atte"|awk '{print $10}'|\
tail -1|xargs nmap -O -sS -p 22,25,53,80,139 >> /root/nmaplog

Note that I also suggest adding a port range since that will catch and ID
like 99% of the hosts out there.

Good luck!
Max


--
Lamont Granquist                       lamontg () raven genome washington edu
Dept. of Molecular Biotechnology       (206)616-5735  fax: (206)685-7344
Box 352145 / University of Washington / Seattle, WA 98195
PGP pubkey: finger lamontg () raven genome washington edu | pgp -fka
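One way to put Lamont's throttling advice and Steve's seen-list into the trap wrapper, as an added example that is not code from this thread: repeats are skipped, a global cap stops the script from being turned into a bandwidth multiplier, and every refusal is logged. The scratch directory, MAX_TOTAL and the log lines are assumptions/constructed, and the action step (where the thread's nmap line would go) is only recorded here.

```shell
#!/bin/sh
# Added example, not code from the thread: a trap wrapper that applies Steve's
# seen-list and Lamont's global cap before anything is run, and logs what it
# refused. State lives in a scratch dir; MAX_TOTAL and the file names are
# assumptions, and the log lines below are constructed, not real.
WORKDIR="${WORKDIR:-$(mktemp -d)}"
SEEN="$WORKDIR/seen"          # IPs already handled in this window
COUNT="$WORKDIR/count"        # actions taken in this window
TRAPLOG="$WORKDIR/trap.log"   # every event, including the ones refused
MAX_TOTAL="${MAX_TOTAL:-3}"   # global cap: the "bandwidth multiplier" guard

# Steve clears his list nightly; this is that reset.
reset_window() { : >"$SEEN"; echo 0 >"$COUNT"; }
reset_window; : >"$TRAPLOG"

# Constructed lines laid out so the thread's awk '{print $10}' yields the IP.
SAMPLE_LOG='Jan 28 22:10:01 gw sshd[101]: ssh connection attempt from 10.0.0.5
Jan 28 22:10:02 gw sshd[102]: ssh connection attempt from 10.0.0.5
Jan 28 22:10:03 gw cron[200]: (root) CMD (run-parts /etc/cron.hourly)
Jan 28 22:10:04 gw sshd[103]: ssh connection attempt from 192.0.2.7
Jan 28 22:10:05 gw sshd[104]: ssh connection attempt from 198.51.100.9
Jan 28 22:10:06 gw sshd[105]: ssh connection attempt from 203.0.113.4
Jan 28 22:10:07 gw sshd[106]: ssh connection attempt from 10.0.0.5'

# stdin: log text; stdout: one source IP per matching line.
extract_ips() { grep -i "ssh connection attempt from" | awk '{print $10}'; }

# Gate one IP: refuse repeats, refuse once the cap is reached, log either way.
# Exit 0 means the action step may run for this IP.
gate() {
    ip="$1"
    if grep -qxF "$ip" "$SEEN"; then
        echo "repeat $ip" >>"$TRAPLOG"; return 1
    fi
    n=$(cat "$COUNT")
    if [ "$n" -ge "$MAX_TOTAL" ]; then
        echo "throttled $ip" >>"$TRAPLOG"; return 1
    fi
    echo "$ip" >>"$SEEN"; echo $((n + 1)) >"$COUNT"
    echo "act $ip" >>"$TRAPLOG"
}

# Feed a log through the gate; prints only the IPs that reach the action step
# (where the thread's nmap line would sit; here the event is only recorded).
process_log() {
    printf '%s\n' "$1" | extract_ips | while read -r ip; do
        if gate "$ip"; then echo "$ip"; fi
    done
}
```

With the sample above and the cap at 3, only the first three distinct addresses reach the action step; the fourth is throttled and both repeats of 10.0.0.5 are skipped, all of which shows up in trap.log.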


