Nmap Announce mailing list archives
Re: Nmap and xlogmaster
From: Steve Palmer <spalmer () leo gov>
Date: Fri, 29 Jan 1999 01:31:34 -0500
My NID kicks off a shell script that does an nslookup, whois' (arin, apnic, nic.mil, nic.gov, and internic), does an nmap probe, then emails me the results. Then the NID adds the IP to a list. Each time the NID picks up a probe it checks the list; if the IP is already in the list, it doesn't run the script, but the event is logged. Every night I delete the list, so it starts fresh every day.

Steve Palmer

PS For anyone who cares to hear my impassioned plea for help!! I am compiling quite a rather large list of sites that I will put up on a website one day. I seem to get hit from Brazil and Mexico a lot. Most often they are linux boxes. They try to do a zone xfer, finger, cgi-bin stuff, telnet, pop, imap, and occasionally one or two more ports. Anyway, here is my desperate plea... I would like to get my hands on the tool that they are using. I am assuming that they don't use their DNS servers to launch probes from, and I am also assuming that the sites are not spoofed because they seem to be pretty wide open Linux boxes often running imap, pop, which have had some problems. So I am assUMEing that some of these sites are owned. I thought the tool might be mscan, sscan, or some variant, but I have not yet been able to reproduce the desired "#" (in my lab of course). If anyone could point me in the right direction, I would greatly appreciate it.

Lamont Granquist wrote:

> It would also be a good idea to put this into a script and have it choke the number of scans it will do based both on how often it scans a particular machine and how often it issues scans to any machines. That way you don't get used by a spoofer to DoS someone else via using your machine as a "bandwidth multiplier." It should of course log the fact that it is choking, and it should be careful not to fill your disk up.
>
> Also, I'm a little bit worried that nmap is getting to be a large and complicated program and may have exploitable security holes in it. When doing booby-traps like this you always have to consider that someone may attack you by setting off the booby-trap and then supplying the program with, say, a buffer overflow which will compromise your security. This is why tcp_wrappers ships with the safe_finger program for you to use in booby-traps since it has likely undergone a better security audit than the finger program on your machine.
>
> On Thu, 28 Jan 1999, Max Vision wrote:
>
> > On Thu, 28 Jan 1999, Erik Parker wrote:
> >
> > > So.. Using xlogmaster, anytime it sees "ssh connection attempt" it executes /root/program
> > >
> > > /root/program contains:
> > >
> > > tail /var/log/messages | grep -i "ssh connection attempt from" |awk '{print $10}'|xargs nmap -O >> /root/nmaplog
> >
> > First to answer your questions, to get the actual fingerprint use -d. As for the append option, use >>.
> >
> > Now to address your "/root/program" script... there are several problems that I would hate to see you run into. What if there are, say, five connections to your ssh port, each right after the other, thus fitting into the last ten lines of /var/log/messages (which is what tail grabs by default). This would cause your program, on the fifth catch, to have run a full portscan against a host(s) 15 times.
> >
> > Not that I would condone the use of your script above, but one way to at least limit scanning to just one host would be to change it to:
> >
> > tail /var/log/messages |grep -i "ssh connection atte"|awk '{print $10}'|\
> >   tail -1|xargs nmap -O -sS -p 22,25,53,80,139 >> /root/nmaplog
> >
> > Note that I also suggest adding a port range since that will catch and ID like 99% of the hosts out there.
> >
> > Good luck!
> > Max
>
> --
> Lamont Granquist lamontg () raven genome washington edu
> Dept. of Molecular Biotechnology (206)616-5735 fax: (206)685-7344
> Box 352145 / University of Washington / Seattle, WA 98195
> PGP pubkey: finger lamontg () raven genome washington edu | pgp -fka
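As an added example (not code from any poster in this thread), here is a gate that combines Steve's "seen today" list with the per-window cap, choke logging and bounded disk use that Lamont asks for, so an event from a NID or xlogmaster is deduplicated and throttled before anything acts on it. GATE_DIR, MAX_PER_WINDOW, the log-line format and the sample line are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a gate between a log event and any
# follow-up action. Dedup per IP until the nightly reset, cap actions per
# window, log every choke, and keep the gate's own log from filling the disk.
# GATE_DIR, MAX_PER_WINDOW and the log-line format are assumptions.
GATE_DIR="${GATE_DIR:-$(mktemp -d)}"
SEEN_LIST="$GATE_DIR/seen.list"        # IPs already handled since the last reset
GATE_LOG="$GATE_DIR/gate.log"          # every decision, including choked ones
MAX_PER_WINDOW="${MAX_PER_WINDOW:-5}"  # global cap on actions per window
LOG_MAX_BYTES=1048576                  # roll the log before it eats the disk

log() { printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$GATE_LOG"; }

rotate_log() {
    # keep one previous generation, so logging chokes can never fill the disk
    [ -f "$GATE_LOG" ] || return 0
    if [ "$(wc -c < "$GATE_LOG" | tr -d ' ')" -gt "$LOG_MAX_BYTES" ]; then
        mv "$GATE_LOG" "$GATE_LOG.1"
    fi
}

# Pull the source address out of a constructed log line such as
#   "Jan 28 10:00:01 host sshd[123]: ssh connection attempt from 192.0.2.10"
# Matching the token after "from" is sturdier than awk '{print $10}', which
# breaks as soon as a hostname or pid changes the field count.
extract_ip() {
    printf '%s\n' "$1" | sed -n 's/.*connection attempt from \([0-9][0-9.]*\).*/\1/p'
}

# gate IP -> prints "run", "seen" or "choke" and records the decision.
gate() {
    ip="$1"
    rotate_log
    touch "$SEEN_LIST"
    if grep -qxF "$ip" "$SEEN_LIST"; then       # already handled: log only
        log "seen $ip (already handled, event logged, no action)"
        echo seen; return 0
    fi
    if [ "$(wc -l < "$SEEN_LIST" | tr -d ' ')" -ge "$MAX_PER_WINDOW" ]; then
        log "choke $ip (cap $MAX_PER_WINDOW reached this window, no action)"
        echo choke; return 0                     # the bandwidth-multiplier case
    fi
    echo "$ip" >> "$SEEN_LIST"
    log "run $ip"
    echo run
}

reset_seen() { : > "$SEEN_LIST"; }   # the nightly cron job: start fresh
```

Only a `run` result should ever reach the lookup or probe step; `seen` and `choke` leave nothing but a log line.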
Current thread:
- Nmap and xlogmaster Erik Parker (Jan 28)
- Re: Nmap and xlogmaster Max Vision (Jan 28)
- Re: Nmap and xlogmaster Adam Shostack (Jan 28)
- Re: Nmap and xlogmaster Lamont Granquist (Jan 28)
- Re: Nmap and xlogmaster Erik Parker (Jan 28)
- Re: Nmap and xlogmaster HD Moore (Jan 28)
- Re: Nmap and xlogmaster Lamont Granquist (Jan 29)
- Re: Nmap and xlogmaster Steve Palmer (Jan 28)
- Re: Nmap and xlogmaster Lamont Granquist (Jan 29)
- Re: Nmap and xlogmaster Dave Dittrich (Jan 29)
- Re: Nmap and xlogmaster Max Vision (Jan 28)