* * * * *

                       “Captain! We're being scanned!”

So I'm running monnet, a network monitor I wrote, when I caught a portscan of
my network using SUNRPC. Curious, I run nmap on the offending machine and
get the following:

-----[ data ]-----
Interesting ports on XXXXXXXX.XXXXXXXX.XXXXXXXX (XXX.XXX.XXX.XXX):
Port    State       Protocol  Service
21      open        tcp        ftp
23      open        tcp        telnet
25      open        tcp        smtp
53      open        tcp        domain
79      open        tcp        finger
80      open        tcp        http
98      open        tcp        linuxconf
111     open        tcp        sunrpc
113     open        tcp        auth
119     open        tcp        nntp
137     filtered    tcp        netbios-ns
138     filtered    tcp        netbios-dgm
139     filtered    tcp        netbios-ssn
513     open        tcp        login
514     open        tcp        shell
515     open        tcp        printer
520     filtered    tcp        efs
655     open        tcp        unknown
676     open        tcp        unknown
681     open        tcp        unknown
686     open        tcp        unknown
1024    open        tcp        unknown

TCP Sequence Prediction: Class=random positive increments
                       Difficulty=2284334 (Good luck!)

Sequence numbers: C3909E99 C3E1B596 C3907551 C34F8007 C3F3F4E4 C3924E90
Remote operating system guess: Linux 2.1.122 - 2.1.130
-----[ END OF LINE ]-----

Amazing. Simply amazing. I don't know what's worse—RedHat [1] making their
default installation so open (and it was RedHat, I checked the web server
running on the box and it said as much) or that this person didn't realize
what he (I checked finger and it reported back a masculine name as being
logged in) got himself into when putting a RedHat box at the end of a cable
modem.
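To see what a default install like that looks like from the defender's side, here is an added example (not part of the original post, and not nmap's or monnet's code) that parses the nmap table quoted above and groups the open ports by what exposing each service implies. The table is the scan output from this page; the risk categories are this example's own grouping and are an assumption, not something nmap reports.

```python
"""Triage a legacy nmap port table the way a defender reviewing a default
install would: which open services expose credentials, trust-based remote
execution, an admin interface, or information about the host.

Added example, not part of the original post and not nmap's or monnet's code.
NMAP_TABLE is the scan output quoted above; RISK is this example's own
(assumed) grouping of services.
"""
import re
from collections import defaultdict

# The port table from the scan above (host name and address were masked there).
NMAP_TABLE = """\
Port    State       Protocol  Service
21      open        tcp        ftp
23      open        tcp        telnet
25      open        tcp        smtp
53      open        tcp        domain
79      open        tcp        finger
80      open        tcp        http
98      open        tcp        linuxconf
111     open        tcp        sunrpc
113     open        tcp        auth
119     open        tcp        nntp
137     filtered    tcp        netbios-ns
138     filtered    tcp        netbios-dgm
139     filtered    tcp        netbios-ssn
513     open        tcp        login
514     open        tcp        shell
515     open        tcp        printer
520     filtered    tcp        efs
655     open        tcp        unknown
676     open        tcp        unknown
681     open        tcp        unknown
686     open        tcp        unknown
1024    open        tcp        unknown
"""

# Assumed categories (this example's own): what an exposed service implies.
RISK = {
    "cleartext-credentials": {"ftp", "telnet", "login"},
    "trust-based-remote-exec": {"shell", "login"},
    "remote-admin-interface": {"linuxconf"},
    "information-disclosure": {"finger", "sunrpc", "auth"},
}

# One data row: port, state, protocol, service name (names may contain '-').
ROW = re.compile(r"^(\d+)\s+(\w+)\s+(\w+)\s+(\S+)\s*$")


def parse_nmap_table(text):
    """Return (port, state, proto, service) tuples; header/blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        port, state, proto, service = m.groups()
        rows.append((int(port), state, proto, service))
    return rows


def triage(rows):
    """Group open ports by risk category.

    A service may land in more than one category (rlogin is both cleartext
    and trust-based). Unknown services become 'unidentified-listener';
    anything else that is open but uncategorised goes to 'review'.
    Filtered ports are not reachable from the scanner and are ignored.
    """
    findings = defaultdict(list)
    for port, state, proto, service in rows:
        if state != "open":
            continue
        matched = False
        for category, services in RISK.items():
            if service in services:
                findings[category].append(port)
                matched = True
        if service == "unknown":
            findings["unidentified-listener"].append(port)
        elif not matched:
            findings["review"].append(port)
    return dict(findings)


if __name__ == "__main__":
    for category, ports in sorted(triage(parse_nmap_table(NMAP_TABLE)).items()):
        print(f"{category:26s} {ports}")
```

The 'unidentified-listener' bucket is the one worth chasing first on a box you own: the high-numbered unknown ports in the scan above are typically RPC services registered with the portmapper on 111, and `rpcinfo -p` run locally on the host would name them.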

So I wrote the person the following:

-----[ shell ]-----
[spc]linus:/home/spc>telnet XXX.XXX.XXX.XXX smtp
Trying XXX.XXX.XXX.XXX...
Connected to XXXXXXXX.XXXXXXXX.XXXXXXXX
Escape character is '^]'.
220  XXXXXXXX.XXXXXXXX.XXXXXXXXESMTP Sendmail 8.9.3/8.9.3; Sun, 4 Jun 2000 01:29:33 -0700
helo linus.slab.conman.org
250 XXXXXXXX.XXXXXXXX.XXXXXXXX Hello IDENT:XXXXXXXXXXXXXXXXXXXXXXXXX [XXX.XXX.XXX.XXX], pleased to meet you
mail from:<[email protected]>
250 <[email protected]>... Sender ok
rcpt to:<XXXXXXXX>
250 <XXXXXXXX>... Recipient ok
data
354 Enter mail, end with "." on a line by itself
From: [email protected]
To: [email protected]
Subject: Thanks for portscanning my network ...

 I'd like to thank you for port scanning my home network, especially from
a system with FTP, TELNET, SMTP, DNS, FINGER, HTTP, LINUXCONF and a slew of
other services open and running on your freshly installed RedHat
installation
of Linux.

 If you have no idea what I'm talking about, then let me inform you that
your system may have been compromised by someone.
Just letting you know.

 -spc


250 BAA21935 Message accepted for delivery
quit
221 XXXXXXXX.XXXXXXXX.XXXXXXXX closing connection
Connection closed by foreign host.
[spc]linus:/home/spc>
-----[ END OF LINE ]-----

I'm wondering how he'll respond.
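The post does not show how monnet noticed the scan, so as an added example (not monnet's code or anything from the original post) here is the simplest detection that catches this kind of probe: one source address touching many distinct destination ports within a short window. The connection records, window length and threshold below are constructed for the example and are assumptions.

```python
"""Flag a port scan from time-ordered connection records: one source hitting
`threshold` distinct destination ports within `window` seconds.

Added example; not monnet's code. EVENTS is constructed, and the window and
threshold are assumed tunables.
"""
from collections import defaultdict, deque

# Constructed records: (epoch seconds, source IP, destination port).
EVENTS = [
    (1000, "192.0.2.10", 111),      # portmapper first, like the scan in the post
    (1001, "192.0.2.10", 21),
    (1001, "192.0.2.10", 23),
    (1002, "192.0.2.10", 25),
    (1002, "192.0.2.10", 79),
    (1003, "192.0.2.10", 80),
    (1004, "198.51.100.7", 80),     # ordinary web hit, not a scan
    (1040, "198.51.100.7", 80),
    (1500, "192.0.2.10", 22),       # well outside the window of the burst
]

WINDOW_SECONDS = 30   # assumed
DISTINCT_PORTS = 5    # assumed


def detect_scans(events, window=WINDOW_SECONDS, threshold=DISTINCT_PORTS):
    """Return one alert per source, raised the first time that source reaches
    `threshold` distinct ports inside a sliding `window`. Events must be in
    time order; the per-source deque holds only the events still in the window.
    """
    recent = defaultdict(deque)   # src -> deque of (ts, port) within the window
    alerted = set()
    alerts = []
    for ts, src, port in events:
        q = recent[src]
        q.append((ts, port))
        while q and ts - q[0][0] > window:
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({"src": src, "at": ts, "ports": sorted(ports)})
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(EVENTS):
        print(f"{alert['at']}: scan from {alert['src']} -> ports {alert['ports']}")
```

Alerting once per source keeps a long scan from producing one alert per port; the deque keeps memory bounded by the window rather than by the size of the log.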

[1] http://www.redhat.com/

Email author at [email protected]