Date: Tue, 7 May 2002 16:46:31 +0200
From: Florian Cramer
To: Nettime
Subject: Re: PUBLIC DOMAIN SCANNER
Sender: nettime-l-request@bbs.thing.net
Precedence: bulk
Reply-To: Florian Cramer
Am Tue, 07.May.2002 um 13:14:24 +0200x schrieb knowbotic.research:
>
>
> MINDS OF CONCERN::breaking news
> http://unitedwehack.ath.cx
>
> PUBLIC DOMAIN SCANNER
> http://unitedwehack.homeunix.net/minds3/
[...]
> In the project, we are using non-invasive SECURITY scanning tools, which
> systems administrators alike use in order to detect security holes on the
> Internet servers.
unitedwehack.ath.cx
All 1549 scanned ports on (209.73.19.97) are: UNfiltered
Interesting ports on (209.73.19.97):
(The 1542 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
80/tcp open http
111/tcp open sunrpc
443/tcp open https
901/tcp open samba-swat
3306/tcp open mysql
6000/tcp open X11
+ unitedwehack.ath.cx :
. List of open ports :
o general/tcp (Security warnings found)
o general/udp (Security notes found)
o unknown (32768/tcp) (Security warnings found)
o general/icmp (Security warnings found)
. Warning found on port general/tcp
Microsoft Windows 95 and 98 clients have the ability
to bind multiple TCP/IP stacks on the same MAC address,
simply by having the protocol addded more than once
in the Network Control panel.
The remote host has several TCP/IP stacks with the
same IP binded on the same MAC adress. As a result,
it will reply several times to the same packets,
such as by sending multiple ACK to a single SYN,
creating noise on your network. If several hosts
behave the same way, then your network will be brought
down.
Solution : remove all the IP stacks except one in the remote
host
Risk factor :
Medium
. Warning found on port general/tcp
The remote host uses non-random IP IDs, that is, it is
possible to predict the next value of the ip_id field of
the ip packets sent by this host.
An attacker may use this feature to determine if the remote
host sent a packet in reply to another request. This may be
used for portscanning and other things.
Solution : Contact your vendor for a patch
Risk factor :
Low
. Information found on port general/udp
For your information, here is the traceroute to 209.73.19.97 :
160.45.155.1
130.133.98.2
188.1.33.33
188.1.20.5
188.1.18.110
134.222.130.229
134.222.231.5
134.222.230.17
134.222.230.6
134.222.229.238
134.222.229.234
205.171.30.145
205.171.230.22
205.171.30.86
205.171.62.2
206.252.135.2
209.73.19.65
209.73.19.97
. Warning found on port unknown (32768/tcp)
The fam RPC service is running.
Several versions of this service have
a well-known buffer oveflow condition
that allows intruders to execute
arbitrary commands as root on this system.
Solution : disable this service in /etc/inetd.conf
More information :
http://www.nai.com/nai_labs/asp_set/advisory/16_fa m_adv.asp
Risk factor : High
CVE : CVE-1999-0059
. Warning found on port general/icmp
The remote host answers to an ICMP timestamp
request. This allows an attacker to know the
date which is set on your machine.
This may help him to defeat all your
time based authentifications protocols.
Solution : filter out the icmp timestamp
requests (13), and the outgoing icmp
timestamp replies (14).
Risk factor : Low
CVE : CAN-1999-0524
Florian
# distributed via : no commercial use without permission
# is a moderated mailing list for net criticism,
# collaborative text filtering and cultural politics of the nets
# more info: majordomo@bbs.thing.net and "info nettime-l" in the msg body
# archive: http://www.nettime.org contact: nettime@bbs.thing.net
Date: Wed, 08 May 2002 10:48:42 +0200
From: "knowbotic.research"
Subject: Re: [rohrpost] PUBLIC DOMAIN SCANNER
>unitedwehack.ath.cx
>All 1549 scanned ports on (209.73.19.97) are: UNfiltered
May 5 21:00:34 on open scanner:
May 5 21:00:23 snd sshd[16010]: fatal: Read from socket failed: Connection
reset by peer
netname: CABLECOM-MAIN-NET descr: Cablecom GmbH descr: Zuerich
May 5 21:00:34 snd sshd[16032]: Failed password for illegal user su from
217.162.194.136 port 1116
May 5 21:00:39 snd sshd[16032]: fatal: Read from socket failed: Connection
reset by peer
May 6 06:14:11 snd sshd[31593]: Did not receive identification string from
211.124.245.7
Hutchison Telecommunications (Hong Kong) Limited
May 7 12:18:46 snd sshd[14426]: Did not receive identification string from
210.0.210.16
[Network Name] CWO-NET g. [Organization] City Wave Osaka Inc.
May 7 19:03:56 snd sshd[28072]: Did not receive identification string from
211.124.245.7
Freie Universitaet Berlin
May 7 19:26:24 snd sshd[31515]: Bad protocol version identification 'QUIT'
from 160.45.155.53
May 7 19:27:27 snd sshd[31728]: Did not receive identification string from
160.45.155.53
netname: DOM-NET descr: digital online media Gmbh descr: Bismarckstr. 60
descr: D-50672 Koeln
May 7 21:07:02 snd sshd[11961]: Bad protocol version identification '^D'
from 194.77.86.7