The Boston Diaries

The ongoing saga of a programmer who doesn't live in Boston, nor does he even like Boston, but yet named his weblog/journal “The Boston Diaries.”

Go figure.

Sunday, June 04, 2000

Everything you wanted to know …

I found Dan Berstein's website via a Slashdot discussion on exploits. His site has a lot of good technical information about the various TCP/IP protocols like SMTP, FTP and DNS. It's worth reading.

“Captain! We're being scanned!”

So I'm running monnet, a network monitor I wrote when I caught a portscan of my network, using SUNRPC. Curious, I run nmap on the offending machine and get the following:

Port    State       Protocol  Service
21      open        tcp        ftp             
23      open        tcp        telnet          
25      open        tcp        smtp            
53      open        tcp        domain          
79      open        tcp        finger          
80      open        tcp        http            
98      open        tcp        linuxconf       
111     open        tcp        sunrpc          
113     open        tcp        auth            
119     open        tcp        nntp            
137     filtered    tcp        netbios-ns      
138     filtered    tcp        netbios-dgm     
139     filtered    tcp        netbios-ssn     
513     open        tcp        login           
514     open        tcp        shell           
515     open        tcp        printer         
520     filtered    tcp        efs             
655     open        tcp        unknown         
676     open        tcp        unknown         
681     open        tcp        unknown         
686     open        tcp        unknown         
1024    open        tcp        unknown         

TCP Sequence Prediction: Class=random positive increments
			Difficulty=2284334 (Good luck!)

Sequence numbers: C3909E99 C3E1B596 C3907551 C34F8007 C3F3F4E4 C3924E90
Remote operating system guess: Linux 2.1.122 - 2.1.130

Amazing. Simply amazing. I don't know what's worse—RedHat making their default installation so open (and it was RedHat, I checked the web server running on the box and it said as much) or that this person didn't realize what he (I checked finger and it reported back a masculine name as being logged in) got himself into when putting a RedHat box and the end of a cable modem.

So I wrote the person the following:

[spc]linus:/home/spc>telnet XXX.XXX.XXX.XXX smtp
Escape character is '^]'.
220  XXXXXXXX.XXXXXXXX.XXXXXXXXESMTP Sendmail 8.9.3/8.9.3; Sun, 4 Jun 2000 01:29:33 -0700
mail from:<>
250 <>... Sender ok
rcpt to:<XXXXXXXX>
250 <XXXXXXXX>... Recipient ok
354 Enter mail, end with "." on a line by itself
Subject: Thanks for portscanning my network ...

  I'd like to thank you for port scanning my home network, especially from
a system with FTP, TELNET, SMTP, DNS, FINGER, HTTP, LINUXCONF and a slew of
other services open and running on your freshly installed RedHat
of Linux.

  If you have no idea what I'm talking about, then let me inform you that
your system may have been compromised by someone.
 Just letting you know.


250 BAA21935 Message accepted for delivery
221 XXXXXXXX.XXXXXXXX.XXXXXXXX closing connection
Connection closed by foreign host.

I'm wondering how he'll respond.

Obligatory Picture

[The future's so bright, I gotta wear shades]

Obligatory Contact Info

Obligatory Feeds

Obligatory Links

Obligatory Miscellaneous

You have my permission to link freely to any entry here. Go ahead, I won't bite. I promise.

The dates are the permanent links to that day's entries (or entry, if there is only one entry). The titles are the permanent links to that entry only. The format for the links are simple: Start with the base link for this site:, then add the date you are interested in, say 2000/08/01, so that would make the final URL:

You can also specify the entire month by leaving off the day portion. You can even select an arbitrary portion of time.

You may also note subtle shading of the links and that's intentional: the “closer” the link is (relative to the page) the “brighter” it appears. It's an experiment in using color shading to denote the distance a link is from here. If you don't notice it, don't worry; it's not all that important.

It is assumed that every brand name, slogan, corporate name, symbol, design element, et cetera mentioned in these pages is a protected and/or trademarked entity, the sole property of its owner(s), and acknowledgement of this status is implied.

Copyright © 1999-2024 by Sean Conner. All Rights Reserved.