Sunday, June 04, 2000
“Captain! We're being scanned!”
So I'm running monnet, a network monitor I wrote when I caught a portscan of my network, using SUNRPC. Curious, I run nmap on the offending machine and get the following:
Interesting ports on XXXXXXXX.XXXXXXXX.XXXXXXXX (XXX.XXX.XXX.XXX): Port State Protocol Service 21 open tcp ftp 23 open tcp telnet 25 open tcp smtp 53 open tcp domain 79 open tcp finger 80 open tcp http 98 open tcp linuxconf 111 open tcp sunrpc 113 open tcp auth 119 open tcp nntp 137 filtered tcp netbios-ns 138 filtered tcp netbios-dgm 139 filtered tcp netbios-ssn 513 open tcp login 514 open tcp shell 515 open tcp printer 520 filtered tcp efs 655 open tcp unknown 676 open tcp unknown 681 open tcp unknown 686 open tcp unknown 1024 open tcp unknown TCP Sequence Prediction: Class=random positive increments Difficulty=2284334 (Good luck!) Sequence numbers: C3909E99 C3E1B596 C3907551 C34F8007 C3F3F4E4 C3924E90 Remote operating system guess: Linux 2.1.122 - 2.1.130
Amazing. Simply amazing. I don't know what's worse—RedHat making their default installation so open (and it was RedHat, I checked the web server running on the box and it said as much) or that this person didn't realize what he (I checked finger and it reported back a masculine name as being logged in) got himself into when putting a RedHat box and the end of a cable modem.
So I wrote the person the following:
[spc]linus:/home/spc>telnet XXX.XXX.XXX.XXX smtp Trying XXX.XXX.XXX.XXX... Connected to XXXXXXXX.XXXXXXXX.XXXXXXXX Escape character is '^]'. 220 XXXXXXXX.XXXXXXXX.XXXXXXXXESMTP Sendmail 8.9.3/8.9.3; Sun, 4 Jun 2000 01:29:33 -0700 helo linus.slab.conman.org 250 XXXXXXXX.XXXXXXXX.XXXXXXXX Hello IDENT:XXXXXXXXXXXXXXXXXXXXXXXXX [XXX.XXX.XXX.XXX], pleased to meet you mail from:<email@example.com> 250 <firstname.lastname@example.org>... Sender ok rcpt to:<XXXXXXXX> 250 <XXXXXXXX>... Recipient ok data 354 Enter mail, end with "." on a line by itself From: email@example.com To: XXXXXXXX@XXXXXXXX.XXXXXXXX.XXXXXXXX Subject: Thanks for portscanning my network ... I'd like to thank you for port scanning my home network, especially from a system with FTP, TELNET, SMTP, DNS, FINGER, HTTP, LINUXCONF and a slew of other services open and running on your freshly installed RedHat installation of Linux. If you have no idea what I'm talking about, then let me inform you that your system may have been compromised by someone. Just letting you know. -spc . 250 BAA21935 Message accepted for delivery quit 221 XXXXXXXX.XXXXXXXX.XXXXXXXX closing connection Connection closed by foreign host. [spc]linus:/home/spc>
I'm wondering how he'll respond.