Re: is this real?

[Eric Brown <ericbrow () ziplip com>]

Michael,
I've seen this sort of openness with unpatched Cobalt servers from Sun.  They're nice in that they allow someone with 
limited knowledge and expirence set up their own web and mail server, but they're about as secure as swiss cheese.  The 
first server I ran in production was a Cobalt Raq4.  Then I started learning about network security (thanks in large 
part to this list).  Now we've switched to a much more secure setup.

Or it could be a honeypot.  It does look suspiciously open, I'll agree with you on that.

Eric


> -----Original Message-----
> From: Michael Weber [mailto:mweber () hitwin com]
> Sent: Tuesday, March 16, 2004, 9:19 AM
> To: security-basics () securityfocus com
> Subject: is this real?
>
> Hi,
>
> after the weekend i spend a few hours for a journey trough my logfiles 
> from the weekend. So i detect one IP which scan us very often and try to 
> connect to ssh. Not unusual so far... normally i do an nmap run, look on 
> the machine and forget it.
>
> But This:
>
> Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2004-03-15 18:30 CET
> Interesting ports on xxx.xxx.xxx.xxx:
> (The 1007 ports scanned but not shown below are in state: closed)
> PORT    STATE    SERVICE      VERSION
> 21/tcp  open     ftp?
> 22/tcp  open     ssh          SSH 1.2.33 (protocol 1.5)
> 23/tcp  open     telnet       Linux telnetd
> 25/tcp  open     smtp         Sendmail smtpd 8.11.6/8.11.0
> 53/tcp  open     domain       ISC Bind 8.2.2-P5
> 79/tcp  open     finger       Linux fingerd
> 80/tcp  open     http         Apache httpd 1.3.23 ((Unix) PHP/4.1.2)
> 109/tcp open     pop-2?
> 110/tcp open     pop3
> 135/tcp filtered msrpc
> 139/tcp filtered netbios-ssn
> 143/tcp open     imap?
> 445/tcp filtered microsoft-ds
> 513/tcp open     login?
> 514/tcp open     shell?
> 587/tcp open     smtp         Sendmail 8.11.6/8.11.0
> 707/tcp filtered unknown
>
> Could THIS be real??? Or is it a honeypot? SSH in a version older than 
> me, telnet online, finger talks to the whole world and so on.... just a 
> question because i have never seen somewhat... open... in the wild 
> before. Somewhere in Korea...
>
> regards,
> Michael
>
>
>
> ---------------------------------------------------------------------------
> Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
> any course! All of our class sizes are guaranteed to be 10 students or less 
> to facilitate one-on-one interaction with one of our expert instructors. 
> Attend a course taught by an expert instructor with years of in-the-field 
> pen testing experience in our state of the art hacking lab. Master the skills 
> of an Ethical Hacker to better assess the security of your organization. 
> Visit us at: 
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> ----------------------------------------------------------------------------


To do is to be.  -Socrates
To be is to do.  -Satre
Do be do be do.  -Sinatra

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------