Re[2]: "portscans" (was Re: Arbor Networks DoS defense product)

[Allan Liska <allan () allan org>]

Hello,

Saturday, May 18, 2002, 7:17:43 PM, you wrote:

RD> On Sat, 18 May 2002, Scott Francis wrote:

> > And why, pray tell, would some unknown and unaffiliated person be scanning my
> > network to gather information or run recon if they were not planning on
> > attacking? I'm not saying that you're not right, I'm just saying that so far
> > I have heard no valid non-attack reasons for portscans (other than those run
> > by network admins against their own networks).

RD> I often like to know if a particular web server is running Unix or
RD> Winblows.  A port scanner is a useful tool in making that determination.

[allan@ns1 phpdig]$ telnet www.istop.com 80
Trying 216.187.106.194...
Connected to dci.doncaster.on.ca (216.187.106.194).
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Sun, 19 May 2002 01:47:57 GMT
Server: Apache/1.3.22 (Unix) FrontPage/4.0.4.3 PHP/4.1.2 mod_fastcgi/2.2.8
Last-Modified: Sat, 18 May 2002 06:05:35 GMT
ETag: "68807-9ff5-3ce5ef2f"
Accept-Ranges: bytes
Content-Length: 40949
Connection: close
Content-Type: text/html

Connection closed by foreign host.


(make sure you hit [Enter] twice after the "HEAD / HTTP/1.0").  Gets
you all of the information you need, and you don't have to do a
portscan.  I have a perl script that automates the task if you would
like it, let me know.


allan
-- 
allan
allan () allan org
http://www.allan.org