Re: unauthorized scan from you

[The Hermit Hacker <scrappy () hub org>]

Hi Dave...

        Effective upon reading this email, I have shut down the probe
until *I* can get further clarification on this as well.  

        So far as *I* knew, there is no way that I, on this end, can force
your ethernet ito promiscuous mode...it has to be done as root on the
machine itself.  I've CC'd this to the NMAP mailing list, hoping someone
else can give a good explanation for this...

        ...if it is something that I've done, then the probe will be
shutdown *permanently* effective now...I'm just confused as how it could
be something I've done.

        The only ports I'm using to get the fingerprint are those that, as
far as I'm aware, are totally public ports, and have reduced even that to
what appears to be the absolute minimum in order to get a clean
fingerprint.  Could one of these ports, if probed, have caused this?
sunrpc maybe?

hub> more /usr/local/lib/nmap/nmap-services
echo              7/tcp      # 
echo              7/udp      # 
discard           9/tcp      # sink null
discard           9/udp      # sink null
daytime           13/tcp     # 
daytime           13/udp     # 
ftp               21/tcp     # File Transfer [Control]
ftp               21/udp     # File Transfer [Control]
ssh               22/tcp     # Secure Shell Login
ssh               22/udp     # Secure Shell Login
telnet            23/tcp     # 
telnet            23/udp     # 
smtp              25/tcp     # Simple Mail Transfer
smtp              25/udp     # Simple Mail Transfer
finger            79/tcp     # 
finger            79/udp     # 
http              80/tcp     # World Wide Web HTTP
http              80/udp     # World Wide Web HTTP
pop-2             109/tcp    # PostOffice V.2
pop-2             109/udp    # PostOffice V.2
pop-3             110/tcp    # PostOffice V.3
pop-3             110/udp    # PostOffice V.3
sunrpc            111/tcp    # portmapper, rpcbind
sunrpc            111/udp    # portmapper, rpcbind
auth              113/tcp    # ident, tap, Authentication Service
auth              113/udp    # ident, tap, Authentication Service
nntp              119/tcp    # Network News Transfer Protocol
nntp              119/udp    # Network News Transfer Protocol
snmp              161/tcp    # 
snmp              161/udp    # Simple Net Mgmt Proto


 On Sat, 13 Feb 1999, Dave Matthews wrote:

> Hi Marc,  I'm a little relieved to hear this.  But I'm still anxious
> about the fact that the log says,
>
> Feb 12 21:42:43 ascus kernel: eth0: Setting promiscuous mode.
>
> and indeed that machine's ethernet interface is in promiscuous mode.
> As you know this is the password-sniffing mechanism.  So I was forced
> to unplug the machine from the net.  Can you explain/excuse this effect
> in a way I can live with?

<some personal text deleted>
 
> > From scrappy () hub org Sat Feb 13 16:22:27 1999
> > Received: from thelab.hub.org ([142.177.190.208]) by greengenes.cit.cornell.edu (4.1/2.0)
> >     id AA25842; Sat, 13 Feb 99 16:21:51 EST
> > Received: from localhost (scrappy@localhost)
> >     by thelab.hub.org (8.9.2/8.9.1) with ESMTP id RAA13532;
> >     Sat, 13 Feb 1999 17:21:18 -0400 (AST)
> >     (envelope-from scrappy () hub org)
> > X-Authentication-Warning: thelab.hub.org: scrappy owned process doing -bs
> > Date: Sat, 13 Feb 1999 17:21:18 -0400 (AST)
> > From: The Hermit Hacker <scrappy () hub org>
> > To: Dave Matthews <matthews () greengenes cit cornell edu>
> > Cc: Noel Yap <noelyap () nightshade cit cornell edu>
> > Subject: Re: unauthorized scan from you
> >
> >         I am the Systems Administrator at Hub.Org, and owner of the
> > machine in question...
> >
> >         I'm running 'nmap' against a WWW generated dns file, to cull
> > Operating System types off the Internet, with the results visible at
> > http://www.hub.org/OS_Survey ... the software basically talks to various
> > ports on the remote host in order to get a fingerprint of the operating
> > system.
> >
> >         The IPs polled are not published anywhere, only the total stats
> > generated, and the only information that is saved from nmap is the System
> > Type itself...
> >
> >         The results of doing this, I'm hoping, is to provide a *very*
> > unbiased view of the operating systems currently being used on the
> > Internet, since it isn't ppl answering a poll, its their computers
> > themselves...
> >
> >         So far, its unbiased towards MicroSloth *sigh*
> >
> >         I apologize for causing any undo-alarm, I've tried to tailor down
> > the software to be *as* un-obtrusive as possible...when I first tried this
> > thing out, it port scanned all 65534 ports on a host *sigh*  I've cut that
> > down to about two dozen or so, which is enough to get a relatively
> > accurate fingerprint of the OS...
> >
> >         There is absolutely no malicious intent in this, but the site
> > listed above does provide a mechanism to remove your IP from future
> > probes...
> >
> >
> >
> > On Sat, 13 Feb 1999, Dave Matthews wrote:
> >
> > > Hi postmaster,  We appear to have been SATAN-attacked from your domain.
> > > Hardware address is included in the /var/log/syslog below.  
> > > - Dave
> > > ...
> >     
> > Marc G. Fournier                                
> > Systems Administrator @ hub.org 
> > primary: scrappy () hub org           secondary: scrappy@{freebsd|postgresql}.org 

Marc G. Fournier                                
Systems Administrator @ hub.org 
primary: scrappy () hub org           secondary: scrappy@{freebsd|postgresql}.org