Nmap Announce mailing list archives
Detected NMAP scan
From: Lamont Granquist <lamontg () raven genome washington edu>
Date: Wed, 6 Jan 1999 12:40:22 -0800
So, on Jan 3rd a machine that I admin got scanned, and with the ipfw.c hack that I posted previously, I recorded the following packets, suggesting that it was someone with nmap2. I thought I'd post it here as a sighting of nmap "in the wild":

Jan 3 04:16:14 6A:192.168.0.1 kernel: IP fw-in deny eth0 TCP 148.81.145.199:62233 192.168.0.1:80 L=40 S=0x00 I=57305 F=0x0000 T=49 seq=0xEA70 ack=0x0000 win=0x1000 urp=0x0000 flags=...A....
Jan 3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 ICMP/8 148.81.145.199 192.168.0.1 L=28 S=0x00 I=32906 F=0x0000 T=49
Jan 3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 ICMP/8 148.81.145.199 192.168.0.1 L=28 S=0x00 I=45981 F=0x0000 T=49
Jan 3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 ICMP/8 148.81.145.199 192.168.0.1 L=28 S=0x00 I=49813 F=0x0000 T=49
Jan 3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 TCP 148.81.145.199:62234 192.168.0.1:80 L=40 S=0x00 I=19314 F=0x0000 T=49 seq=0xDD00 ack=0x0000 win=0x1000 urp=0x0000 flags=...A....
Jan 3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 TCP 148.81.145.199:62235 192.168.0.1:80 L=40 S=0x00 I=14504 F=0x0000 T=49 seq=0x7CB8 ack=0x0000 win=0x1000 urp=0x0000 flags=...A....

I've also identified people doing SYN scans of port 635 which is where mountd often/normally resides on a linux system.

--
Lamont Granquist lamontg () raven genome washington edu
Dept. of Molecular Biotechnology (206)616-5735 fax: (206)685-7344
Box 352145 / University of Washington / Seattle, WA 98195
PGP pubkey: finger lamontg () raven genome washington edu | pgp -fka
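Added example, not part of the original post and not the author's ipfw.c code: a log filter that reports sources whose denied packets show the pattern in the lines above, an ACK-only TCP segment and an ICMP echo request from the same address close together. The function names, the 5-second window, the year and the last two sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

YEAR = "1999 "  # syslog lines carry no year; taken from the post's date (assumption)
# Field layout follows the log lines quoted in the post.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s.*?IP fw-in deny \S+ "
    r"(?P<proto>TCP|ICMP/\d+) (?P<src>[\d.]+)(?::\d+)? "
    r"[\d.]+(?::\d+)?(?:.*?flags=(?P<flags>\S+))?"
)

def parse(line):
    """Return (time, source, kind) for a deny line, or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(YEAR + " ".join(m["ts"].split()), "%Y %b %d %H:%M:%S")
    if m["proto"] == "ICMP/8":
        kind = "echo"                      # ICMP echo request
    elif m["proto"] == "TCP" and (m["flags"] or "").replace(".", "") == "A":
        kind = "ack"                       # ACK is the only flag set
    else:
        kind = "other"
    return ts, m["src"], kind

def ping_sweep_sources(lines, window=timedelta(seconds=5)):
    """Sources with a denied ICMP echo and a denied ACK-only segment
    no more than `window` apart (the window size is an assumption)."""
    seen = defaultdict(lambda: {"echo": [], "ack": []})
    for ts, src, kind in filter(None, map(parse, lines)):
        if kind != "other":
            seen[src][kind].append(ts)
    return sorted(src for src, k in seen.items()
                  if any(abs(e - a) <= window for e in k["echo"] for a in k["ack"]))

PFX = "6A:192.168.0.1 kernel: IP fw-in deny eth0 "
SAMPLE = [
    # First two lines are from the post; the last two are constructed.
    "Jan 3 04:16:14 " + PFX + "TCP 148.81.145.199:62233 192.168.0.1:80 L=40 S=0x00 I=57305 F=0x0000 T=49 seq=0xEA70 ack=0x0000 win=0x1000 urp=0x0000 flags=...A....",
    "Jan 3 04:16:15 " + PFX + "ICMP/8 148.81.145.199 192.168.0.1 L=28 S=0x00 I=32906 F=0x0000 T=49",
    "Jan 3 05:00:00 " + PFX + "ICMP/8 192.0.2.10 192.168.0.1 L=84 S=0x00 I=1 F=0x0000 T=60",
    "Jan 3 05:00:01 " + PFX + "TCP 198.51.100.7:4000 192.168.0.1:635 L=44 S=0x00 I=2 F=0x0000 T=60 seq=0x0001 ack=0x0000 win=0x0200 urp=0x0000 flags=......S.",
]

if __name__ == "__main__":
    print(ping_sweep_sources(SAMPLE))
```

A lone echo request or a SYN to port 635 does not match; only a source that sends both packet kinds inside the window is reported.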