Thursday, March 4, 2004 @ 9:19:39 AM Central Standard Time

Hello Again.

Here is an nmap of 65.41.113.74 (heritageweb.org)

Starting nmap 3.45 ( http://www.insecure.org/nmap/ ) at 2004-03-04 09:33 CST
Interesting ports on user74.net692.mn.sprint-hsd.net (65.41.113.74):
(The 1652 ports scanned but not shown below are in state: filtered)
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 3.6.1p2 (protocol 1.99)
25/tcp  open  smtp?
80/tcp  open  http    Apache httpd 2.0.48 ((Fedora))
109/tcp open  pop-2?
110/tcp open  pop3    UW Imap pop3 server 2003.83rh
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :

Nmap run completed -- 1 IP address (1 host up) scanned in 175.241 seconds
root at b-o-b:~#

Robert (aka B_o_B) David Felix
De Mars West Longitude 90' 15' 43"
http://b-o-b.homelinux.com
*********************************************************

Thursday, March 4, 2004, 9:06:35 AM, you wrote:

JTH> SMB? Finger? A Windows box with the same users? Is this a mail server?
JTH> Does your mail server support the VRFY method? This could have allowed
JTH> random user enumeration. There are vulnerabilities in certain Apache
JTH> configurations that allow for user enumeration as well; when you go to
JTH> domain.com/~realuser you get a 'permission denied' message, and
JTH> domain.com/~fakeuser you get 'directory not accessible' or something.
JTH> What is the box used for? Have you ever run nmap on it from outside?

>> -----Original Message-----
>> From: tclug-list-bounces at mn-linux.org
>> [mailto:tclug-list-bounces at mn-linux.org] On Behalf Of Pastor
>> Doug Coats
>> Sent: Thursday, March 04, 2004 8:55 AM
>> To: TCLUG Mailing List
>> Subject: [TCLUG] Attack
>>
>> I am running Fedora Core1 and had an interesting attack show
>> up in my logs.
>>
>> Someone tried to ssh running through the entire list of users.
>>
>> My question is how did they get that list of valid users?
>> There is no evidence of simply trying random users - they
>> knew every user.
>>
>> Is there something in Linux that would return a request for
>> every user name?
>>
>> Is there something I should have turned off so that cannot
>> happen again?
>>
>> I blocked their IP address in IPTables but they can find a
>> way around that. And I would like to block anyone from trying
>> something similar.
>>
>> Any suggestions would be greatly appreciated.
>>
>> Thanks All,
>>
>> Doug
>>
>> _______________________________________________
>> TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
>> http://www.mn-linux.org tclug-list at mn-linux.org
>> https://mailman.real-time.com/mailman/listinfo/tclug-list
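Doug's observation is that the attacker walked through real accounts rather than guessing from a wordlist, which is what makes JTH's enumeration question relevant. As an added example (not part of the thread or anyone's posted code), a small log check that splits sshd password failures per source IP into existing and non-existent accounts, so a sweep of mostly real users stands out; the hostname, IPs and log lines are constructed.

```python
import re
from collections import defaultdict

# sshd failure line. OpenSSH 3.x (as on the scanned host) logs "illegal user"
# for non-existent accounts; newer releases log "invalid user". Both handled.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:(?P<bad>illegal|invalid) user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def summarize_ssh_failures(lines):
    """Per source IP: distinct usernames tried, split into real and non-existent accounts."""
    stats = defaultdict(lambda: {"valid": set(), "invalid": set()})
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            bucket = "invalid" if m.group("bad") else "valid"
            stats[m.group("ip")][bucket].add(m.group("user"))
    return {ip: {k: sorted(v) for k, v in s.items()} for ip, s in stats.items()}

def enumeration_suspects(lines, min_users=5, min_valid_ratio=0.8):
    """Source IPs that tried many usernames, nearly all of them real accounts.
    A wordlist guesser mostly hits non-existent users; a sweep over mostly real
    users (Doug's case) suggests the attacker already had the user list."""
    out = []
    for ip, s in summarize_ssh_failures(lines).items():
        total = len(s["valid"]) + len(s["invalid"])
        if total >= min_users:
            ratio = len(s["valid"]) / total
            if ratio >= min_valid_ratio:
                out.append((ip, total, round(ratio, 2)))
    return sorted(out)

# Constructed sample log (not from the post): 192.0.2.10 sweeps real accounts, 198.51.100.7 guesses.
SAMPLE_LOG = """\
Mar  4 08:40:01 heritage7 sshd[2201]: Failed password for doug from 192.0.2.10 port 40001 ssh2
Mar  4 08:40:03 heritage7 sshd[2203]: Failed password for mary from 192.0.2.10 port 40002 ssh2
Mar  4 08:40:05 heritage7 sshd[2205]: Failed password for bob from 192.0.2.10 port 40003 ssh2
Mar  4 08:40:07 heritage7 sshd[2207]: Failed password for www from 192.0.2.10 port 40004 ssh2
Mar  4 08:40:09 heritage7 sshd[2209]: Failed password for illegal user admin from 192.0.2.10 port 40005 ssh2
Mar  4 08:41:00 heritage7 sshd[2301]: Failed password for illegal user test from 198.51.100.7 port 3001 ssh2
Mar  4 08:41:02 heritage7 sshd[2303]: Failed password for illegal user guest from 198.51.100.7 port 3002 ssh2
Mar  4 08:41:04 heritage7 sshd[2305]: Failed password for invalid user oracle from 198.51.100.7 port 3003 ssh2
Mar  4 08:41:06 heritage7 sshd[2307]: Failed password for doug from 198.51.100.7 port 3004 ssh2
Mar  4 08:41:08 heritage7 sshd[2309]: Failed password for illegal user admin from 198.51.100.7 port 3005 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, n, ratio in enumeration_suspects(SAMPLE_LOG):
        print(f"{ip}: {n} distinct users tried, {ratio:.0%} real accounts")
```

On JTH's VRFY point, sendmail's PrivacyOptions (for example `goaway`, set via confPRIVACY_FLAGS in sendmail.mc) turn off VRFY and EXPN so the mail server stops confirming which accounts exist.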