“Captain! We're being scanned!”

So I'm running monnet, a network monitor I wrote when I caught a portscan of my network, using SUNRPC. Curious, I run nmap on the offending machine and get the following:

Interesting ports on XXXXXXXX.XXXXXXXX.XXXXXXXX (XXX.XXX.XXX.XXX):
Port    State       Protocol  Service
21      open        tcp        ftp             
23      open        tcp        telnet          
25      open        tcp        smtp            
53      open        tcp        domain          
79      open        tcp        finger          
80      open        tcp        http            
98      open        tcp        linuxconf       
111     open        tcp        sunrpc          
113     open        tcp        auth            
119     open        tcp        nntp            
137     filtered    tcp        netbios-ns      
138     filtered    tcp        netbios-dgm     
139     filtered    tcp        netbios-ssn     
513     open        tcp        login           
514     open        tcp        shell           
515     open        tcp        printer         
520     filtered    tcp        efs             
655     open        tcp        unknown         
676     open        tcp        unknown         
681     open        tcp        unknown         
686     open        tcp        unknown         
1024    open        tcp        unknown         

TCP Sequence Prediction: Class=random positive increments
			Difficulty=2284334 (Good luck!)

Sequence numbers: C3909E99 C3E1B596 C3907551 C34F8007 C3F3F4E4 C3924E90
Remote operating system guess: Linux 2.1.122 - 2.1.130

Amazing. Simply amazing. I don't know what's worse—RedHat [1] making their default installation so open (and it was RedHat, I checked the web server running on the box and it said as much) or that this person didn't realize what he (I checked finger and it reported back a masculine name as being logged in) got himself into when putting a RedHat box at the end of a cable modem.
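As an added example (not part of the original post, and not the monnet tool), here is a small Python triage script that parses the old nmap "Port State Protocol Service" table shown above and flags the open services a defender would close or firewall on an Internet-facing host; the risk classification is my own assumption, not nmap's.

```python
import re
from dataclasses import dataclass

# Constructed copy of the scan listing in the post (the host was already redacted there).
SCAN = """\
Port    State       Protocol  Service
21      open        tcp        ftp
23      open        tcp        telnet
25      open        tcp        smtp
79      open        tcp        finger
98      open        tcp        linuxconf
111     open        tcp        sunrpc
137     filtered    tcp        netbios-ns
513     open        tcp        login
514     open        tcp        shell
1024    open        tcp        unknown
"""

# Services a defender would want off an Internet-facing host: cleartext credentials
# or admin/info surfaces that should not be reachable from the wider net.
# This classification is the example author's assumption, not nmap's.
RISKY = {
    "ftp": "cleartext credentials",
    "telnet": "cleartext credentials",
    "login": "rlogin: cleartext credentials, host-trust based auth",
    "shell": "rsh: cleartext, host-trust based auth",
    "finger": "leaks logged-in user names",
    "linuxconf": "remote admin interface exposed",
    "sunrpc": "portmapper advertises RPC services",
}

LINE = re.compile(r"^(\d+)\s+(\w+)\s+(\w+)\s+(\S+)")

@dataclass
class Port:
    number: int
    state: str
    proto: str
    service: str

def parse_scan(text: str) -> list[Port]:
    """Parse the nmap table; the header line does not start with a digit and is skipped."""
    return [Port(int(m[1]), m[2], m[3], m[4])
            for m in (LINE.match(l) for l in text.splitlines()) if m]

def exposure_report(ports: list[Port]) -> dict[int, str]:
    """Map each *open* risky port to the reason it should be closed or firewalled."""
    return {p.number: RISKY[p.service] for p in ports
            if p.state == "open" and p.service in RISKY}

if __name__ == "__main__":
    for port, why in sorted(exposure_report(parse_scan(SCAN)).items()):
        print(f"{port:>5}  {why}")
```

Filtered ports (the netbios trio, efs) are deliberately not reported, since something upstream is already blocking them.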

So I wrote the person the following:

[spc]linus:/home/spc>telnet XXX.XXX.XXX.XXX smtp
Trying XXX.XXX.XXX.XXX...
Connected to XXXXXXXX.XXXXXXXX.XXXXXXXX
Escape character is '^]'.
220  XXXXXXXX.XXXXXXXX.XXXXXXXXESMTP Sendmail 8.9.3/8.9.3; Sun, 4 Jun 2000 01:29:33 -0700
helo linus.slab.conman.org
250 XXXXXXXX.XXXXXXXX.XXXXXXXX Hello IDENT:XXXXXXXXXXXXXXXXXXXXXXXXX [XXX.XXX.XXX.XXX], pleased to meet you
mail from:<sean@conman.org>
250 <sean@conman.org>... Sender ok
rcpt to:<XXXXXXXX>
250 <XXXXXXXX>... Recipient ok
data
354 Enter mail, end with "." on a line by itself
From: sean@conman.org
To: XXXXXXXX@XXXXXXXX.XXXXXXXX.XXXXXXXX
Subject: Thanks for portscanning my network ...

  I'd like to thank you for port scanning my home network, especially from
a system with FTP, TELNET, SMTP, DNS, FINGER, HTTP, LINUXCONF and a slew of
other services open and running on your freshly installed RedHat
installation of Linux.

  If you have no idea what I'm talking about, then let me inform you that
your system may have been compromised by someone.  Just letting you know.

  -spc

.     
250 BAA21935 Message accepted for delivery
quit
221 XXXXXXXX.XXXXXXXX.XXXXXXXX closing connection
Connection closed by foreign host.
[spc]linus:/home/spc>

I'm wondering how he'll respond.

[1] http://www.redhat.com/
