Re: [Full-Disclosure] New Security News Website

From: Paul Schmehl (pauls_at_utdallas.edu)
Date: 02/17/04

  • Next message: somenym81_at_nym.alias.net: "[Full-Disclosure] Re: W2K source "leaked"?"
    To: full-disclosure@lists.netsys.com
    Date: Mon, 16 Feb 2004 17:28:15 -0600

    --On Monday, February 16, 2004 1:49 PM -0800 "Gregory A. Gilliss"
    <ggilliss@netpublishing.com> wrote:

    > You're kidding, right? Me thinks you *need* some hacker intel!

    So you think a simple nmap scan is sufficient to determine if a host is
    insecure? Interesting.

    If you scanned my Windows XP boxes, you'd find a bunch of juicy ports open.
    What you wouldn't find is a hackable daemon. All the open ports feed a
    program that captures the packets for analysis later. The boxes are
    running no Internet-addressable services. Yet, from an nmap scan you might
    (wrongly) assume that those boxes were grossly insecure.

    This is the Internet. Things are not always what they seem. And open
    ports don't always mean negligence.

    For example:

    bash-2.05b# telnet www.hackerintel.com 113
    Trying 216.92.170.7...
    Connected to hackerintel.com.
    Escape character is '^]'.
    Connection closed by foreign host.
    bash-2.05b# telnet www.hackerintel.com 543
    Trying 216.92.170.7...
    Connected to hackerintel.com.
    Escape character is '^]'.
    Connection closed by foreign host.
    bash-2.05b# telnet www.hackerintel.com 544
    Trying 216.92.170.7...
    Connected to hackerintel.com.
    Escape character is '^]'.
    Connection closed by foreign host.

    Looks suspiciously like tcpwrappers to me.

    And just because you *can* get a login prompt or banner on a particular
    port, *even if* it appears to be a "normal" service for that port, does
    not necessarily mean you are addressing that actual service. (The program
    I refer to would make you *think* you were talking to a compromised machine
    running NetBus, for example - as well as MyDoom, Slammer and a few other
    nasties, if all you did was telnet to that port.)

    Paul Schmehl (pauls@utdallas.edu)
    Adjunct Information Security Officer
    The University of Texas at Dallas
    AVIEN Founding Member
    http://www.utdallas.edu

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
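
The listener Paul describes (open ports that only capture and log, with a fake banner on some of them) is easy to reproduce on loopback. The following is an added example, not code from the original post or from any tool mentioned in it: a small Python decoy that runs in one of two modes. "close" mimics what the telnet transcript above shows for tcpwrappers (accept, log the peer, close at once); "banner" sends a constructed banner string and keeps the probe's first bytes for later analysis. `probe()` plays the part of `telnet host port` or a scanner's banner grab, so you can compare what the outside sees with what the decoy recorded. The banner text and the probe payload are made up for the demo and are not claimed to match any real NetBus version.

```python
import socket
import threading


class DecoyListener:
    """Accept TCP connections on a port and record them without running a real
    service.  mode="close": accept, log, close (tcpwrappers-style reject).
    mode="banner": send a fake banner, capture the client's first bytes, close."""

    def __init__(self, port=0, mode="close", banner=b"", read_timeout=0.5):
        self.mode = mode
        self.banner = banner
        self.read_timeout = read_timeout
        self.log = []  # (peer_ip, peer_port, bytes_received_from_peer)
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind(("127.0.0.1", port))  # loopback only: this is a demo
        self._sock.listen(5)
        self.port = self._sock.getsockname()[1]  # port=0 gives an ephemeral port
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self.port

    def _serve(self):
        self._sock.settimeout(0.2)  # wake up regularly to check the stop flag
        while not self._stop.is_set():
            try:
                conn, peer = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            with conn:  # closed on exit, which is what the probe sees as EOF
                received = b""
                if self.mode == "banner":
                    conn.sendall(self.banner)
                    conn.settimeout(self.read_timeout)
                    try:
                        received = conn.recv(4096)  # keep what the probe sent
                    except (socket.timeout, OSError):
                        pass
                self.log.append((peer[0], peer[1], received))

    def stop(self):
        self._stop.set()
        self._thread.join(timeout=2)
        self._sock.close()


def probe(host, port, timeout=1.0, payload=b""):
    """What 'telnet host port' or a banner grab sees: connect, optionally send
    a payload, return everything the far side sends before closing."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        if payload:
            s.sendall(payload)
        s.settimeout(timeout)
        try:
            while True:
                data = s.recv(4096)
                if not data:  # far side closed: "Connection closed by foreign host"
                    break
                chunks.append(data)
        except (socket.timeout, ConnectionResetError):
            pass
    return b"".join(chunks)


FAKE_BANNER = b"NetBus 1.70\r\n"      # constructed decoy banner for the demo
FAKE_PROBE = b"Password;0;\r\n"      # constructed client payload for the demo


def demo():
    """Run a 'close' decoy and a 'banner' decoy on loopback, probe both, and
    return what the outside saw next to what each decoy logged."""
    wrapped = DecoyListener(mode="close")
    fake_netbus = DecoyListener(mode="banner", banner=FAKE_BANNER)
    try:
        wrapped_port = wrapped.start()
        netbus_port = fake_netbus.start()
        wrapped_saw = probe("127.0.0.1", wrapped_port)
        netbus_saw = probe("127.0.0.1", netbus_port, payload=FAKE_PROBE)
        return {
            "wrapped_saw": wrapped_saw,            # b"": open port, nothing behind it
            "wrapped_logged": len(wrapped.log),    # but the decoy recorded the peer
            "netbus_saw": netbus_saw,              # looks like a live NetBus banner
            "netbus_logged_bytes": fake_netbus.log[0][2] if fake_netbus.log else None,
        }
    finally:
        wrapped.stop()
        fake_netbus.stop()


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Run it and the "close" decoy looks exactly like the hackerintel.com transcript (connect, then immediate close, nothing returned), while the "banner" decoy returns a plausible service string even though no NetBus code is running; in both cases the decoy's log, not the scanner's view, is the ground truth.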

