[Full-disclosure] New MSN Servers

---

• From: ZeuZ <zeuz.netraptor@xxxxxxxxx>
• Date: Fri, 3 Mar 2006 07:18:22 +0100

---

Hi everybody, yesterday I was about to update something in my MSN Space and
I found out something... Suddenly logginet.passport.com redirected me to
www.msn-int.com (65.54.202.62) and at first I thought it was some kinda
spyware, so I Switched to Linux and tryed again, and again the same... So I
decided to check out with NMAP and I found out this:
Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-03-04 03:03 CET
DNS resolution of 1 IPs took 0.03s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0,
SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan against 65.54.202.62 [1672 ports] at 03:03
Discovered open port 80/tcp on 65.54.202.62
SYN Stealth Scan Timing: About 26.67% done; ETC: 03:05 (0:01:22 remaining)
The SYN Stealth Scan took 102.54s to scan 1672 total ports.
Initiating service scan against 1 service on 65.54.202.62 at 03:05
The service scan took 7.10s to scan 1 service on 1 host.
Warning: OS detection will be MUCH less reliable because we did not find at
least 1 open and 1 closed TCP port
For OSScan assuming port 80 is open, 39518 is closed, and neither are
firewalled
For OSScan assuming port 80 is open, 38324 is closed, and neither are
firewalled
Insufficient responses for TCP sequencing (3), OS detection may be less
accurate
For OSScan assuming port 80 is open, 41733 is closed, and neither are
firewalled
Host 65.54.202.62 appears to be up ... good.
Interesting ports on 65.54.202.62:
(The 1671 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS webserver 6.0
Device type: firewall
Running (JUST GUESSING) : Netscreen ScreenOS (85%)
Aggressive OS guesses: Netscreen 5XP firewall+vpn (os 4.0.3r2.0) (85%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SInfo(V=4.01%P=i686-pc-linux-gnu%D=3/4%Tm=4408F60C%O=80%C=-1)
TSeq(Class=C%Val=1E240%IPID=Z%TS=U)
T1(Resp=N)
TSeq(Class=C%Val=1E240%IPID=Z%TS=U)
T1(Resp=Y%DF=Y%W=7D77%ACK=S++%Flags=AS%Ops=)
T2(Resp=N)
T1(Resp=Y%DF=Y%W=7D77%ACK=S++%Flags=AS%Ops=)
T2(Resp=N)
T3(Resp=N)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=7D76%ACK=O%Flags=AS%Ops=)
T4(Resp=N)
T3(Resp=Y%DF=Y%W=7D76%ACK=O%Flags=AS%Ops=)
T4(Resp=N)
T5(Resp=N)
T4(Resp=N)
T5(Resp=N)
T6(Resp=N)
T5(Resp=N)
T6(Resp=N)
T7(Resp=Y%DF=Y%W=7D78%ACK=S++%Flags=A%Ops=)
T6(Resp=N)
T7(Resp=Y%DF=Y%W=7D78%ACK=S++%Flags=A%Ops=)
PU(Resp=N)
T7(Resp=Y%DF=Y%W=7D78%ACK=S++%Flags=A%Ops=)
PU(Resp=N)
PU(Resp=N)

TCP Sequence Prediction: Class=constant sequence number (!)
Difficulty=0 (Trivial joke)
IPID Sequence Generation: All zeros
Service Info: OS: Windows

Nmap finished: 1 IP address (1 host up) scanned in 140.366 seconds
Raw packets sent: 3421 (153KB) | Rcvd: 2069 (98.1KB)


So, literally MSN Network is derivating space's user's data trhough some
firewall to another host, perhaps just to increase something in user's
accounts...
I also cheked out with a traceroute of the hops it was making... Until hop
21 here there where no coincidence, diferent rotuers and diferent gateways
in the process... but then they started to center in SAAVIS (both MSN.ESand
MSN-INT.COM)
Now, should this be considered as a mere Microsoft new idea or is just a
problem that I'm having?
Maybe it's just me, but I want to be sure, seems like if Microsoft was about
to change it's system network once again....
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

---

• Follow-Ups:
  • Re: [Full-disclosure] New MSN Servers
    • From: Nico Golde
  • Re: [Full-disclosure] New MSN Servers
    • From: Alexander Hristov
  • Re: [Full-disclosure] New MSN Servers
    • From: nocfed

• Prev by Date: [Full-disclosure] iDefense Security Advisory 03.02.06: EMC Dantz Retrospect 7 Backup client DoS Vulnerability
• Next by Date: [Full-disclosure] CFP hack.lu 2006
• Previous by thread: [Full-disclosure] iDefense Security Advisory 03.02.06: EMC Dantz Retrospect 7 Backup client DoS Vulnerability
• Next by thread: Re: [Full-disclosure] New MSN Servers
• Index(es):
  • Date
  • Thread

---

Relevant Pages RE: Strange replies on closed port ... port should be a RST - not dropping the packet. ... receiving an UDP datagram to a non 'listening' port. ... that message isn't generated by the end host, ... Connecting to a closed Port w/o Firewall: ... (Pen-Test) Re: [Full-disclosure] New MSN Servers ... Discovered open port 80/tcp on 65.54.202.62 ... The service scan took 7.10s to scan 1 service on 1 host. ... Insufficient responses for TCP sequencing, ... firewall to another host, perhaps just to increase something in user's ... (Full-Disclosure) Re: [Full-disclosure] New MSN Servers ... Discovered open port 80/tcp on 65.54.202.62 ... The service scan took 7.10s to scan 1 service on 1 host. ... Insufficient responses for TCP sequencing, ... firewall to another host, perhaps just to increase something in user's ... (Full-Disclosure) Re: External drives not installing or working properly on USB ... with the USB system before but these disappearred when I disabled the ... Only one of the five host controllers is connected to the 6 ... work on any port on the PC? ... operating system to recognise the four additional 'drives'. ... (microsoft.public.windowsxp.general) Re: DLINK DI 707P firewall-question ... > I am not quite sure if I am using firewall or filter settings, ... you set up a firewall rule. ... If two computers "talking" to each other they connect from one port ... of host A to another port of host B. ... (comp.security.firewalls)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > Full-Disclosure  > 2006-03