On 3/3/06, ZeuZ <[EMAIL PROTECTED]> wrote:
> Hi everybody, yesterday I was about to update something in my MSN Space and
> I found out something... Suddenly logginet.passport.com redirected me to
> www.msn-int.com (65.54.202.62) and at first I thought it was some kinda
> spyware, so I switched to Linux and tried again, and again the same... So I
> decided to check out with NMAP and I found out this:
> Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-03-04 03:03 CET
> DNS resolution of 1 IPs took 0.03s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
> Initiating SYN Stealth Scan against 65.54.202.62 [1672 ports] at 03:03
> Discovered open port 80/tcp on 65.54.202.62
> SYN Stealth Scan Timing: About 26.67% done; ETC: 03:05 (0:01:22 remaining)
> The SYN Stealth Scan took 102.54s to scan 1672 total ports.
> Initiating service scan against 1 service on 65.54.202.62 at 03:05
> The service scan took 7.10s to scan 1 service on 1 host.
> Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
> For OSScan assuming port 80 is open, 39518 is closed, and neither are firewalled
> For OSScan assuming port 80 is open, 38324 is closed, and neither are firewalled
> Insufficient responses for TCP sequencing (3), OS detection may be less accurate
> For OSScan assuming port 80 is open, 41733 is closed, and neither are firewalled
> Host 65.54.202.62 appears to be up ... good.
> Interesting ports on 65.54.202.62:
> (The 1671 ports scanned but not shown below are in state: filtered)
> PORT   STATE SERVICE VERSION
> 80/tcp open  http    Microsoft IIS webserver 6.0
> Device type: firewall
> Running (JUST GUESSING) : Netscreen ScreenOS (85%)
> Aggressive OS guesses: Netscreen 5XP firewall+vpn (os 4.0.3r2.0) (85%)
> No exact OS matches for host (test conditions non-ideal).
> TCP/IP fingerprint:
> SInfo(V=4.01%P=i686-pc-linux-gnu%D=3/4%Tm=4408F60C%O=80%C=-1)
> TSeq(Class=C%Val=1E240%IPID=Z%TS=U)
> T1(Resp=N)
> TSeq(Class=C%Val=1E240%IPID=Z%TS=U)
> T1(Resp=Y%DF=Y%W=7D77%ACK=S++%Flags=AS%Ops=)
> T2(Resp=N)
> T1(Resp=Y%DF=Y%W=7D77%ACK=S++%Flags=AS%Ops=)
> T2(Resp=N)
> T3(Resp=N)
> T2(Resp=N)
> T3(Resp=Y%DF=Y%W=7D76%ACK=O%Flags=AS%Ops=)
> T4(Resp=N)
> T3(Resp=Y%DF=Y%W=7D76%ACK=O%Flags=AS%Ops=)
> T4(Resp=N)
> T5(Resp=N)
> T4(Resp=N)
> T5(Resp=N)
> T6(Resp=N)
> T5(Resp=N)
> T6(Resp=N)
> T7(Resp=Y%DF=Y%W=7D78%ACK=S++%Flags=A%Ops=)
> T6(Resp=N)
> T7(Resp=Y%DF=Y%W=7D78%ACK=S++%Flags=A%Ops=)
> PU(Resp=N)
> T7(Resp=Y%DF=Y%W=7D78%ACK=S++%Flags=A%Ops=)
> PU(Resp=N)
> PU(Resp=N)
>
> TCP Sequence Prediction: Class=constant sequence number (!)
> Difficulty=0 (Trivial joke)
> IPID Sequence Generation: All zeros
> Service Info: OS: Windows
>
> Nmap finished: 1 IP address (1 host up) scanned in 140.366 seconds
> Raw packets sent: 3421 (153KB) | Rcvd: 2069 (98.1KB)
>
>
> So, literally MSN Network is derivating space's user's data through some
> firewall to another host, perhaps just to increase something in user's
> accounts...
> I also checked out with a traceroute of the hops it was making... Until hop
> 21 here there were no coincidence, different routers and different gateways
> in the process... but then they started to center in SAAVIS (both MSN.ES
> and MSN-INT.COM)
> Now, should this be considered as a mere Microsoft new idea or is just a
> problem that I'm having?
> Maybe it's just me, but I want to be sure, seems like if Microsoft was
> about to change its system network once again....
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Do you expect them to only have one peer? Do you expect them to not
use load balancing but only 1 server? I fail to see a point here.
