John,

For me nmap gives the following:

[EMAIL PROTECTED]:/home/karthik # nmap -O -sS 210.66.231.1

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2005-03-10 22:24 CST
Interesting ports on 210.66.231.1:
(The 1645 ports scanned but not shown below are in state: closed)
PORT      STATE    SERVICE
21/tcp    open     ftp
25/tcp    filtered smtp
80/tcp    open     http
111/tcp   open     rpcbind
135/tcp   filtered msrpc
136/tcp   filtered profile
137/tcp   filtered netbios-ns
138/tcp   filtered netbios-dgm
139/tcp   filtered netbios-ssn
443/tcp   open     https
445/tcp   filtered microsoft-ds
3306/tcp  open     mysql
6000/tcp  open     X11
27374/tcp filtered subseven
Device type: general purpose
Running: Linux 2.4.X
OS details: Linux 2.4.6 - 2.4.21
Uptime 111.809 days (since Fri Nov 19 02:59:13 2004)

Nmap run completed -- 1 IP address (1 host up) scanned in 32.369 seconds

It's probably listing what service the ports commonly use. The server is
hosted by some ISP in Taiwan. I don't know if the server is rooted or not,
but I think you are wasting your time contacting someone in Taiwan.

Oh BTW I did an nmap on brlug.net and the result is:

[EMAIL PROTECTED]:/home/karthik # nmap -sS -O brlug.net

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2005-03-10 22:24 CST
Interesting ports on 69.73.167.19:
(The 1638 ports scanned but not shown below are in state: closed)
PORT      STATE    SERVICE
1/tcp     open     tcpmux
21/tcp    open     ftp
22/tcp    open     ssh
25/tcp    filtered smtp
80/tcp    open     http
110/tcp   open     pop3
111/tcp   open     rpcbind
135/tcp   filtered msrpc
136/tcp   filtered profile
137/tcp   filtered netbios-ns
138/tcp   filtered netbios-dgm
139/tcp   filtered netbios-ssn
143/tcp   open     imap
199/tcp   open     smux
443/tcp   open     https
445/tcp   filtered microsoft-ds
465/tcp   open     smtps
993/tcp   open     imaps
995/tcp   open     pop3s
3306/tcp  open     mysql
27374/tcp filtered subseven
Device type: firewall
Running: Checkpoint Windows NT/2K/XP
OS details: Checkpoint SecurePlatform NG FP3

Nmap run completed -- 1 IP address (1 host up) scanned in 17.990 seconds

Pretty interesting, ah?

-- 
karthik Poobalasubramanian
[EMAIL PROTECTED]

On Thu, 2005-03-10 at 20:12 -0800, John Hebert wrote:
> Howdy,
>
> I got an email recently from some stoopid scammer who
> was phishing for Ebay account info. The email could
> easily fool a computer newbie, but the HREF for the
> Ebay URL resolved to ebay.aw1-cgi-updates.com, so I
> knew it was a scam.
>
> I forwarded the email to [EMAIL PROTECTED] because
> phishers pizz me off, but I thought it would be
> interesting to learn a little more about the scammers,
> so I pulled out ole nmap:
>
>
> [EMAIL PROTECTED] /cygdrive/c/tools/nmap-3.81
> $ ./nmap.exe ebay.aw1-cgi-updates.com
>
> Starting nmap 3.81 ( http://www.insecure.org/nmap ) at
> 2005-03-10 21:47 Central
> Standard Time
> Interesting ports on 210.66.231.1:
> (The 1655 ports scanned but not shown below are in
> state: closed)
> PORT     STATE    SERVICE
> 21/tcp   open     ftp
> 80/tcp   open     http
> 111/tcp  open     rpcbind
> 443/tcp  open     https
> 445/tcp  filtered microsoft-ds
> 1720/tcp filtered H.323/Q.931
> 3306/tcp open     mysql
> 6000/tcp open     X11
>
> Hmmm! Looks like some bad guy hax0r has taken over
> this box and is using it as a remotely controllable
> phishing platform. And it is interesting that the
> hax0r has opened all those ports and services; I guess
> script kiddies need a GUI now to do their dirty deeds?
>
> At first, I assumed it was a Windows box running some
> kinda hacked-up cygwin-X11 install, because we all
> know how Microsoft redefined "openness". But, a quick
> check at netcraft.com says that it is a Linux box
> (http://uptime.netcraft.com/up/graph/?host=ebay.aw1-cgi-updates.com).
>
> Question: Is netcraft.com correct?
>
> I know a little of how their OS signature checking
> works, but if it is true, then that means this Linux
> box has been hacked. Which kinda surprises me, but I
> guess I had to lose my innocence sooner or later. ;)
>
> Another question: How would I contact the owner of the
> box to tell him the box is hacked? Contact the
> netblock owner? Or should I just forget about all this
> and go to bed?
>
> Thanks,
> John
>
> _______________________________________________
> General mailing list
> [email protected]
> http://brlug.net/mailman/listinfo/general_brlug.net
