>Aside from the spoofing, I'm wondering how narrow one can define and
>determine that their firewall in such an instance is the address they find
>in such scans.  Meaning, if one scans 3 class c's looking for port 80
>being open, how many false positives of other machines running a webserver
>are found, then how one determines that indeed this box is theirs.  I
>guess this person must be excluding all machines that have other ports
>open and looking only at servers running a webserver.  Again though, I can
>imagine that one ends up with a list of boxen that might be theirs, and
>might not be.

From my couple attempts at this:

4 class C's to scan, less 31 addresses per net which are used for
routers and the like, is 892 addresses. 

Of these, perhaps a dozen were running anything on port 80. I didn't
check any other ports.  I opened these addresses in a browser and
examined them. 

Of the dozen, about half were unconfigured PC servers, mostly IIS.
Most of the remainder were obviously pages intended to be viewed by
the public.

What I was saying could be spoofed is the server. In theory, someone
could download the pages from my PC, publish them on their own server,
wait for me to come along, and trick me into revealing my password for
the pages that require them. I would know what happened pretty fast
when either my password didn't work, or the content behind it was
wrong, but it would be possible to grab my password for a short bit.

I'm not saying this is a great idea, and I'm working on a better
solution. I was wondering how people perceived a port 80 net sweep
relative to other types of scans which were being discussed. 

I'm sorry that I contributed to this thread getting out of control. If
you want to talk more about it, please email me privately.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
