TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
This setup looks fishy to me. I think the user is running some "traps"
on commonly probed ports. Why? Because:
a) Netbus, to my knowledge, is a Windows based product. Windows
systems typically do not have sunrpc services installed on them,
nor would nmap predict that the system is FreeBSD.
b) The admin seems to be smart enough to be running ssh. Yet at the
same time, telnet is open. The admins may be leaving telnet for
your average user who doesn't care (or risk a lot) if their
password is sniffed, while the admins only use ssh to make sure
their root password isn't compromised.
I would be very surprised if this box was truly compromised.
BTW, if I'm right, then they are probably PROACTIVE about monitoring
scans (since they have a trap on port 12345 at least). That means
they know you were scanning their system. Don't be surprised if
you get a nastygram...
Cheers, Thomas
Data_surge wrote:
>
> Hey there all,
> Lately I have been scanning a number of hosts for record purposes, and on a
> number of large ISP and e-commerce sites I have found a port open for NetBus. The
> port is 12345. I did not believe it at first and got my port listing docs out
> to verify that it was something else, and on both counts it came up unverified.
> I can safely say that the largest ISP in my country has been infected with
> NetBus. Here is one of the logs.
> Starting nmap V. 2.3BETA13 by [EMAIL PROTECTED] ( www.insecure.org/nmap/ )
> Interesting ports on the url ? (a ip:0)
> Port    State   Protocol   Service
> 21      open    tcp        ftp
> 22      open    tcp        ssh
> 23      open    tcp        telnet
> 25      open    tcp        smtp
> 53      open    tcp        domain
> 80      open    tcp        http
> 110     open    tcp        pop-3
> 111     open    tcp        sunrpc
> 443     open    tcp        https
> 12345   open    tcp        NetBus
>
> TCP Sequence Prediction: Class=random positive increments
> Difficulty=34403 (Worthy challenge)
> Remote operating system guess: FreeBSD 2.2.1 - 3.2
>
> Nmap run completed -- 1 IP address (1 host up) scanned in 65 seconds
--
------------------------------------------------------------
Thomas Reinke Tel: (905) 331-2260
Director of Technology Fax: (905) 331-2504
E-Soft Inc. http://www.e-softinc.com
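The two steps Thomas's reply implies, as an added example that is not part of the thread and not anyone's posted code: first, read the nmap listing and flag services that contradict the OS fingerprint (a Windows-only trojan port on a FreeBSD guess, or sunrpc on a Windows guess); second, instead of trusting the port-to-name table, connect and look at what the listener actually says, against a local stand-in for the "trap" Thomas describes (accepts, logs the peer, sends nothing) and a second stand-in that greets the way a real NetBus server is assumed to. The nmap text is a constructed copy of the lines from the post, the OS-affinity sets and the `NetBus` banner prefix are assumptions for illustration, and `FakeNetBusListener` is not a real NetBus server.

```python
import re
import socket
import threading

# Constructed copy of the lines from the thread's nmap listing that the checks use.
NMAP_OUTPUT = """\
Port State Protocol Service
22 open tcp ssh
111 open tcp sunrpc
12345 open tcp NetBus
Remote operating system guess: FreeBSD 2.2.1 - 3.2
"""

# Assumed OS affinities behind Thomas's point (a); an illustration, not from the thread.
WINDOWS_ONLY = {"netbus"}
UNIX_ONLY = {"sunrpc"}
# Assumed greeting of a genuine NetBus 1.x server; a bare trap sends nothing at all.
NETBUS_BANNER_PREFIX = b"NetBus"


def parse_nmap(text):
    """Return (os_guess, [(port, proto, service), ...]) from nmap's old text output."""
    os_guess, ports = None, []
    for line in text.splitlines():
        m = re.match(r"(\d+)\s+open\s+(\w+)\s+(\S+)", line)
        if m:
            ports.append((int(m.group(1)), m.group(2), m.group(3).lower()))
        m = re.match(r"Remote operating system guess:\s*(.+)", line)
        if m:
            os_guess = m.group(1).strip()
    return os_guess, ports


def inconsistencies(os_guess, ports):
    """Open services that contradict the OS fingerprint: a trap is likelier than an infection."""
    is_windows = bool(os_guess) and "windows" in os_guess.lower()
    flagged = []
    for port, _proto, svc in ports:
        if svc in WINDOWS_ONLY and not is_windows:
            flagged.append((port, svc, "Windows-only service on a non-Windows fingerprint"))
        elif svc in UNIX_ONLY and is_windows:
            flagged.append((port, svc, "Unix service on a Windows fingerprint"))
    return flagged


class TrapListener:
    """Minimal trap of the kind Thomas suspects: accept, log the peer, send nothing."""
    banner = b""

    def __init__(self, host="127.0.0.1", port=0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind((host, port))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.hits = []  # every (ip, port) that touched the trap, i.e. who scanned us
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, peer = self.sock.accept()
            except OSError:
                return  # listener was closed
            self.hits.append(peer)
            if self.banner:
                conn.sendall(self.banner)
            conn.close()

    def close(self):
        self.sock.close()


class FakeNetBusListener(TrapListener):
    """Same listener, but greeting the way an (assumed) real NetBus server would."""
    banner = b"NetBus 1.60\r"


def free_tcp_port():
    # A port that is currently closed: bind to 0, note the number, release it.
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def probe(host, port, timeout=2.0):
    """Connect and read the greeting: 'netbus-banner', 'silent-open' or 'closed'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(64)
            except socket.timeout:
                data = b""
    except OSError:
        return "closed"
    return "netbus-banner" if data.startswith(NETBUS_BANNER_PREFIX) else "silent-open"


if __name__ == "__main__":
    os_guess, ports = parse_nmap(NMAP_OUTPUT)
    print(inconsistencies(os_guess, ports))
    trap, real = TrapListener(), FakeNetBusListener()
    print(probe("127.0.0.1", trap.port), probe("127.0.0.1", real.port), trap.hits)
```

Run stand-alone it flags port 12345 against the FreeBSD guess, reports the trap as `silent-open` and the banner listener as `netbus-banner`, and shows the trap's log of who connected, which is exactly why Thomas expects the scanned site to know about the scan.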