Weird DNS scans

From: Seth Milder (mrsethat_private)
Date: Thu Oct 04 2001 - 23:59:26 PDT


    I am getting a ton of DNS scans from what seem to be all BSDI machines 
    and all from China (so far). They are also *all* running
    
      SSH-1.99-2.0.12 F-SECURE SSH
    
    and all have at least irc and https open as well. Anyone else seeing 
    this? Here are a few of my nmap results.
    
    
    Starting nmap V. 2.30BETA20 by fyodorat_private ( 
    www.insecure.org/nmap/ )
    Host  (202.96.96.3) appears to be up ... good.
    Initiating SYN half-open stealth scan against  (202.96.96.3)
    Adding TCP port 22 (state open).
    Adding TCP port 443 (state open).
    The SYN scan took 416 seconds to scan 1518 ports.
    For OSScan assuming that port 22 is open and port 1 is closed and 
    neither are firewalled
    Interesting ports on  (202.96.96.3):
    (The 1512 ports scanned but not shown below are in state: closed)
    Port       State       Service
    22/tcp     open        ssh
    182/tcp    filtered    audit
    443/tcp    open        https
    1387/tcp   filtered    cadsi-lm
    2500/tcp   filtered    rtsserv
    6667/tcp   filtered    irc
    
    TCP Sequence Prediction: Class=random positive increments
                              Difficulty=155830 (Good luck!)
    
    Sequence numbers: ACF89303 ACFAE081 ACF89303 ACFAE081 AD0343B4 AD064C1B
    Remote operating system guess: F5labs Big/IP HA TCP/IP Load Balancer 
    (BSDI kernel/x86)
    OS Fingerprint:
    TSeq(Class=RI%gcd=1%SI=260B6)
    T1(Resp=Y%DF=Y%W=402E%ACK=S++%Flags=AS%Ops=MNWNNT)
    T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
    T3(Resp=Y%DF=Y%W=402E%ACK=O%Flags=A%Ops=NNT)
    T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
    T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
    T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
    T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
    PU(Resp=N)
    
    
    Starting nmap V. 2.54BETA7 ( www.insecure.org/nmap/ )
    Host  (61.138.141.3) appears to be up ... good.
    Initiating SYN Stealth Scan against  (61.138.141.3)
    Adding TCP port 22 (state open).
    Adding TCP port 443 (state open).
    The SYN Stealth Scan took 480 seconds to scan 1534 ports.
    For OSScan assuming that port 22 is open and port 1 is closed and 
    neither are firewalled
    Insufficient responses for TCP sequencing (3), OS detection may be less 
    accurate
    Interesting ports on  (61.138.141.3):
    (The 1531 ports scanned but not shown below are in state: closed)
    Port       State       Service
    22/tcp     open        ssh
    443/tcp    open        https
    6667/tcp   filtered    irc
    
    Remote operating system guess: F5labs Big/IP HA TCP/IP Load Balancer 
    (BSDI kernel/x86)
    OS Fingerprint:
    T1(Resp=Y%DF=Y%W=402E%ACK=S++%Flags=AS%Ops=MNWNNT)
    T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
    T3(Resp=Y%DF=Y%W=402E%ACK=O%Flags=A%Ops=NNT)
    T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
    T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
    T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
    T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
    PU(Resp=N)
    
    
    Starting nmap V. 2.30BETA20 by fyodorat_private ( 
    www.insecure.org/nmap/ )
    Host  (61.139.76.157) appears to be up ... good.
    Initiating SYN half-open stealth scan against  (61.139.76.157)
    Adding TCP port 21 (state open).
    Adding TCP port 22 (state open).
    Adding TCP port 443 (state open).
    The SYN scan took 457 seconds to scan 1518 ports.
    For OSScan assuming that port 21 is open and port 1 is closed and 
    neither are firewalled
    Interesting ports on  (61.139.76.157):
    (The 1514 ports scanned but not shown below are in state: closed)
    Port       State       Service
    21/tcp     open        ftp
    22/tcp     open        ssh
    443/tcp    open        https
    6667/tcp   filtered    irc
    
    TCP Sequence Prediction: Class=random positive increments
                              Difficulty=80721 (Worthy challenge)
    
    Sequence numbers: 4E09FF48 4E0F551E 4E09FF48 4E13BF92 4E0F551E 4E1994C8
    Remote operating system guess: F5labs Big/IP HA TCP/IP Load Balancer 
    (BSDI kernel/x86)
    OS Fingerprint:
    TSeq(Class=RI%gcd=2%SI=13B51)
    T1(Resp=Y%DF=Y%W=402E%ACK=S++%Flags=AS%Ops=MNWNNT)
    T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
    T3(Resp=Y%DF=Y%W=402E%ACK=O%Flags=A%Ops=NNT)
    T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
    T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
    T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
    T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
    PU(Resp=N)
    
    
    
    --
    Seth Milder
    Department of Physics and Astronomy
    MS 3f3
    George Mason University
    Fairfax, VA
    --
    Say no, then negotiate. -- Helga
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
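The post asks whether others see sources with the same profile. As an added example (not part of the original message), the Python below parses the nmap 2.x report format quoted above and groups source IPs that share the OS guess, the T1 probe reply and the ssh/https-open, irc-filtered port pattern, which is the check a defender would run before concluding the scanners are one build. The sample input is constructed from two of the three reports, trimmed to the lines the parser uses.

```python
import re
from collections import defaultdict

# Constructed sample: two reports from the post, trimmed; wrapped OS line rejoined.
SAMPLE = """\
Interesting ports on  (202.96.96.3):
22/tcp     open        ssh
443/tcp    open        https
6667/tcp   filtered    irc
Remote operating system guess: F5labs Big/IP HA TCP/IP Load Balancer (BSDI kernel/x86)
T1(Resp=Y%DF=Y%W=402E%ACK=S++%Flags=AS%Ops=MNWNNT)
Interesting ports on  (61.139.76.157):
21/tcp     open        ftp
22/tcp     open        ssh
443/tcp    open        https
6667/tcp   filtered    irc
Remote operating system guess: F5labs Big/IP HA TCP/IP Load Balancer (BSDI kernel/x86)
T1(Resp=Y%DF=Y%W=402E%ACK=S++%Flags=AS%Ops=MNWNNT)
"""

HOST_RE = re.compile(r"^Interesting ports on\s+\((?P<ip>[\d.]+)\):")
PORT_RE = re.compile(r"^(?P<port>\d+)/tcp\s+(?P<state>open|filtered)\s+\S+")
OS_RE = re.compile(r"^Remote operating system guess: (?P<os>.+)$")
T1_RE = re.compile(r"^T1\((?P<t1>.*)\)$")

def parse_nmap(text):
    """Map each scanned IP to its open/filtered ports, OS guess and T1 probe reply."""
    hosts, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := HOST_RE.match(line):
            cur = hosts.setdefault(m["ip"], {"open": set(), "filtered": set(), "os": "", "t1": ""})
        elif cur is None:
            continue  # ignore banner lines that precede the first host block
        elif m := PORT_RE.match(line):
            cur[m["state"]].add(int(m["port"]))
        elif m := OS_RE.match(line):
            cur["os"] = m["os"]
        elif m := T1_RE.match(line):
            cur["t1"] = m["t1"]
    return hosts

def cluster_by_profile(hosts):
    """Group IPs by (OS guess, T1 reply, ssh+https open, irc filtered); one big cluster = one build."""
    groups = defaultdict(list)
    for ip, h in hosts.items():
        key = (h["os"], h["t1"], {22, 443} <= h["open"], 6667 in h["filtered"])
        groups[key].append(ip)
    return {k: sorted(v) for k, v in groups.items()}
```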
    



    This archive was generated by hypermail 2b30 : Fri Oct 05 2001 - 08:20:21 PDT