I am getting a ton of DNS scans from what seem to be all BSDI machines and all from China (so far). They are also *all* running SSH-1.99-2.0.12 F-SECURE SSH and all have at least irc and https open as well. Anyone else seeing this?

Here are a few of my nmap results.

Starting nmap V. 2.30BETA20 by fyodorat_private ( www.insecure.org/nmap/ )
Host (202.96.96.3) appears to be up ... good.
Initiating SYN half-open stealth scan against (202.96.96.3)
Adding TCP port 22 (state open).
Adding TCP port 443 (state open).
The SYN scan took 416 seconds to scan 1518 ports.
For OSScan assuming that port 22 is open and port 1 is closed and neither are firewalled
Interesting ports on (202.96.96.3):
(The 1512 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
182/tcp    filtered    audit
443/tcp    open        https
1387/tcp   filtered    cadsi-lm
2500/tcp   filtered    rtsserv
6667/tcp   filtered    irc

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=155830 (Good luck!)
Sequence numbers: ACF89303 ACFAE081 ACF89303 ACFAE081 AD0343B4 AD064C1B
Remote operating system guess: F5labs Big/IP HA TCP/IP Load Balancer (BSDI kernel/x86)
OS Fingerprint:
TSeq(Class=RI%gcd=1%SI=260B6)
T1(Resp=Y%DF=Y%W=402E%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=Y%W=402E%ACK=O%Flags=A%Ops=NNT)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=N)

Starting nmap V. 2.54BETA7 ( www.insecure.org/nmap/ )
Host (61.138.141.3) appears to be up ... good.
Initiating SYN Stealth Scan against (61.138.141.3)
Adding TCP port 22 (state open).
Adding TCP port 443 (state open).
The SYN Stealth Scan took 480 seconds to scan 1534 ports.
For OSScan assuming that port 22 is open and port 1 is closed and neither are firewalled
Insufficient responses for TCP sequencing (3), OS detection may be less accurate
Interesting ports on (61.138.141.3):
(The 1531 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
443/tcp    open        https
6667/tcp   filtered    irc

Remote operating system guess: F5labs Big/IP HA TCP/IP Load Balancer (BSDI kernel/x86)
OS Fingerprint:
T1(Resp=Y%DF=Y%W=402E%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=Y%W=402E%ACK=O%Flags=A%Ops=NNT)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=N)

Starting nmap V. 2.30BETA20 by fyodorat_private ( www.insecure.org/nmap/ )
Host (61.139.76.157) appears to be up ... good.
Initiating SYN half-open stealth scan against (61.139.76.157)
Adding TCP port 21 (state open).
Adding TCP port 22 (state open).
Adding TCP port 443 (state open).
The SYN scan took 457 seconds to scan 1518 ports.
For OSScan assuming that port 21 is open and port 1 is closed and neither are firewalled
Interesting ports on (61.139.76.157):
(The 1514 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
443/tcp    open        https
6667/tcp   filtered    irc

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=80721 (Worthy challenge)
Sequence numbers: 4E09FF48 4E0F551E 4E09FF48 4E13BF92 4E0F551E 4E1994C8
Remote operating system guess: F5labs Big/IP HA TCP/IP Load Balancer (BSDI kernel/x86)
OS Fingerprint:
TSeq(Class=RI%gcd=2%SI=13B51)
T1(Resp=Y%DF=Y%W=402E%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=Y%W=402E%ACK=O%Flags=A%Ops=NNT)
T4(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=N)

--
Seth Milder
Department of Physics and Astronomy MS 3f3
George Mason University
Fairfax, VA
--
Say no, then negotiate.
        -- Helga

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Oct 05 2001 - 08:20:21 PDT