Debian PPC Who's Who In System Scanning


Who's scanning who? My MacOS-based router picks up a moderate number of systems attempting connections with ports other than 80, and shows them the door. Many of these could just be normal (and unnecessary) service requests issued in conjunction with hits on my website. One of my simple joys in life is to get a snapshot of who they are. Nothing sexy, just 'dig', 'lynx -head', and 'nmap -sS -O'. If they don't like it, screw 'em. Below is a sample from 2003. The attempts at ports 1080 and 1433 got boring enough that they won't get as much attention in the future.

One of the things puzzling me is why imagefarm12-vip.ptn.aol.com (64.12.39.89) keeps banging on my door. According to my router, it's working hard to connect with my wife's laptop on our private network. There's a slew of blocked attempts at ports 1071 through 1096.

Reverse DNS Lookup
Lynx Web Browser (see Users Guide)
Nmap Port Scanner
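The triage loop described above (pull the source address out of the router's Trigger line, then look it up with dig, lynx -head and nmap -sS -O) as a small POSIX shell script. This is an added example, not the page author's own tooling. The log format is assumed from the lines quoted on this page, the sample log below is constructed from them, and the SKIP_PORTS list is an assumption standing in for the "boring" ports 1080 and 1433. The script only prints the lookup commands; it does not run anything against a remote host, so the reader decides what is actually worth probing.

```shell
#!/bin/sh
# Added example: summarize router "Trigger" lines and print the triage
# commands used on this page. Nothing here touches the network.
#
# Assumed log format (taken from the lines quoted on this page):
#   M/D/YY HH:MM:SS  Trigger IP Addr: A.B.C.D TCP Port: N  Svc: name 7200 secs
# "Probable Port Scan" lines are deliberately ignored.

# Constructed sample log, not a real capture.
SAMPLE_LOG='8/31/03 17:48:04  Trigger IP Addr: 66.9.102.103 TCP Port: 1433  Svc: ms-sql-s 7200 secs
8/31/03 19:31:12  Trigger IP Addr: 64.12.50.217 TCP Port: 1080  Svc: socks 7200 secs
8/31/03 19:31:12  Probable Port Scan from IP Addr: 64.12.50.217 TCP Port: 1077
9/1/03 1:32:18  Trigger IP Addr: 66.212.80.187 TCP Port: 1433  Svc: ms-sql-s 7200 secs
9/1/03 22:59:56  Trigger IP Addr: 216.12.215.213 TCP Port: 23  Svc: telnet 7200 secs'

# Ports not worth chasing any more (assumed list; the page names 1080 and 1433).
SKIP_PORTS="1080 1433"

# trigger_ips: read log lines on stdin, print "ip port svc" for each Trigger line.
trigger_ips() {
    awk '/Trigger IP Addr:/ {
        for (i = 1; i <= NF; i++) {
            if ($i == "Addr:") ip   = $(i + 1)
            if ($i == "Port:") port = $(i + 1)
            if ($i == "Svc:")  svc  = $(i + 1)
        }
        print ip, port, svc
    }'
}

# port_counts: read "ip port svc" lines, print "hits port" sorted by hits, busiest first.
port_counts() {
    awk '{ n[$2]++ } END { for (p in n) print n[p], p }' | sort -rn
}

# drop_noisy: read "ip port svc" lines, discard any whose port is in SKIP_PORTS.
drop_noisy() {
    awk -v skip="$SKIP_PORTS" '
        BEGIN { n = split(skip, a, " "); for (i = 1; i <= n; i++) s[a[i]] = 1 }
        !($2 in s)'
}

# triage_cmds: read "ip port svc" lines, emit the three lookups once per distinct IP:
# reverse DNS, an HTTP HEAD request, and a SYN scan with OS fingerprinting.
triage_cmds() {
    awk '!seen[$1]++ { print $1 }' | while read -r ip; do
        printf 'dig +short -x %s\n' "$ip"
        printf 'lynx -head -dump http://%s/\n' "$ip"
        printf 'nmap -sS -O %s\n' "$ip"
    done
}

# Stand-alone run: show what is left after the noisy ports are dropped.
printf '%s\n' "$SAMPLE_LOG" | trigger_ips | port_counts
printf '%s\n' "$SAMPLE_LOG" | trigger_ips | drop_noisy | triage_cmds
```

Feed the real log in with `trigger_ips < router.log` instead of the constructed SAMPLE_LOG. The nmap -O line is a guess at best, as the entries below show, and a SYN scan against someone else's machine is a decision to make deliberately, which is why the script prints the commands rather than executing them.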

8/30/03 10:17:56  Trigger IP Addr: 205.156.51.228 TCP Port: 2049  Svc: nfs 7200 secs
8/30/03 10:18:00  Probable Port Scan from IP Addr: 205.156.51.228 TCP Port: 2050
Name: prh.noaa.gov
Notes: Probably a service negotiation while I looked up hurricane data.

8/31/03 6:20:21  Trigger IP Addr: 61.0.95.130 TCP Port: 111  Svc: sunrpc 7200 secs

8/31/03 17:48:04  Trigger IP Addr: 66.9.102.103 TCP Port: 1433  Svc: ms-sql-s 7200 secs
135/tcp    open        loc-srv
139/tcp    open        netbios-ssn
1025/tcp   open        NFS-or-IIS
1433/tcp   open        ms-sql-s
3389/tcp   open        ms-term-serv
Remote operating system guess: Windows Millennium Edition (Me), Win 2000, or WinXP

8/31/03 19:31:12  Trigger IP Addr: 64.12.50.217 TCP Port: 1080  Svc: socks 7200 secs
8/31/03 19:31:12  Probable Port Scan from IP Addr: 64.12.50.217 TCP Port: 1077
Name: imagefarm10-vip.ptn.aol.com
HTTP/1.0 404 Not Found on Accelerator
Via: HTTP/1.1 cdn-ml13 (Traffic-Server/5.2.1-49362 [c s f ])
80/tcp     open        http                    
Notes: AOL system running licensed Inktomi Traffic Server network cache.

9/1/03 1:32:18  Trigger IP Addr: 66.212.80.187 TCP Port: 1433  Svc: ms-sql-s 7200 secs
33/tcp     open        dsp
70/tcp     open        gopher
139/tcp    open        netbios-ssn
445/tcp    open        microsoft-ds
1025/tcp   open        NFS-or-IIS
1720/tcp   open        H.323/Q.931
3372/tcp   open        msdtc
3389/tcp   open        ms-term-serv
7273/tcp   open        openmanage
Remote operating system guess: Windows Millennium Edition (Me), Win 2000, or WinXP

9/1/03 2:46:29  Trigger IP Addr: 200.210.211.20 TCP Port: 1433  Svc: ms-sql-s 7200 secs
Server: Microsoft-IIS/5.0
Set-Cookie: ASPSESSIONIDQCDBRRBD=OIGPGNJAJMBJBLJDPGOGDLKP; path=/
7/tcp      open        echo
9/tcp      open        discard
13/tcp     open        daytime
17/tcp     open        qotd
19/tcp     open        chargen
21/tcp     open        ftp
25/tcp     open        smtp
53/tcp     open        domain
80/tcp     open        http
88/tcp     open        kerberos-sec
119/tcp    open        nntp
389/tcp    open        ldap
443/tcp    open        https
464/tcp    open        kpasswd5
515/tcp    open        printer
563/tcp    open        snews
593/tcp    open        http-rpc-epmap
636/tcp    open        ldapssl
1755/tcp   open        wms
3268/tcp   open        globalcatLDAP
3269/tcp   open        globalcatLDAPssl
3306/tcp   open        mysql
3389/tcp   open        ms-term-serv
6666/tcp   open        irc-serv
7007/tcp   open        afs3-bos
Remote OS guesses: Windows NT 3.51 SP5, NT4 or 95/98/98SE, Windows Millennium Edition (Me), Win 2000, or WinXP
Notes: Nmap wasn't getting enough data for a good OS guess, and I couldn't resolve the IP. The web page came up default in Portuguese.

9/1/03 3:58:14  Trigger IP Addr: 80.65.116.213 TCP Port: 1433  Svc: ms-sql-s 7200 secs
Name: dsl116-213.introweb.nl
25/tcp     open        smtp
97/tcp     open        swift-rvf
110/tcp    open        pop-3
135/tcp    open        loc-srv
139/tcp    open        netbios-ssn
143/tcp    open        imap2
443/tcp    open        https
593/tcp    open        http-rpc-epmap
691/tcp    open        resvc
993/tcp    open        imaps
1720/tcp   open        H.323/Q.931
3389/tcp   open        ms-term-serv
Remote OS guesses: Windows NT 5 Beta2 or Beta3, Windows Millennium Edition (Me), Win 2000, or WinXP, MS Windows2000 Professional RC1/W2K Advance Server Beta3
Notes: A DSL customer from the Netherlands.

9/1/03 15:27:40  Trigger IP Addr: 80.142.235.128 TCP Port: 1433  Svc: ms-sql-s 7200 secs
Name: p508EEB80.dip.t-dialin.net
23/tcp     filtered    telnet
80/tcp     filtered    http
1990/tcp   filtered    stun-p1
1992/tcp   filtered    stun-p3
2013/tcp   filtered    raid-am
2017/tcp   filtered    cypress-stat
2024/tcp   filtered    xinuexpansion4
2025/tcp   filtered    ellpack
2431/tcp   filtered    venus-se
3462/tcp   filtered    track
3986/tcp   filtered    mapper-ws_ethd
3999/tcp   filtered    remoteanything
Notes: A dialup from Germany?

9/1/03 19:39:58  Trigger IP Addr: 206.112.112.61 TCP Port: 1433  Svc: ms-sql-s 7200 secs
Server: AkamaiGHost
22/tcp     open        ssh
80/tcp     open        http
443/tcp    open        https
Remote OS guesses: Linux 2.1.19 - 2.2.20, Linux kernel 2.2.13, Linux 2.2.14
Uptime 19.013 days (since Thu Aug 14 23:18:22 2003)
Notes: All of the usual default index pages come up 404.

9/1/03 20:51:17  Trigger IP Addr: 66.227.104.160 TCP Port: 2049  Svc: nfs 7200 secs
9/1/03 20:51:17  Probable Port Scan from IP Addr: 66.227.104.160 TCP Port: 2034
22/tcp     open        ssh
53/tcp     open        domain
Remote OS guesses: OpenBSD 2.9-beta through release (X86), OpenBSD 3.0 (x86 or SPARC)
Notes: Any guesses what they expected to find on port 2034? A Novell control console?

9/1/03 22:59:56  Trigger IP Addr: 216.12.215.213 TCP Port: 23  Svc: telnet 7200 secs
Server: Apache/1.3.19 (Unix) mod_perl/1.24_01 mod_throttle/2.11 PHP/4.0.6 FrontPage/4.0.4.3 mod_ssl/2.8.3 OpenSSL/0.9.6b
21/tcp     open        ftp
22/tcp     open        ssh
25/tcp     open        smtp
53/tcp     open        domain
80/tcp     open        http
110/tcp    open        pop-3
135/tcp    filtered    loc-srv
139/tcp    filtered    netbios-ssn
143/tcp    open        imap2
443/tcp    filtered    https
445/tcp    filtered    microsoft-ds
993/tcp    open        imaps
995/tcp    open        pop3s
3306/tcp   open        mysql
8443/tcp   open        https-alt
Remote OS guesses: Linux Kernel 2.4.0 - 2.5.20, Linux 2.4.19 w/grsecurity patch
Uptime 12.564 days (since Thu Aug 21 09:45:06 2003)
Notes: Trying my telnet port? Do people still do that? Home page is "the Plesk Server Administrator default page."

9/2/03 5:47:44  Trigger IP Addr: 61.156.7.182 TCP Port: 1433  Svc: ms-sql-s 7200 secs
135/tcp    filtered    loc-srv
136/tcp    filtered    profile
137/tcp    filtered    netbios-ns
138/tcp    filtered    netbios-dgm
139/tcp    filtered    netbios-ssn
445/tcp    filtered    microsoft-ds
1025/tcp   open        NFS-or-IIS
1433/tcp   open        ms-sql-s
1999/tcp   open        tcp-id-port
3372/tcp   open        msdtc
3389/tcp   open        ms-term-serv
4444/tcp   filtered    krb524
4899/tcp   open        radmin
5631/tcp   open        pcanywheredata
Remote OS guesses: Windows Millennium Edition (Me), Win 2000, or WinXP, MS Windows2000 Professional RC1/W2K Advance Server Beta3

9/2/03 9:02:21  Trigger IP Addr: 61.99.56.21 TCP Port: 1433  Svc: ms-sql-s 7200 secs
Notes: Unable to scan or access this system.

9/2/03 9:12:28  Trigger IP Addr: 62.26.209.198 TCP Port: 111  Svc: sunrpc 7200 secs
Server: Apache/1.3.26 (Unix) PHP/4.3.2 FrontPage/4.0.4.3 mod_ssl/2.8.10 OpenSSL/0.9.6d
X-Powered-By: PHP/4.3.2
Location: ./user/index.php
21/tcp     open        ftp
22/tcp     open        ssh
25/tcp     open        smtp
53/tcp     open        domain
80/tcp     open        http
110/tcp    open        pop-3
443/tcp    open        https
587/tcp    open        submission
1021/tcp   open        unknown
10000/tcp  open        snet-sensor-mgmt
Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20
Uptime 37.997 days (since Sat Jul 26 23:04:01 2003)
Notes: The website's PHP script asks for a login, while the https page is still default Apache.

9/2/03 9:37:51  Trigger IP Addr: 195.101.18.201 TCP Port: 22  Svc: ssh 7200 secs
Server: Apache/1.3.20 Sun Cobalt (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6b PHP/4.1.2 mod_auth_pam_external/0.1 FrontPage/4.0.4.3 mod_perl/1.25
Name: cobalt.culture-aquitaine.org (among others)
21/tcp     open        ftp
22/tcp     open        ssh
25/tcp     open        smtp
53/tcp     open        domain
80/tcp     open        http
81/tcp     open        hosts2-ns
110/tcp    open        pop-3
143/tcp    open        imap2
443/tcp    open        https
444/tcp    open        snpp
3306/tcp   open        mysql
Remote OS guesses: GNU Hurd 0.2 (GNUmach-1.2/Hurd-0.2) X86, Linux 2.1.19 - 2.2.2
Uptime 8.973 days (since Sun Aug 24 23:26:59 2003)
Notes: This Cobalt box hosts six or seven sites. The root web page is the Cobalt server default, while some of the virtual domains serve audio-visual web art.