[47937] in North American Network Operators' Group


Re[2]: "portscans" (was Re: Arbor Networks DoS defense product)

daemon@ATHENA.MIT.EDU (Allan Liska)
Sat May 18 21:51:07 2002

Date: Sat, 18 May 2002 21:50:34 -0400
From: Allan Liska <allan@allan.org>
Reply-To: Allan Liska <allan@allan.org>
Message-ID: <14539710077.20020518215034@allan.org>
To: "nanog@merit.edu" <nanog@merit.edu>
In-Reply-To: <Pine.LNX.4.21.0205181913520.13686-100000@cpu1693.adsl.bellglobal.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Errors-To: owner-nanog-outgoing@merit.edu


Hello,

Saturday, May 18, 2002, 7:17:43 PM, you wrote:

RD> On Sat, 18 May 2002, Scott Francis wrote:

>> And why, pray tell, would some unknown and unaffiliated person be scanning my
>> network to gather information or run recon if they were not planning on
>> attacking? I'm not saying that you're not right, I'm just saying that so far
>> I have heard no valid non-attack reasons for portscans (other than those run
>> by network admins against their own networks).

RD> I often like to know if a particular web server is running Unix or
RD> Winblows.  A port scanner is a useful tool in making that determination.

[allan@ns1 phpdig]$ telnet www.istop.com 80
Trying 216.187.106.194...
Connected to dci.doncaster.on.ca (216.187.106.194).
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Sun, 19 May 2002 01:47:57 GMT
Server: Apache/1.3.22 (Unix) FrontPage/4.0.4.3 PHP/4.1.2 mod_fastcgi/2.2.8
Last-Modified: Sat, 18 May 2002 06:05:35 GMT
ETag: "68807-9ff5-3ce5ef2f"
Accept-Ranges: bytes
Content-Length: 40949
Connection: close
Content-Type: text/html

Connection closed by foreign host.


(make sure you hit [Enter] twice after the "HEAD / HTTP/1.0").  Gets
you all of the information you need, and you don't have to do a
portscan.  I have a Perl script that automates the task; if you would
like it, let me know.


allan
-- 
allan
allan@allan.org
http://www.allan.org
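
Added example (not part of the original message, and not the Perl script its author mentions): a Python version of the same check, which sends the HEAD request and splits the Server header into product tokens and comments to read the OS hint. The names head, parse_server, os_hint and SAMPLE are assumptions of this example, and SAMPLE is constructed from the headers quoted above.

```python
import re
import socket

# Constructed sample: a subset of the response headers quoted in the message.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/1.3.22 (Unix) FrontPage/4.0.4.3 PHP/4.1.2 mod_fastcgi/2.2.8\r\n"
    "Connection: close\r\n"
    "\r\n"
)
# A Server value is a run of product[/version] tokens and (comments).
TOKEN = re.compile(r"\(([^)]*)\)|([^\s/()]+)(?:/([^\s()]+))?")

def head(host, port=80, timeout=5.0):
    """Send 'HEAD / HTTP/1.0' (plus a Host header, an addition) and return the reply."""
    request = f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while data := sock.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("iso-8859-1")

def parse_server(raw):
    """Return (products, comments) parsed from the Server header of a raw reply."""
    products, comments = [], []
    for line in raw.splitlines()[1:]:
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        if name.strip().lower() != "server":
            continue
        for m in TOKEN.finditer(value):
            if m.group(1) is not None:
                comments.append(m.group(1).strip())
            else:
                products.append((m.group(2), m.group(3)))
    return products, comments

def os_hint(products, comments):
    """Guess 'Windows' or 'Unix' from the header; None when it does not say."""
    names = [name.lower() for name, _ in products]
    notes = " ".join(comments).lower()
    if "microsoft-iis" in names or "win32" in notes or "win64" in notes:
        return "Windows"
    if any(word in notes for word in ("unix", "linux", "bsd")):
        return "Unix"
    return None
```

The Server header is set by the operator, so the result is a hint rather than proof; a server that sends only a bare product name yields None.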

