[47940] in North American Network Operators' Group
Re: Re[2]: "portscans" (was Re: Arbor Networks DoS defense product)
daemon@ATHENA.MIT.EDU (E.B. Dreger)
Sat May 18 22:54:50 2002
Date: Sun, 19 May 2002 02:54:23 +0000 (GMT)
From: "E.B. Dreger" <eddy+public+spam@noc.everquick.net>
To: Allan Liska <allan@allan.org>
Cc: "nanog@merit.edu" <nanog@merit.edu>
In-Reply-To: <14539710077.20020518215034@allan.org>
Message-ID: <Pine.LNX.4.20.0205190242370.23354-100000@www.everquick.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu
AL> Date: Sat, 18 May 2002 21:50:34 -0400
AL> From: Allan Liska
AL> [allan@ns1 phpdig]$ telnet www.istop.com 80
AL> Trying 216.187.106.194...
AL> Connected to dci.doncaster.on.ca (216.187.106.194).
AL> Escape character is '^]'.
AL> HEAD / HTTP/1.0
Or
lynx http://www.istop.com/
and press the '=' key for similar info. Or echo the HEAD request
to a program that opens a TCP socket. Or go to www.netcraft.com.
Of course, firewalls munching on TCP/IP can screw up IP stack
fingerprinting, causing nmap et al. to report "IIS on <favorite
*ix flavor>" when it really means "IIS on ??? behind firewall
running <favorite *ix flavor>".
I wonder how many people enjoy recompiling their *ix httpd to
report itself as IIS? Watch for requests matching certain IDS
strings... what was that again about mad fast honeypots? ;-)
--
Eddy
Brotsman & Dreger, Inc. - EverQuick Internet Division
Phone: +1 (316) 794-8922 Wichita/(Inter)national
Phone: +1 (785) 865-5885 Lawrence
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
From: A Trap <blacklist@brics.com>
To: blacklist@brics.com
Subject: Please ignore this portion of my mail signature.
These last few lines are a trap for address-harvesting spambots.
Do NOT send mail to <blacklist@brics.com>, or you are likely to
be blocked.