Gentoo Forums
Networking & Security
nmap scan - remoteanything?
miunk
Apprentice
Joined: 24 Sep 2002
Posts: 199
Posted: Wed Aug 20, 2003 6:38 pm    Post subject: nmap scan - remoteanything?

Anyone know what "remoteanything" listening on port 4000 is? Is the fact that this is open cause for concern?
amne
Bodhisattva
Joined: 17 Nov 2002
Posts: 6378
Location: Graz / EU
Posted: Wed Aug 20, 2003 7:05 pm

Are you running mldonkey? If yes:
Code:
telnet 0 4000

and you have a text interface.
If you didn't mess with the config file, it should allow connections from localhost only :)
miunk
Apprentice
Joined: 24 Sep 2002
Posts: 199
Posted: Wed Aug 20, 2003 7:35 pm

Yes, I am constantly running mldonkey. And it seems that I am safe - telnet connections to my IP on port 4000 from the outside fail.

Is there any danger that someone could spoof that they are actually connecting from localhost?
zhenlin
Veteran
Joined: 09 Nov 2002
Posts: 1361
Posted: Thu Aug 21, 2003 2:05 am

No. Even if they did, the receiving end would be at 127.0.0.1 as well.

That's the thing about TCP/IP. Spoofing your IP is only good for DoS attacks.
devon
l33t
Joined: 23 Jun 2003
Posts: 943
Posted: Thu Aug 21, 2003 7:02 am

If the person knew the commands and what happens, he/she doesn't need output from the server. I can telnet to a mail server and make a message without ever seeing the response from the server since I know what I am doing. :)

So if there was a buffer overflow exploit, I don't care what the server tells me. I would just craft a packet from 127.0.0.1 with the proper data and be done.
zhenlin
Veteran
Joined: 09 Nov 2002
Posts: 1361
Posted: Thu Aug 21, 2003 3:09 pm

Yes... But, watch :-

Code:

Legitimate:
xxx.xxx.xxx.xxx -> SYN(xxx.xxx.xxx.xxx, Ack: 0, Seq: CSEQ1) -> yyy.yyy.yyy.yyy
yyy.yyy.yyy.yyy -> SYN/ACK(yyy.yyy.yyy.yyy, Ack: CSEQ1, Seq: SSEQ1) -> xxx.xxx.xxx.xxx
xxx.xxx.xxx.xxx -> ACK(xxx.xxx.xxx.xxx, Ack: SSEQ1, Seq: CSEQ1) -> yyy.yyy.yyy.yyy

Connection established.

DoS:

mmm.mmm.mmm.mmm -> SYN(xxx.xxx.xxx.xxx, Ack: 0, Seq: MSEQ1) -> yyy.yyy.yyy.yyy
yyy.yyy.yyy.yyy -> SYN/ACK(yyy.yyy.yyy.yyy, Ack: MSEQ1, Seq: VSEQ1) -> xxx.xxx.xxx.xxx
xxx.xxx.xxx.xxx : Huh? I never sent a SYN with sequence number MSEQ1.

Connection failed.


So, you cannot even establish a connection if you spoof your IP - let alone send a malicious packet.

In any case, a good firewall should block packets claiming to have originated from 127.0.0.1.
devon
l33t
Joined: 23 Jun 2003
Posts: 943
Posted: Thu Aug 21, 2003 4:30 pm

zhenlin wrote:
So, you cannot even establish a connection if you spoof your IP - let alone send a malicious packet.

While a TCP connection would fail (assuming you cannot intercept the SYN/ACK somehow), I don't think a UDP connection would have that problem. If I am wrong, please let me know. This is all conjecture as I don't actively try to attack hosts. ;)
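A small Python model of the two points argued above (zhenlin's handshake diagram and devon's UDP caveat), written here as an added example and not taken from the thread. The `Listener` class, its method names and the "drop 127.x unless it arrived on the loopback interface" filter are constructed to mirror the diagram and zhenlin's firewall remark; no real packets are sent.

```python
import secrets
from dataclasses import dataclass, field

LOOPBACK = "127.0.0.1"

@dataclass
class Listener:
    """Toy TCP/UDP service such as an mldonkey interface on port 4000 (constructed)."""
    filter_loopback: bool = False      # zhenlin's firewall advice, off by default
    half_open: dict = field(default_factory=dict)   # claimed source -> server ISN

    def _admit(self, src, arrived_on_lo):
        # Firewall check: a 127.x source is genuine only on the loopback interface.
        return not (self.filter_loopback and src.startswith("127.") and not arrived_on_lo)

    def recv_syn(self, claimed_src, arrived_on_lo=False):
        """SYN in: answer SYN/ACK to the *claimed* source (None if the filter drops it)."""
        if not self._admit(claimed_src, arrived_on_lo):
            return None
        isn = secrets.randbits(32)                 # SSEQ1 in the diagram
        self.half_open[claimed_src] = isn
        return ("SYN/ACK", claimed_src, isn)

    def recv_ack(self, claimed_src, ack_num):
        """Third packet: connection opens only if it echoes the ISN from our SYN/ACK."""
        return self.half_open.pop(claimed_src, None) == ack_num

    def recv_udp(self, claimed_src, arrived_on_lo=False):
        """No handshake: a datagram is processed as soon as it passes the filter."""
        return self._admit(claimed_src, arrived_on_lo)

def legitimate_connect(srv, client):
    reply = srv.recv_syn(client)                   # SYN/ACK reaches client, who reads ISN
    return srv.recv_ack(client, reply[2])

def spoofed_connect(srv, spoofed_src):
    # The SYN/ACK is routed to spoofed_src, never to the sender, so the ISN must be guessed.
    reply = srv.recv_syn(spoofed_src)
    return reply is not None and srv.recv_ack(spoofed_src, secrets.randbits(32))

def demo():
    open_srv = Listener()
    guarded = Listener(filter_loopback=True)
    return {
        "legit_tcp": legitimate_connect(open_srv, "xxx.xxx.xxx.xxx"),
        "spoofed_tcp": spoofed_connect(open_srv, LOOPBACK),        # handshake fails
        "spoofed_udp": open_srv.recv_udp(LOOPBACK),                # devon's UDP point
        "spoofed_udp_filtered": guarded.recv_udp(LOOPBACK),        # firewall drops it
        "real_local_udp": guarded.recv_udp(LOOPBACK, arrived_on_lo=True),
    }
```

The spoofed TCP attempt fails because the forged ACK would have to carry a 32-bit ISN the sender never saw, while the unfiltered UDP datagram is accepted outright; only the loopback filter closes that gap.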
viperlin
Veteran
Joined: 15 Apr 2003
Posts: 1319
Location: UK
Posted: Sun Aug 31, 2003 2:15 am

I've been thinking about this a lot since the SoBig virus came out (fakes the e-mail address and sending IP and everything in the headers).
I was wondering how it does it really.
I know how it can fake most info, but how does it fake the "Received:" bit?
I assumed it was some form of IP spoof by putting your network card into promiscuous mode and changing the source address (like nmap does with the -S flag).
I've been trying it for fun but still no luck; I've been using my own SMTP server and sending them to my other e-mail account and looking at the headers.
I can't figure out how I put my network card into promiscuous mode and specify the source IP (it's done with ifconfig I think, it has the option) but cannot find the method or command to do it.
Don't suppose anyone's played with this.
SpinDizzy
n00b
Joined: 28 May 2003
Posts: 63
Location: Moss Vale, Australia
Posted: Sun Aug 31, 2003 3:28 am

AFAIK SoBig doesn't fake the sending IP headers, just the sender's address. You can inject fake Received headers, but they are usually easily spotted by eyeball...
All times are GMT