( NOTE : This is a small tale of what happens when you get a bored person like me, who happens to run a small personal .org webserver and a pretty much empty CS server, and who suddenly has nothing to do late at night, and just happens to notice that something weird is in the logs....
It's pretty much within the stuff for this kind of group, you'll see. )
It's late. I can't sleep. I work in *checks watch* 4 hours and 40 minutes. I check to see if people went to the webpage today. Tail the log, and suddenly I see this oddity right there:
[sub]220.170.88.7 - - [28/Dec/2003:04:12:47 -0500] "GET HTTP/1.1" 200 1203[/sub]
Now, between you, me and the bum living on the corner downtown... I KNOW that yahoo.com is sure as hell not being directed towards my humble fixed-IP abode... so immediately the line shines like a Christmas tree in the middle of a forest.
The hell is that from, I ask myself...
[sub]whois 220.170.88.7
% [whois.apnic.net node-2]
% Whois data copyright terms
inetnum: 220.168.0.0 - 220.170.255.255
netname: CHINANET-HN
descr: CHINANET Hunan province network
descr: China Telecom
descr: A12,Xin-Jie-Kou-Wai Street
descr: Beijing 100088
country: CN
[/sub]
Riigghhttt.... So somebody in China thinks I'm interesting? Fat chance. Oh well.... you poke me, I poke you back.
[sub]nmap 220.170.88.7
Starting nmap ( ) at 2003-12-28 05:56 EST
Interesting ports on 220.170.88.7:
(The 1627 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
80/tcp open http
135/tcp filtered loc-srv
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
443/tcp open https
445/tcp filtered microsoft-ds
593/tcp filtered http-rpc-epmap
1025/tcp open NFS-or-IIS
1027/tcp open IIS
1433/tcp open ms-sql-s
1755/tcp open wms
3372/tcp open msdtc
5631/tcp open pcanywheredata
6666/tcp open irc-serv
8080/tcp open http-proxy
Nmap run completed -- 1 IP address (1 host up) scanned in 14.763 seconds[/sub]
Well.... banzai, I guess. Whoever is running that mobo down over there is being massively idiotic, stupid, or both. Notice the IRC, FTP and pcAnywhere servers.... ooohh... shiny. <i>By now, I know something is definitely not normal about this thing. I decide to investigate.</i>
The webpage shows Chinese gibberish. The https site doesn't seem to be connecting. FTP server? Let's see...
[sub]ftp anonymous@220.170.88.7
Connected to 220.170.88.7.
220 Serv-U FTP Server v4.0 for WinSock ready...
530 Sorry, no ANONYMOUS access allowed.
ftp: Login failed.
ftp> quit
221 Goodbye![/sub]
Ok... so there are no anonymous logins here. Mmmm.... What kind of ftp server is this trick running anyhow? You know what? When in doubt, always remember that google is your friend ( ). And behind result number two, we find our answer (
Pretty interesting what you can learn from one line at the end of your access logs, huh? An interesting note is that this appears to be over a year and a half old and yet still right on the money.
Alright... this is the end of the smallish experience. Discuss.
_____________________________
When someone asks for your username and password, and much *clickely clickely* is happening in the background, know enough that you should be worried.
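The oddity the post starts from is a request line carrying a full URL for somebody else's host (yahoo.com) instead of a local path, which is what an open-proxy scanner sends to see whether your web server will fetch pages on its behalf. The script below is an added example, not code from the original post: it parses Apache common-log lines and flags any request whose target is an absolute URL for a host you do not serve, plus any CONNECT request (a plain web server never legitimately sees one). The log lines, the IP addresses other than the one in the post, and the `www.example.org` host list are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in Apache common log format. Only the second line's
# source address is taken from the post; the rest is made up for the example.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Dec/2003:03:58:10 -0500] "GET /index.html HTTP/1.1" 200 5120
220.170.88.7 - - [28/Dec/2003:04:12:47 -0500] "GET http://www.yahoo.com/ HTTP/1.1" 200 1203
10.0.0.9 - - [28/Dec/2003:04:15:02 -0500] "GET http://www.example.org/about.html HTTP/1.1" 200 844
198.51.100.4 - - [28/Dec/2003:04:20:33 -0500] "CONNECT mail.example.net:25 HTTP/1.0" 405 0
"""

# Common log format: client ident user [timestamp] "method target protocol" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not common log format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def foreign_target(entry, my_hosts):
    """Return the host a proxy-style request is aimed at, or None for a normal request.

    my_hosts is the set of hostnames this server legitimately answers for (lowercase).
    """
    method, target = entry["method"], entry["target"]
    if method == "CONNECT":
        # CONNECT host:port is tunnel setup; only a proxy should ever receive it.
        return target.rsplit(":", 1)[0].lower()
    if target.startswith("/"):
        return None  # ordinary origin-form request such as GET /index.html
    parts = urlsplit(target)
    if parts.scheme and parts.hostname:
        host = parts.hostname.lower()
        # Absolute-form URLs for our own names are legal (RFC 2616 allows them);
        # anything else is a proxy probe or abuse attempt.
        if host not in my_hosts:
            return host
    return None


def find_proxy_probes(log_text, my_hosts):
    """Scan log text and return (client_ip, method, foreign_host, status) per suspicious line."""
    my_hosts = {h.lower() for h in my_hosts}
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # skip malformed lines rather than crash on them
        host = foreign_target(entry, my_hosts)
        if host:
            hits.append((entry["ip"], entry["method"], host, int(entry["status"])))
    return hits


if __name__ == "__main__":
    for ip, method, host, status in find_proxy_probes(SAMPLE_LOG, {"www.example.org", "example.org"}):
        print(f"{ip} sent {method} for {host}, server answered {status}")
```

A 200 on such a line does not by itself prove the server proxied the request; an Apache without mod_proxy typically just serves its own content for the path part. Comparing the logged byte count with the size of your own index page tells you which happened, and a steady drip of these lines from one address usually means you are on somebody's open-proxy scan list rather than a target of personal interest.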