[PLUG] nmap, curiosity, and courtesy

Evan Heidtmann clydefrog at adnap.no-ip.com
Sat Sep 18 11:04:02 PDT 2004


On Fri, 2004-09-17 at 07:34, Keith Lofstrom wrote:
> The attempted ssh breakins that show up in my logs are getting lengthier
> if not any more successful.  I am curious about the machines that are
> launching the attacks.  I can do DNS lookups on them, of course, but I
> am curious about flavor of Linux they are using, etc.  Among other things,
> this comes in handy when I am advising others about more vs. less secure
> versions of Linux.
> 
> I can run nmap against the offending machines, and find out more about
> them, but this seems impolite (Mom said "two wrongs do not make a
> right"),  and possibly a source of trouble.  What are the opinions here?

Another option to find out what kind of machine it is is to contact
their sshd:

$ telnet 62.193.225.66 22
Trying 62.193.225.66...
Connected to 62.193.225.66.
Escape character is '^]'.
SSH-1.99-OpenSSH_3.5p1
^]
telnet> quit

Sometimes this can tell you what distro it is (no luck this time). On my
debian system this is what I see:

SSH-2.0-OpenSSH_3.8.1p1 Debian 1:3.8.1p1-8

Other people have found the attackers to be running an old RedHat.

Evan





More information about the PLUG mailing list