[PLUG] nmap, curiosity, and courtesy
Evan Heidtmann
clydefrog at adnap.no-ip.com
Sat Sep 18 11:04:02 PDT 2004
On Fri, 2004-09-17 at 07:34, Keith Lofstrom wrote:
> The attempted ssh breakins that show up in my logs are getting lengthier
> if not any more successful. I am curious about the machines that are
> launching the attacks. I can do DNS lookups on them, of course, but I
> am curious about flavor of Linux they are using, etc. Among other things,
> this comes in handy when I am advising others about more vs. less secure
> versions of Linux.
>
> I can run nmap against the offending machines, and find out more about
> them, but this seems impolite (Mom said "two wrongs do not make a
> right"), and possibly a source of trouble. What are the opinions here?
Another option to find out what kind of machine it is is to contact
their sshd:
$ telnet 62.193.225.66 22
Trying 62.193.225.66...
Connected to 62.193.225.66.
Escape character is '^]'.
SSH-1.99-OpenSSH_3.5p1
^]
telnet> quit
Sometimes this can tell you what distro it is (no luck this time). On my
debian system this is what I see:
SSH-2.0-OpenSSH_3.8.1p1 Debian 1:3.8.1p1-8
Other people have found the attackers to be running an old RedHat.
Evan
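A parser for the identification strings quoted above, added here as an example and not part of the original post; it assumes the RFC 4253 banner format `SSH-protoversion-softwareversion SP comments` and the hypothetical helper names below, and it only reads what the server volunteers, as the telnet session does.

```python
"""Parse SSH identification strings (RFC 4253 section 4.2):
    SSH-protoversion-softwareversion [SP comments] CR LF
The distro hint, when there is one, lives in the optional comments field."""
import re
import socket
from dataclasses import dataclass
from typing import Optional

_BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$")


@dataclass
class SshBanner:
    protoversion: str
    softwareversion: str
    comments: Optional[str]

    @property
    def speaks_v1_and_v2(self) -> bool:
        # "1.99" is the compatibility value an SSH-2 server advertises
        # when it also accepts SSH-1 clients (the first banner in the post).
        return self.protoversion == "1.99"


def parse_ssh_banner(text: str) -> Optional[SshBanner]:
    """Return the parsed identification string, or None if there is none.
    A server may send other lines before the SSH- line, so skip those."""
    for line in text.splitlines():
        if not line.startswith("SSH-"):
            continue
        m = _BANNER_RE.match(line)
        return SshBanner(m["proto"], m["software"], m["comments"]) if m else None
    return None


def grab_ssh_banner(host: str, port: int = 22, timeout: float = 5.0) -> Optional[SshBanner]:
    """Connect, read until the SSH- line arrives (or a few lines pass), parse."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        reader = s.makefile("rb")
        collected = []
        for _ in range(20):          # bound the read: the banner is normally line 1
            raw = reader.readline()
            if not raw:
                break
            collected.append(raw.decode("utf-8", errors="replace"))
            if raw.startswith(b"SSH-"):
                break
    return parse_ssh_banner("".join(collected))


# Constructed samples: the two banners quoted in the post, as a server would send them.
SAMPLES = [
    "SSH-1.99-OpenSSH_3.5p1\r\n",
    "SSH-2.0-OpenSSH_3.8.1p1 Debian 1:3.8.1p1-8\r\n",
]
```

grab_ssh_banner needs a network; SAMPLES lets you exercise the parser offline.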