nmap scan - remoteanything?

Message

miunk · Post by **miunk** » Wed Aug 20, 2003 6:38 pm

Anyone know what "remoteanything" listening on port 4000 is? Is the fact that this is open cause for concern?

amne · Post by **amne** » Wed Aug 20, 2003 7:05 pm

are you running mldonkey? if yes:

Code: Select all

telnet 0 4000

and you have a text-interface.
if you didn't mess up with the config file, it should allow connections from localhost only

miunk · Post by **miunk** » Wed Aug 20, 2003 7:35 pm

Yes I am constantly running mldonkey. And it seems that I am safe - telnet connections to my ip port 4000 from the outside fail.

Is there any danger that someone could spoof that they are actually connecting from localhost?

zhenlin · Post by **zhenlin** » Thu Aug 21, 2003 2:05 am

No. Even if they did, the recieving end would be at 127.0.0.1 as well.

That's the thing about TCP/IP. Spoofing your IP is only good for DoS attacks.

devon · Post by **devon** » Thu Aug 21, 2003 7:02 am

If the person knew the commands and what happens, he/she doesn't need output from the server. I can telnet to a mail server and make a message without ever seeing the response from the server since I know what I am doing.

So if there was a buffer overflow exploit, I don't care what the servers tells me. I would just craft a packet from 127.0.0.1 with the proper data and be done.

zhenlin · Post by **zhenlin** » Thu Aug 21, 2003 3:09 pm

Yes... But, watch :-

Code: Select all

Legitmate:
xxx.xxx.xxx.xxx -> SYN(xxx.xxx.xxx.xxx, Ack: 0, Seq: CSEQ1) -> yyy.yyy.yyy.yyy
yyy.yyy.yyy.yyy -> SYN/ACK(yyy.yyy.yyy.yyy, Ack: CSEQ1, Seq: SSEQ1) -> xxx.xxx.xxx.xxx
xxx.xxx.xxx.xxx -> SYN(xxx.xxx.xxx.xxx, Ack: SSEQ1, Seq: CSEQ1) -> yyy.yyy.yyy.yyy

Connection established.

DoS:

mmm.mmm.mmm.mmm -> SYN(xxx.xxx.xxx.xxx, Ack: 0, Seq: MSEQ1) -> yyy.yyy.yyy.yyy
yyy.yyy.yyy.yyy -> SYN/ACK(yyy.yyy.yyy.yyy, Ack: MSEQ1, VSEQ1) -> xxx.xxx.xxx.xxx
xxx.xxx.xxx.xxx : Huh? I never sent a SYN with sequence number MSEQ1.

Connection failed.

So, you cannot even establish a connection if you spoof your IP - let alone send a malicious packet.

In any case, a good firewall should block packets claiming to have originated from 127.0.0.1

devon · Post by **devon** » Thu Aug 21, 2003 4:30 pm

zhenlin wrote:So, you cannot even establish a connection if you spoof your IP - let alone send a malicious packet.

While a TCP connection would fail (assuming you cannot intercept the SYN/ACK somehow), I don't think a UDP connection would have that problem. If I am wrong, please let me know. This is all conjecture as I don't actively try to attack hosts.

viperlin · Post by **viperlin** » Sun Aug 31, 2003 2:15 am

i've been thinking about this alot since the SoBig virus came out (fakes the e-mail address and sending IP and everything in the headers)
i was wondering how it does it really.
I know how it can fake most info but how does it fake the "Received:" bit?
i assumed it was some form of IP spoof by entering your network card into promiscuous mode and changing the source address (like nmap does with the -S flag)
i've been trying it for fun but still no luck, i've been using my own smtp server and sending them to my other e-mail account and looking at the headers.
i can't figure out how i put my network card into Promiscuous mode and specify the source IP (it's done with ifconfig i think, it has the option) but cannot find the method or command to do it.
don't supose anyones played with this.

SpinDizzy · Post by **SpinDizzy** » Sun Aug 31, 2003 3:28 am

AFAIK sobig doesn't fake the sending IP headers, just the senders address. You can inject fake received headers, but they are usually easily spotted by eyeball...