RE: Odd identd behavior
From: Andrew Simmons (asimmons messagelabs.com)
Date: Mon Nov 14 2005 - 14:38:20 CST
>> This looks like the output from an FTP server. If I had to guess, I would
>> say that this looks like someone compromised a machine and installed a
>> warez ftp server on the identd port.
>>
>
>
>You're right, it does look like that. I didn't even think
> that it might be a standard service running on a different
> port.
>
nmap -sV -p [port] -v is your friend. Nmap service scan will identify the service (http, ldap, whatever), the server's name (apache, openldap,..) and version number (to some approximation) very reliably these days. The most recent version of nmap included lots of new service fingerprints; if it's a custom warez server it may still fingerprint as something recognisable, and if not, that in itself tells you something.
\a
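
The check discussed in this thread, reduced to its banner-matching step, as an added example that is not part of the original post and is not nmap's code. The patterns, the `EXPECTED` table and the sample banners are assumptions constructed for illustration; an ident server (RFC 1413) stays silent until queried, so any greeting on port 113 is reported as a mismatch.

```python
import re
import socket

# Illustrative patterns (assumptions), far smaller than nmap's fingerprint set.
SIGNATURES = [
    ("ssh", re.compile(rb"^SSH-\d\.\d+-")),
    ("smtp", re.compile(rb"^220[- ].*\bE?SMTP\b", re.I)),
    ("ftp", re.compile(rb"^220[- ]")),
    ("ident", re.compile(rb"^\s*\d{1,5}\s*,\s*\d{1,5}\s*:\s*(USERID|ERROR)\s*:")),
    ("http", re.compile(rb"^HTTP/\d\.\d \d{3}")),
]
# Service each port is supposed to carry on the audited host (assumption).
EXPECTED = {21: "ftp", 22: "ssh", 25: "smtp", 113: "ident"}

def grab_banner(host, port, timeout=5.0):
    """Read whatever the service sends unprompted; b'' if it stays silent."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(1024)
        except socket.timeout:
            return b""

def classify_banner(banner):
    """Name the protocol suggested by the first line of a banner."""
    lines = banner.splitlines()
    first = lines[0] if lines else b""
    for name, pattern in SIGNATURES:
        if pattern.search(first):
            return name
    return "unknown"

def assess(port, banner):
    """Compare what a port actually said with what it should be running."""
    expected = EXPECTED.get(port, "unknown")
    seen = classify_banner(banner) if banner.strip() else "silent"
    if expected == "ident" and seen == "silent":
        return "ok: silent until queried, as ident should be"
    if seen == expected:
        return f"ok: {seen}"
    return f"mismatch: port {port} expected {expected}, saw {seen}"

if __name__ == "__main__":
    # Constructed banners; on a host you administer, use grab_banner(host, port).
    samples = [(113, b"220-Constructed FTP greeting\r\n220 ready\r\n"),
               (113, b""), (22, b"SSH-2.0-ExampleSSH_1.0\r\n")]
    for port, banner in samples:
        print(assess(port, banner))
```
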