Found an unauthorized server on our network. Here's an NMAP log:
- - -
# nmap (V. 3.00) scan initiated Fri Jun 27 14:11:47 2003 as: nmap -sS -PT -PI -I -R -O -T 3 -oN C:\Documents and Settings\dawi99\Skrivbord\10_1_1_253.log 10.1.1.253
Interesting ports on (10.1.1.253):
(The 1592 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
25/tcp open smtp
113/tcp open auth
199/tcp open smux
443/tcp open https
3389/tcp open ms-term-serv
13722/tcp open VeritasNetbackup
13782/tcp open VeritasNetbackup
13783/tcp open VeritasNetbackup
No exact OS matches for host (If you know what OS is running on it, see
http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=3.00%P=i686-pc-windows-windows%D=6/27%Time=3EFC34DB%O=22%C=1)
TSeq(Class=RI%gcd=1%SI=2B7DB1%IPID=I%TS=100HZ)
TSeq(Class=RI%gcd=1%SI=2BB11D%IPID=I%TS=100HZ)
TSeq(Class=RI%gcd=1%SI=42B4FA%IPID=I%TS=100HZ)
T1(Resp=Y%DF=Y%W=3F25%ACK=S++%Flags=AS%Ops=MENNTNW )
T2(Resp=Y%DF=N%W=7D78%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=Y%W=3F25%ACK=S++%Flags=AS%Ops=MENNTNW )
T4(Resp=Y%DF=N%W=7D78%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=N%W=7D78%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=N%W=7D78%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RIPCK=E% UCK=E%ULEN=134%DAT=E)
Uptime 217.478 days (since Fri Nov 22 01:44:22 2002)
# Nmap run completed at Fri Jun 27 14:13:15 2003 -- 1 IP address (1 host up) scanned in 88 seconds
- - -
I want to know more about this server, in other words, who has set it up. It has a private network IP that nothing else has in our net, and our routers shouldn't be routing to that network anyway, unless he got into the router and changed stuff.
Anyone have any ideas? How can I nail this guy? It's probably someone sitting on our cable net.
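As an added example (not part of the original post and not nmap's own code), the Python below parses nmap 3.x normal output (`-oN`) like the log above into structured data, lists the open ports, pulls out the services that are normally installed on purpose by an administrator (SSH, Terminal Services, the SNMP `smux` multiplexer, and the Veritas NetBackup client daemons on 13722/13782/13783), and sanity-checks the reported uptime against the scan time. Those deliberately installed services are the leads for matching the box against an asset inventory or change records; a NetBackup client in particular is normally enrolled with a backup master server. The regexes and the `MANAGEMENT_SERVICES` set are my own assumptions about the log format, and the sample input is a trimmed copy of the post's output.

```python
"""Parse an nmap 3.x normal-output (-oN) log into structured data so a rogue
host's open ports and reported uptime can be compared with inventory records.
Added example; the format assumptions below are mine, not nmap's API."""
import re
from datetime import datetime, timedelta

# Constructed sample input: a trimmed copy of the -oN log quoted in the post.
SAMPLE_LOG = r"""# nmap (V. 3.00) scan initiated Fri Jun 27 14:11:47 2003 as: nmap -sS -PT -PI -I -R -O -T 3 -oN 10_1_1_253.log 10.1.1.253
Interesting ports on (10.1.1.253):
(The 1592 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
25/tcp open smtp
113/tcp open auth
199/tcp open smux
443/tcp open https
3389/tcp open ms-term-serv
13722/tcp open VeritasNetbackup
13782/tcp open VeritasNetbackup
13783/tcp open VeritasNetbackup
No exact OS matches for host (If you know what OS is running on it, see
http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
TSeq(Class=RI%gcd=1%SI=2B7DB1%IPID=I%TS=100HZ)
T1(Resp=Y%DF=Y%W=3F25%ACK=S++%Flags=AS%Ops=MENNTNW )
Uptime 217.478 days (since Fri Nov 22 01:44:22 2002)
# Nmap run completed at Fri Jun 27 14:13:15 2003 -- 1 IP address (1 host up) scanned in 88 seconds
"""

TIME_FMT = "%a %b %d %H:%M:%S %Y"  # nmap 3.x writes ctime()-style local timestamps
HEADER_RE = re.compile(r"^# nmap \(V\. ([\d.]+)\) scan initiated (.+?) as: (.+)$")
TARGET_RE = re.compile(r"^Interesting ports on .*\((\d+\.\d+\.\d+\.\d+)\)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")
UPTIME_RE = re.compile(r"^Uptime ([\d.]+) days \(since (.+)\)")
FP_RE = re.compile(r"^(?:SInfo|TSeq|T[1-7]|PU)\(")  # OS fingerprint probe lines

# Services an administrator installs deliberately (assumed set, by nmap service
# name); these are the best leads for "who set this host up".
MANAGEMENT_SERVICES = {"ssh", "ms-term-serv", "smux", "VeritasNetbackup"}


def parse_nmap_log(text):
    """Return scan metadata, per-port records, fingerprint lines and uptime."""
    info = {"version": None, "scan_started": None, "command": None,
            "target": None, "ports": [], "fingerprint": [],
            "uptime_days": None, "boot_time": None}
    for line in text.splitlines():
        line = line.strip()
        if m := HEADER_RE.match(line):
            info["version"] = m.group(1)
            info["scan_started"] = datetime.strptime(m.group(2), TIME_FMT)
            info["command"] = m.group(3)
        elif m := TARGET_RE.match(line):
            info["target"] = m.group(1)
        elif m := PORT_RE.match(line):
            info["ports"].append({"port": int(m.group(1)), "proto": m.group(2),
                                  "state": m.group(3), "service": m.group(4)})
        elif FP_RE.match(line):
            info["fingerprint"].append(line)
        elif m := UPTIME_RE.match(line):
            info["uptime_days"] = float(m.group(1))
            info["boot_time"] = datetime.strptime(m.group(2), TIME_FMT)
    return info


def open_ports(info):
    """Sorted list of port numbers nmap reported as open."""
    return sorted(p["port"] for p in info["ports"] if p["state"] == "open")


def management_services(info):
    """{port: service} for open services that imply deliberate administration."""
    return {p["port"]: p["service"] for p in info["ports"]
            if p["state"] == "open" and p["service"] in MANAGEMENT_SERVICES}


def uptime_drift_hours(info):
    """Hours between (reported boot time + uptime) and the scan start.

    nmap computes the 'since' date from its own clock, so the two should agree
    to within about an hour; the log above is off by roughly one hour, which
    matches a DST change between a November boot and a June scan. A much
    larger gap suggests a hand-edited log or a badly wrong scanner clock."""
    expected = info["boot_time"] + timedelta(days=info["uptime_days"])
    return abs((info["scan_started"] - expected).total_seconds()) / 3600.0


if __name__ == "__main__":
    parsed = parse_nmap_log(SAMPLE_LOG)
    print("target:", parsed["target"], "nmap", parsed["version"])
    print("open ports:", open_ports(parsed))
    print("admin-installed services:", management_services(parsed))
    print("boot time:", parsed["boot_time"], "drift (h): %.2f" % uptime_drift_hours(parsed))
```

Run it against a real `-oN` file with `parse_nmap_log(open(path).read())`; the `management_services` output is what to take to the backup, Windows and Unix teams when asking who owns the machine.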