[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri Mar 3 10:39:39 2006
From: nocfed at gmail.com (nocfed)
Subject: New MSN Servers
On 3/3/06, ZeuZ <zeuz.netraptor@...il.com> wrote:
> Hi everybody, yesterday I was about to update something in my MSN Space and
> I found out something... Suddenly logginet.passport.com redirected me to
> www.msn-int.com (65.54.202.62) and at first I thought it was some kinda
> spyware, so I Switched to Linux and tryed again, and again the same... So I
> decided to check out with NMAP and I found out this:
> Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2006-03-04 03:03
> CET
> DNS resolution of 1 IPs took 0.03s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0,
> SF: 0, TR: 1, CN: 0]
> Initiating SYN Stealth Scan against 65.54.202.62 [1672 ports] at 03:03
> Discovered open port 80/tcp on 65.54.202.62
> SYN Stealth Scan Timing: About 26.67% done; ETC: 03:05 (0:01:22 remaining)
> The SYN Stealth Scan took 102.54s to scan 1672 total ports.
> Initiating service scan against 1 service on 65.54.202.62 at 03:05
> The service scan took 7.10s to scan 1 service on 1 host.
> Warning: OS detection will be MUCH less reliable because we did not find
> at least 1 open and 1 closed TCP port
> For OSScan assuming port 80 is open, 39518 is closed, and neither are
> firewalled
> For OSScan assuming port 80 is open, 38324 is closed, and neither are
> firewalled
> Insufficient responses for TCP sequencing (3), OS detection may be less
> accurate
> For OSScan assuming port 80 is open, 41733 is closed, and neither are
> firewalled
> Host 65.54.202.62 appears to be up ... good.
> Interesting ports on 65.54.202.62:
> (The 1671 ports scanned but not shown below are in state: filtered)
> PORT STATE SERVICE VERSION
> 80/tcp open http Microsoft IIS webserver 6.0
> Device type: firewall
> Running (JUST GUESSING) : Netscreen ScreenOS (85%)
> Aggressive OS guesses: Netscreen 5XP firewall+vpn (os 4.0.3r2.0) (85%)
> No exact OS matches for host (test conditions non-ideal).
> TCP/IP fingerprint:
> SInfo(V=4.01%P=i686-pc-linux-gnu%D=3/4%Tm=4408F60C%O=80%C=-1)
> TSeq(Class=C%Val=1E240%IPID=Z%TS=U)
> T1(Resp=N)
> TSeq(Class=C%Val=1E240%IPID=Z%TS=U)
> T1(Resp=Y%DF=Y%W=7D77%ACK=S++%Flags=AS%Ops=)
> T2(Resp=N)
> T1(Resp=Y%DF=Y%W=7D77%ACK=S++%Flags=AS%Ops=)
> T2(Resp=N)
> T3(Resp=N)
> T2(Resp=N)
> T3(Resp=Y%DF=Y%W=7D76%ACK=O%Flags=AS%Ops=)
> T4(Resp=N)
> T3(Resp=Y%DF=Y%W=7D76%ACK=O%Flags=AS%Ops=)
> T4(Resp=N)
> T5(Resp=N)
> T4(Resp=N)
> T5(Resp=N)
> T6(Resp=N)
> T5(Resp=N)
> T6(Resp=N)
> T7(Resp=Y%DF=Y%W=7D78%ACK=S++%Flags=A%Ops=)
> T6(Resp=N)
> T7(Resp=Y%DF=Y%W=7D78%ACK=S++%Flags=A%Ops=)
> PU(Resp=N)
> T7(Resp=Y%DF=Y%W=7D78%ACK=S++%Flags=A%Ops=)
> PU(Resp=N)
> PU(Resp=N)
>
> TCP Sequence Prediction: Class=constant sequence number (!)
> Difficulty=0 (Trivial joke)
> IPID Sequence Generation: All zeros
> Service Info: OS: Windows
>
> Nmap finished: 1 IP address (1 host up) scanned in 140.366 seconds
> Raw packets sent: 3421 (153KB) | Rcvd: 2069 (98.1KB)
>
>
> So, literally MSN Network is derivating space's user's data trhough some
> firewall to another host, perhaps just to increase something in user's
> accounts...
> I also cheked out with a traceroute of the hops it was making... Until hop
> 21 here there where no coincidence, diferent rotuers and diferent gateways
> in the process... but then they started to center in SAAVIS (both MSN.ES
> and MSN-INT.COM)
> Now, should this be considered as a mere Microsoft new idea or is just a
> problem that I'm having?
> Maybe it's just me, but I want to be sure, seems like if Microsoft was
> about to change it's system network once again....
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
> http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
Do you expect them to only have one peer?
Do you expect them to not use load balancing but only 1 server?
I fail to see a point here.
Powered by blists - more mailing lists