% sudo nmap -sS 24.73.99.22 -F -sS -O

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-05-10 20:53 CEST
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Interesting ports on rrcs-se-24-73-99-22.biz.rr.com (24.73.99.22):
(The 1657 ports scanned but not shown below are in state: filtered)
PORT      STATE SERVICE
25/tcp    open  smtp
31337/tcp open  Elite
Device type: general purpose
Running: Microsoft Windows NT/2K/XP
OS details: Microsoft Windows 2000 SP4 or Windows XP SP1

Nmap run completed -- 1 IP address (1 host up) scanned in 764.288 seconds
% nc 24.73.99.22 31337
GET http://linuxfr.org/ HTTP/1.0

HTTP/1.0 403 Access Forbidden
Content-Type: text/html

<HTML><HEAD><TITLE>407 Proxy Authentication Required</TITLE></HEAD><BODY><H1>Proxy Authentication Required</H1><H4>Unable to complete request<P>Access denied due to authentication failure.</H4><HR></BODY></HTML>
% nc 24.73.99.22 25
220 dell SMTP service ready
HELP
214 Help message
HELO plop
250 Requested mail action okay, completed.
MAIL FROM:<>
250 Requested mail action okay, completed.
RCPT TO:<postmaster>
451 Requested action aborted: local error in processing

% nc 24.73.99.22 25
220 dell SMTP service ready
HELO plop
250 Requested mail action okay, completed.
MAIL FROM:<test@yahoo.fr>
250 Requested mail action okay, completed.
RCPT TO:<test@mama.org>
521 dell does not accept mail
RCPT TO:<postmaster>
451 Requested action aborted: local error in processing
An open port 31337, a completely broken SMTP server. The question is: is this a machine compromised by a spammer, or a machine that simply belongs to spammers?

The reverse DNS looks like a home user's machine (rr.com seems to be an ISP), so the odds are that this poor Microsoft Windows box is compromised.

Consequently, iptables drops connections coming from this machine, for want of tarpit.
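The two SMTP sessions above show the answers that mark the server as broken: a conformant MTA must accept MAIL FROM:<> and RCPT TO:<postmaster> (RFC 5321), and a 521 reply means the host claims not to accept mail at all. This added example (not from the post) replays that probe sequence with smtplib against a server you administer and flags those replies; the hostnames, the `assess`/`probe` names and the captured reply list are constructed here.

```python
"""Replay the post's SMTP probe and flag non-conformant replies."""
import smtplib

# Probes from the post that a conformant MTA must answer with 2xx.
REQUIRED = {
    "MAIL FROM:<>": "null reverse-path must be accepted (RFC 5321 4.5.5)",
    "RCPT TO:<postmaster>": "postmaster must be accepted (RFC 5321 4.5.1)",
}

# Replies transcribed from the second nc session in the post (constructed list).
POST_REPLIES = [
    ("HELO plop", 250),
    ("MAIL FROM:<test@yahoo.fr>", 250),
    ("RCPT TO:<test@mama.org>", 521),
    ("RCPT TO:<postmaster>", 451),
]


def assess(replies):
    """replies: list of (command, reply_code) pairs as seen on the wire.
    Returns human-readable findings; an empty list means nothing odd."""
    findings = []
    for cmd, code in replies:
        key = cmd.strip()
        if key in REQUIRED and not 200 <= code < 300:
            findings.append(f"{key} -> {code}: {REQUIRED[key]}")
        if code == 521:
            findings.append(f"{key} -> 521: host claims it does not accept mail")
    return findings


def probe(host, port=25, timeout=10):
    """Run the post's probe sequence against a server you are allowed to test.
    Hypothetical helper: records (command, code) pairs for assess()."""
    replies = []
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        code, _ = s.helo("plop")
        replies.append(("HELO plop", code))
        code, _ = s.mail("<>")
        replies.append(("MAIL FROM:<>", code))
        code, _ = s.rcpt("<postmaster>")
        replies.append(("RCPT TO:<postmaster>", code))
    return replies


if __name__ == "__main__":
    for line in assess(POST_REPLIES):
        print(line)
```

Running `assess(probe("mail.example.org"))` on your own MTA reports the same two defects seen in the post if it rejects postmaster or answers 521.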