So there I was this morning, checking out a random website. Well not so random. I used the services of resumecourier.ca the other week to blast my resume around agencies in this and neighbouring provinces.
Anyways, some place said they weren’t looking to hire at the moment blah blah blah. I decided to check them out, see who they are, just in case they might be useful to contact later.
The owners of conroyross didn’t appear to me to be all that web-savvy, and the glitzy but useless flash intro on their site as well as the obviously broken microsoftiousness led me to send an email to their web designer firm. I found their link at the bottom of the broken site’s pages.
Sent: Monday, November 01, 2004 10:09 AM
Subject: conroyross.com - asp/odbc site is broken
One of your clients has a series of broken pages on their asp/odbc driven website. You might want to look into it.
I initially got back a thank you email, followed by an invite to contact them for whatever reason they may have.
Hmm. Since I’m looking for opportunities for my little consulting company, let’s check techworks out. A few greps thru my web server logs, a whois, and a traceroute later, I’m sifting thru their website reading their propaganda.
Looks like they service little soho/sme businesses, the same target niche as Cyberdex. Cool. Maybe they need a hand.
While reading their site, I got a second email:
Subject: RE: conroyross.com - asp/odbc site is broken
X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0
Date: Mon, 1 Nov 2004 16:09:00 -0700
From: “Ron Johannesson” ronj @techworks.ca
Why are we receiving a portscan from your server?
protocol:UDP, source: 126.96.36.199, destination: 188.8.131.52,
ports: 33440, 33441, 33442, 33443, 33444, 33445, 33446, 33447, 33448,
Oh my. I best check my servers. Immediately I replied that I was unaware of what this was and that I would investigate. Mucho apologies, all I remember doing was a whois and a few greps thru my web log before looking at their site, and that I tend to only portscan IPs that are actively attacking me with virus/worms etc as an investigatory aid.
A bit of digging around later I discover that this is the UDP port range that traceroute uses when it does its thing. Ah. No problem. I relay this to them.
Why do you need to do a whois/traceroute or any scanning of our server?
Uhh…. Listen here Microsoft weenie. First you have a Windows 2000 server attached to the internet, running Exchange Server and IIS. Even with whatever firewall device you have in front or maybe even just in software, this is a very bad idea.
I of course don’t tell him that… he would just get all huffy. Well, he probably got all huffy from what I DID send, which was:
Standard internet investigative tools, to find out where a server is, who runs it, etc. This stuff is public knowledge, you can’t hide it. Nothing sinister meant by any of this. Just idle curiosity.
Get over it.
Traceroute is not portscanning. It is not an attack. Neither is whois or a number of other network admin tools. They are simply information gathering devices to determine where a server is, who owns it, and so forth.
People who get their security/privacy knickers in a twist over these tools being used against their servers had best get the fsck out of the way, off the internet, before they have a coronary. This is the way the net works. Grab a clue.
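For anyone triaging an alert like the one quoted above, here is a small added example (not from the original emails or any firewall vendor) that parses that alert format and separates traceroute-style probing from a real port sweep. It assumes classic Unix traceroute defaults (UDP base port 33434, three probes per hop, 30 hops); the sample addresses, function names and the scan threshold are constructed for illustration.

```python
import re

# Assumption: classic Unix traceroute defaults. UDP probes start at port 33434
# and the port goes up by one per probe (3 probes per hop, at most 30 hops).
TRACEROUTE_BASE = 33434
TRACEROUTE_MAX = TRACEROUTE_BASE + 30 * 3

ALERT_RE = re.compile(
    r"protocol:\s*(?P<proto>\w+),\s*source:\s*(?P<src>[\d.]+),\s*"
    r"destination:\s*(?P<dst>[\d.]+),\s*ports:\s*(?P<ports>[\d,\s]+)"
)

# Constructed samples in the alert format quoted in the post. Addresses are
# documentation ranges, not the hosts from the story.
TRACEROUTE_ALERT = """protocol:UDP, source: 192.0.2.10, destination: 198.51.100.20,
ports: 33440, 33441, 33442, 33443, 33444, 33445, 33446, 33447, 33448,"""
SCAN_ALERT = ("protocol:TCP, source: 192.0.2.10, destination: 198.51.100.20, "
              "ports: 21, 22, 23, 25, 80, 110, 443")
SPARSE_ALERT = ("protocol:UDP, source: 192.0.2.10, destination: 198.51.100.20, "
                "ports: 53, 161")


def parse_alert(text):
    """Return (protocol, source, destination, sorted unique ports)."""
    m = ALERT_RE.search(text)
    if not m:
        raise ValueError("unrecognised alert format")
    ports = sorted({int(p) for p in m["ports"].replace(",", " ").split()})
    if not ports:
        raise ValueError("alert lists no ports")
    return m["proto"].upper(), m["src"], m["dst"], ports


def classify(text, scan_threshold=5):
    """Label an alert 'traceroute', 'portscan' or 'inconclusive'."""
    proto, _src, _dst, ports = parse_alert(text)
    in_range = TRACEROUTE_BASE <= ports[0] and ports[-1] <= TRACEROUTE_MAX
    consecutive = all(b - a == 1 for a, b in zip(ports, ports[1:]))
    # Sequential UDP ports inside the traceroute window: path probing, not a
    # sweep of service ports.
    if proto == "UDP" and in_range and consecutive:
        return "traceroute"
    # Many distinct ports outside that pattern is what a scan looks like.
    if len(ports) >= scan_threshold:
        return "portscan"
    return "inconclusive"


if __name__ == "__main__":
    for name in ("TRACEROUTE_ALERT", "SCAN_ALERT", "SPARSE_ALERT"):
        print(name, "->", classify(globals()[name]))
```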