# nmap scan - remoteanything?

## miunk

Anyone know what "remoteanything" listening on port 4000 is?  Is the fact that this is open cause for concern?

----------

## amne

are you running mldonkey? if yes:

```
telnet 0 4000
```

and you have a text-interface.

if you didn't mess up with the config file, it should allow connections from localhost only  :Smile: 

----------

## miunk

Yes I am constantly running mldonkey.  And it seems that I am safe - telnet connections to my ip port 4000 from the outside fail.

Is there any danger that someone could spoof that they are actually connecting from localhost?

----------

## zhenlin

No. Even if they did, the receiving end would be at 127.0.0.1 as well.

That's the thing about TCP/IP. Spoofing your IP is only good for DoS attacks.

----------

## devon

If the person knew the commands and what happens, he/she doesn't need output from the server. I can telnet to a mail server and make a message without ever seeing the response from the server since I know what I am doing.  :Smile: 

So if there was a buffer overflow exploit, I don't care what the servers tells me. I would just craft a packet from 127.0.0.1 with the proper data and be done.

----------

## zhenlin

Yes... But, watch :-

```
Legitimate:

xxx.xxx.xxx.xxx -> SYN(xxx.xxx.xxx.xxx, Ack: 0, Seq: CSEQ1) -> yyy.yyy.yyy.yyy

yyy.yyy.yyy.yyy -> SYN/ACK(yyy.yyy.yyy.yyy, Ack: CSEQ1, Seq: SSEQ1) -> xxx.xxx.xxx.xxx

xxx.xxx.xxx.xxx -> ACK(xxx.xxx.xxx.xxx, Ack: SSEQ1, Seq: CSEQ1) -> yyy.yyy.yyy.yyy

Connection established.

DoS:

mmm.mmm.mmm.mmm -> SYN(xxx.xxx.xxx.xxx, Ack: 0, Seq: MSEQ1) -> yyy.yyy.yyy.yyy

yyy.yyy.yyy.yyy -> SYN/ACK(yyy.yyy.yyy.yyy, Ack: MSEQ1, Seq: VSEQ1) -> xxx.xxx.xxx.xxx

xxx.xxx.xxx.xxx : Huh? I never sent a SYN with sequence number MSEQ1.

Connection failed.
```

So, you cannot even establish a connection if you spoof your IP - let alone send a malicious packet.

In any case, a good firewall should block packets claiming to have originated from 127.0.0.1
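As an added illustration (not part of zhenlin's post), a small Python simulation of the exchange diagrammed above: the host names xxx, yyy and mmm are the constructed placeholders from the diagram, the network routes purely by destination address, and each host checks the acknowledged sequence number the way a real stack does, so the SYN/ACK for a spoofed SYN lands at the spoofed address and is reset before the spoofer ever reaches ESTABLISHED.

```python
import random
from collections import namedtuple
# src is whatever the sender writes into the header; the network never checks it.
Segment = namedtuple("Segment", "src dst flags seq ack")

class Host:
    def __init__(self, ip, listening=False):
        self.ip, self.listening = ip, listening
        self.pending = {}         # peer -> initial sequence number we sent to it
        self.established = set()  # peers with whom the handshake completed

    def syn(self, dst, claimed_src=None):
        # A legitimate client writes its own IP; a spoofer writes someone else's.
        isn = random.randrange(2**32)
        self.pending[dst] = isn
        return Segment(claimed_src or self.ip, dst, "SYN", isn, 0)

    def receive(self, seg):
        """Process one segment and return the reply this host puts on the wire, if any."""
        if seg.flags == "SYN" and self.listening:
            isn = random.randrange(2**32)
            self.pending[seg.src] = isn
            return Segment(self.ip, seg.src, "SYN/ACK", isn, seg.seq + 1)
        if seg.flags == "SYN/ACK":
            isn = self.pending.get(seg.src)
            if isn is None or seg.ack != isn + 1:
                # "Huh? I never sent a SYN with that sequence number": reset it.
                return Segment(self.ip, seg.src, "RST", seg.ack, 0)
            self.established.add(seg.src)
            return Segment(self.ip, seg.src, "ACK", isn + 1, seg.seq + 1)
        if seg.flags == "ACK" and self.pending.get(seg.src) == seg.ack - 1:
            self.established.add(seg.src)
        if seg.flags == "RST":
            self.pending.pop(seg.src, None)  # half-open entry torn down
        return None

def deliver(net, seg):
    """Route each segment by its destination address only, as a network does."""
    trace = []
    while seg is not None:
        trace.append(f"{seg.src} -> {seg.flags}(seq={seg.seq}, ack={seg.ack}) -> {seg.dst}")
        seg = net[seg.dst].receive(seg)
    return trace

def run(spoof):
    """Return (trace, established peers of xxx, of yyy, of mmm) for one handshake attempt."""
    xxx, yyy, mmm = Host("xxx"), Host("yyy", listening=True), Host("mmm")
    net = {h.ip: h for h in (xxx, yyy, mmm)}
    first = mmm.syn("yyy", claimed_src="xxx") if spoof else xxx.syn("yyy")
    return deliver(net, first), sorted(xxx.established), sorted(yyy.established), sorted(mmm.established)
```

Calling `run(False)` yields the three-segment legitimate handshake; `run(True)` shows yyy answering xxx, xxx replying with RST, and no host ending up in ESTABLISHED.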

----------

## devon

*zhenlin wrote:*

> So, you cannot even establish a connection if you spoof your IP - let alone send a malicious packet.

While a TCP connection would fail (assuming you cannot intercept the SYN/ACK somehow), I don't think a UDP connection would have that problem. If I am wrong, please let me know. This is all conjecture as I don't actively try to attack hosts.  :Wink: 

----------

## viperlin

i've been thinking about this a lot since the SoBig virus came out (fakes the e-mail address and sending IP and everything in the headers)

i was wondering how it does it really. 

I know how it can fake most info but how does it fake the "Received:" bit?

i assumed it was some form of IP spoof by entering your network card into promiscuous mode and changing the source address (like nmap does with the -S flag)

i've been trying it for fun but still no luck, i've been using my own smtp server and sending them to my other e-mail account and looking at the headers.

i can't figure out how i put my network card into promiscuous mode and specify the source IP (it's done with ifconfig i think, it has the option) but cannot find the method or command to do it.

don't suppose anyone's played with this.

----------

## SpinDizzy

AFAIK sobig doesn't fake the sending IP headers, just the sender's address. You can inject fake received headers, but they are usually easily spotted by eyeball...

----------