Hi everybody, yesterday I was about to update something in my MSN Space
and I found out something... Suddenly <a href="http://logginet.passport.com">logginet.passport.com</a> redirected
me to <a href="http://www.msn-int.com">www.msn-int.com</a> (<a href="http://65.54.202.62">65.54.202.62</a>) and at first I thought it was some
kinda spyware, so I switched to Linux and tried again, and again the
same... So I decided to check out with NMAP and I found out this:<br>
Starting Nmap 4.01 ( <a href="http://www.insecure.org/nmap/">http://www.insecure.org/nmap/</a> ) at 2006-03-04 03:03 CET<br>
DNS resolution of 1 IPs took 0.03s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]<br>
Initiating SYN Stealth Scan against <a href="http://65.54.202.62">65.54.202.62</a> [1672 ports] at 03:03<br>
Discovered open port 80/tcp on <a href="http://65.54.202.62">65.54.202.62</a><br>
SYN Stealth Scan Timing: About 26.67% done; ETC: 03:05 (0:01:22 remaining)<br>
The SYN Stealth Scan took 102.54s to scan 1672 total ports.<br>
Initiating service scan against 1 service on <a href="http://65.54.202.62">65.54.202.62</a> at 03:05<br>
The service scan took 7.10s to scan 1 service on 1 host.<br>
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port<br>
For OSScan assuming port 80 is open, 39518 is closed, and neither are firewalled<br>
For OSScan assuming port 80 is open, 38324 is closed, and neither are firewalled<br>
Insufficient responses for TCP sequencing (3), OS detection may be less accurate<br>
For OSScan assuming port 80 is open, 41733 is closed, and neither are firewalled<br>
Host <a href="http://65.54.202.62">65.54.202.62</a> appears to be up ... good.<br>
Interesting ports on <a href="http://65.54.202.62">65.54.202.62</a>:<br>
(The 1671 ports scanned but not shown below are in state: filtered)<br>
PORT STATE SERVICE VERSION<br>
80/tcp open http Microsoft IIS webserver 6.0<br>
Device type: firewall<br>
Running (JUST GUESSING) : Netscreen ScreenOS (85%)<br>
Aggressive OS guesses: Netscreen 5XP firewall+vpn (os 4.0.3r2.0) (85%)<br>
No exact OS matches for host (test conditions non-ideal).<br>
TCP/IP fingerprint:<br>
SInfo(V=4.01%P=i686-pc-linux-gnu%D=3/4%Tm=4408F60C%O=80%C=-1)<br>
TSeq(Class=C%Val=1E240%IPID=Z%TS=U)<br>
T1(Resp=N)<br>
TSeq(Class=C%Val=1E240%IPID=Z%TS=U)<br>
T1(Resp=Y%DF=Y%W=7D77%ACK=S++%Flags=AS%Ops=)<br>
T2(Resp=N)<br>
T1(Resp=Y%DF=Y%W=7D77%ACK=S++%Flags=AS%Ops=)<br>
T2(Resp=N)<br>
T3(Resp=N)<br>
T2(Resp=N)<br>
T3(Resp=Y%DF=Y%W=7D76%ACK=O%Flags=AS%Ops=)<br>
T4(Resp=N)<br>
T3(Resp=Y%DF=Y%W=7D76%ACK=O%Flags=AS%Ops=)<br>
T4(Resp=N)<br>
T5(Resp=N)<br>
T4(Resp=N)<br>
T5(Resp=N)<br>
T6(Resp=N)<br>
T5(Resp=N)<br>
T6(Resp=N)<br>
T7(Resp=Y%DF=Y%W=7D78%ACK=S++%Flags=A%Ops=)<br>
T6(Resp=N)<br>
T7(Resp=Y%DF=Y%W=7D78%ACK=S++%Flags=A%Ops=)<br>
PU(Resp=N)<br>
T7(Resp=Y%DF=Y%W=7D78%ACK=S++%Flags=A%Ops=)<br>
PU(Resp=N)<br>
PU(Resp=N)<br>
<br>
TCP Sequence Prediction: Class=constant sequence number (!)<br>
Difficulty=0 (Trivial joke)<br>
IPID Sequence Generation: All zeros<br>
Service Info: OS: Windows<br>
<br>
Nmap finished: 1 IP address (1 host up) scanned in 140.366 seconds<br>
Raw packets sent: 3421 (153KB) | Rcvd: 2069 (98.1KB)<br>
<br>
<br>
So, literally MSN Network is diverting Spaces users' data through
some firewall to another host, perhaps just to increase something
in users' accounts...<br>
I also checked with a traceroute the hops it was making... Until
hop 21 there were no coincidences, different routers and different
gateways in the process... but then they started to center on
SAAVIS (both <a href="http://MSN.ES">MSN.ES</a> and <a href="http://MSN-INT.COM">MSN-INT.COM</a>) <br>
Now, should this be considered a mere new Microsoft idea, or is it just a problem that I'm having?<br>
Maybe it's just me, but I want to be sure; it seems as if Microsoft was about to change its system network once again....<br>