Funny Things Computers Say

by Doctor Electron

Computers can say funny and just plain weird things. Humans behind the scenes may or may not want to take credit.

The charming Net Census elves -- automated programs -- chat with computers all over in a relentless search for the lighter side of the internet. "xxx" blocks out real data in examples below:

DNS

"Host Name of the Month" winner:

xxx.xxx.47.215;didYouReallyThinkYouCouldScanOurReverseZones.xxx.com

Even Maj. Hog was stumped by this one. At first glance, this appeared to be a sex-oriented (...ScanOurReverseZones) web site hoping to provoke visitor interest (didYouReallyThinkYouCould...). A lookup of "reverse zones" revealed that this jargon can refer to something else -- a group of entries in a domain name server (DNS). With some explaining, even Maj. Hog could grasp that "scan" did not mean looking at the "reverse zones" of people (or hogs), but rather referred to a port scan of a computer.

A port scan of a computer at an IP address may be considered as anything from impolite to intrusive. The scanner may ask thousands of questions, so to speak, which can be bothersome, especially if the computer doesn't want to talk.

To make a long story short, the scanner may later look up the host name of the scanned IP address and discover the host name contains a sort of personal message. This host may be trying to send a message to somebody. However, such a message is neither personal nor private. This host name was obtained from a web page log of visitors, so this host browses the internet. It also seems to reveal that the address may be in the "reverse zone" list, something a scanner may not have known.

If you don't believe any of this, this may be just a sex site.

FTP

Here an FTP server announces:

220 ********* Warning Warning Warning *******
220-This FTP site is running a copy of WFTPD that is NOT REGISTERED

A public confession? Maybe by now they have it registered. Two other favorites are:

421 You are not permitted to make this connection.
501 Not permitted to connect to xxx.xxx.xxx.xxx

The writers of these commentaries are probably programmers who know how computers connect over the internet, but may not be 100% on what "not permitted" means. If the boss has said the connection between the two computers is "not permitted" then why does the host accept the connection? Oops. Maybe the boss is on vacation. I feel like saying, "If your Mom or Dad doesn't want us to talk, maybe we should respect that." Maybe the host computer "just wanted to hear my voice one last time."

In cases like those shown above, the host computer already can know a connection with a client computer is "not permitted" before accepting the connection since the request contains the correct internet protocol (IP) address of the source.

It works like this: (1) Client to host, "Can we talk? I include my number [IP address] for your reply." (2) Host to client, "Yes, I'm listening." (3) Client confirms to host, "Thank you." These steps are known as a TCP handshake. Then either the client or host can say what is on their mind.

The host can omit (2), ignoring the request, or the client can omit (3), perhaps hoping (maybe falsely) that the host will then not log the connection request (1).

The host may want to test if the client will complete the process of establishing a connection or not with (3) above. Why? Well, such a test is done by people interested in the unconventional (not completing the connection), looking for others who share their interest. No harm is done; both parties are willing participants in the game. So it may be sort of like a "club" activity, where at the end of the day, everyone can sit down and compare notes.

Also, if the client omits (3), it is unusual and may be a cause for suspicion by the host. Likewise, if the host sends (2) and then later states that the connection is "not permitted", that is also a cause for suspicion by the client since the host appears to be breaking its own rules by accepting the connection.
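The three steps above can be recovered from a packet log, which is how a host notices a client that omits (3) and how a client notices a host that sends (2) and then says "not permitted". This is an added example, not code from Net Census; the log format, the addresses (documentation ranges) and the names classify, SAMPLE_LOG and REFUSAL are assumptions made for illustration.

```python
import re

# Constructed packet log (format invented for this example):
# time, sender > receiver, then SYN / SYN-ACK / ACK / DATA <text>.
SERVER = "198.51.100.5:21"
SAMPLE_LOG = """\
0.000 192.0.2.10:40001 > 198.51.100.5:21 SYN
0.001 198.51.100.5:21 > 192.0.2.10:40001 SYN-ACK
0.002 192.0.2.10:40001 > 198.51.100.5:21 ACK
0.050 198.51.100.5:21 > 192.0.2.10:40001 DATA 421 You are not permitted to make this connection.
1.000 192.0.2.77:40002 > 198.51.100.5:21 SYN
1.001 198.51.100.5:21 > 192.0.2.77:40002 SYN-ACK
2.000 192.0.2.99:40003 > 198.51.100.5:21 SYN
"""

LINE = re.compile(r"^\S+ (\S+) > (\S+) (SYN-ACK|SYN|ACK|DATA)(?: (.*))?$")
REFUSAL = re.compile(r"not (permitted|authorized)|refused|denied", re.I)


def classify(log, server=SERVER):
    """Return {client endpoint: furthest stage reached with `server`}."""
    state = {}
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that are not in the sample format
        src, dst, kind, text = m.groups()
        client = dst if src == server else src
        cur = state.get(client)
        if kind == "SYN" and src == client:
            state[client] = "ignored"            # step (1) seen, no reply yet
        elif kind == "SYN-ACK" and src == server and cur == "ignored":
            state[client] = "half-open"          # step (2) sent, (3) missing
        elif kind == "ACK" and src == client and cur == "half-open":
            state[client] = "established"        # step (3) completed
        elif kind == "DATA" and src == server and cur == "established":
            if REFUSAL.search(text or ""):
                # Host completed the handshake, then refused in its banner.
                state[client] = "accepted-then-refused"
    return state


if __name__ == "__main__":
    for client, stage in classify(SAMPLE_LOG).items():
        print(client, stage)
```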

If not suspicion, the good-hearted client might worry that the operator of the host computer might get into trouble for accepting connections that the boss has apparently said are "not permitted." Note: Don't worry, we won't tell anyone; but don't let the boss catch you accepting connections that are "not permitted".

If you think of computers as just something that people use to talk with each other, it seems that the desire to communicate is irresistible, even if that is "not permitted". Maybe it is something like a parent telling a daughter, "Go tell that boy you are not permitted to talk to him."

Connection closed by remote host.

If the connection were closed, this message could not be sent. In conventional situations, there are only two parties -- the client and the remote host. If one didn't do it, it must be the other one, and each can detect by themselves if the other one "reset" the connection.

This one is also cute:

530 Connection refused, unknown IP address.

This computer is lying through its teeth. It well knows the IP address, or the message could not have been sent to the client program over the internet. Liar, liar. What is probably meant is that the client IP address is not on the "approved" or "authorized" list of the host computer.

This was received from a site in Poland (.pl):

220-You are connected to our server, please note that all hack attempts are reported to the FBI.

Doesn't Poland have its own law enforcement? As for the Net Census lab, if we report any "hack attempts", it would be to law enforcement of the country involved or just to the service provider of the suspect along with the evidence (which better be good). Note: In fact, we have never made such a report.

It seems these people are nervous. This 220 welcome message seems to say, "There are some gold bars in the back room." and "If you try to steal them, we'll call the cops". I would wonder, "Why are you telling me this?" Maybe it is like those copyright and FBI notices at the beginning of video rentals.

At any rate, Net Census welcomes its many visitors from Poland and sends greetings. If you have gold bars in the vault, keep your eye on them. And maybe you might consider dropping the broadcast of that fact over the internet. Suffice it to say that some bad guys might see your "gold is here" announcement.

SMTP

Servers that receive incoming email (SMTP) tend to be polite, as in these three examples:

Sorry, you are not authorized to make this connection.
555 no domain at this ip address. goodbye!
503 5.5.0 Not accepting any command except QUIT

If things don't work out, they are "sorry" and say "goodbye". In the last one, it is "I'll help you find your way out".

250 xxx.xxx.xxx.xxx Hello yyy.yyy.yyy [zzz.zzz.zzz.zzz] (may be forged), pleased to meet you

Above, the host name (yyy) and IP address (zzz) of the lab client program were correct, and the SMTP server looked up the host name all by itself. The "may be forged" part may seem to be a bit inhospitable or paranoid, but that message was obtained in a mail relay study where the client told the host that the mail was originating from itself, that is, the "postmaster" at the IP address of the host. Most hosts detect this trick which spammers could use, and may respond like this:

553 5.1.8 ... Domain of sender address postmaster@[xxx.xxx.xxx.xxx] does not exist

As the rest of these transcripts show, the good part is that these SMTP servers do not allow email relay which could be used for spamming. It might be amusing, however, that the server states that it is located in a place that "does not exist". This statement is clearly false since that message arrives in packets from the IP address that "does not exist".

Telnet

Illegal entry, please retry

Huh? If the entry was illegal, why retry it? Oh, wait a minute, they are probably trying to say, "We don't understand your request" or "Nice girls don't do that".

Host banner of the month:

Wilbur's Wacky Woost

The "not permitted" message above can be embellished:

U.S. GOVERNMENT COMPUTER If not authorized to access this system, disconnect now. YOU SHOULD HAVE NO EXPECTATION OF PRIVACY By continuing, you consent to your keystrokes being recorded.

Print, cut and paste this message on your own personal computer and substitute your initials for "U.S." Get the idea?

Access denied for user NetCensus by SecurID

If you want to do survey research, you should identify yourself as much as possible. In person-to-person contacts, this tends to make the other person more comfortable. Over the internet, the other computer already has your "ID" -- your IP address -- in the "Can we talk?" step (1) above. However, it is suggested that you go beyond that. Net Census identified itself above in the user name slot.

Notice that the host can't resist saying it uses SecurID. Vendors of security products like to get their name out whenever possible; and maybe that is understandable as advertising. However, a malicious client now knows that SecurID is used and the next step (to do something malicious) might be to look up any known weaknesses of that product.

Check Point FireWall-1 authenticated Telnet server running on suicide3

suicide3? Either the administrator is depressed or I am turning around and running as fast as I can.

Permission Denied

Rough translation into English: If you ask anything, the answer will be "no".

More "gold in vault" announcements [my comments in brackets]:

*** WARNING: All login attempts are logged. Unauthorised use is prohibited. [Sounds slightly "bitter"; probably has been victimized in the past.]
Unauthorized access to this computer system and/or software is prohibited. -- Use of this system constitutes consent to security testing and monitoring. User: [and maybe full-body X-rays and brain implants, as well]
No authentication scheme for user NetCensus [How about solving a math problem?]
This system is for the use of authorized users only. Individuals using this computer system are subject to having their activities monitored and recorded by authorized company personnel. [Are all bets off if unauthorized company personnel do this?]
UNAUTHORIZED USE IS PROHIBITED AND MAY BE PROSECUTED [Previous intruders were found to be partially deaf, so this welcome shouts its message.]
Unauthorized use strictly prohibited. Violators shall be prosecuted to the fullest extent of the law. [I am no lawyer, but I think this may mean federal prison.]
You are not authorized to telnet to this box! Bye. [Maybe a hint of a real human being in this box.]
Wrong password! Try logging in again. [What good would that do if the password was wrong?]
You must have specific authorization to access this machine. Unauthorized users will be logged, monitored, and then shot on site! [Don't worry; they probably mean a photographic shot through your web camera.]
NOTICE -You are attempting to enter a private, restricted-user computer system. All access is logged and subject to real-time monitoring at any time and without notice. Authorized users only. [This host is so charming, its welcome is a false accusation. Probably there are also video cameras in the restrooms. Time to find more friendly company.]

The above "gold in vault" and "beware dog" announcements help both the good guys and the bad guys. The good guys know where they are not welcome. The bad guys learn where robberies might pay off [in a distorted view of reality, since most are likely to be caught]. The least revealing action may be for the host to refrain from accepting the connection, and thus nothing is said at all. However, some people can't resist talking, so we offer more polite and less revealing banners:

We are booked until year 2010. Sorry for any inconvenience.
Mom said I can't come out and play.
Welcome. Valid commands are:
(1) Format our hard drives (connection will be lost).
(2) Download user names and passwords in plain text.
(3) List classified directories.
(4) Command prompt with root privileges.
(5) List federal prisons where inmates have internet connections in each cell.

But not everybody makes "gold in vault" and "beware dog" announcements:

TELNET session now in ESTABLISHED state

Of course, lack of a warning is not a license to misbehave.
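A host operator can check banners for the kinds of disclosure discussed above (a product name such as SecurID, a machine name such as suicide3, or a "gold in vault" warning) before they go out over the internet. This is an added example, not code from Net Census; the patterns in CHECKS are heuristics assumed here, and the product list holds only names that appear in banners quoted on this page.

```python
import re

# FTP/SMTP replies start with a three-digit code, then "-" or a space.
REPLY = re.compile(r"^(\d{3})[- ](.*)$")

# Heuristics assumed for this example; extend them for a real environment.
CHECKS = [
    ("product", re.compile(r"\b(WFTPD|SecurID|FireWall-1)\b")),
    ("hostname", re.compile(r"\brunning on (\S+)")),
    ("gold-in-vault", re.compile(
        r"\b(unauthori[sz]ed|prohibited|prosecuted|monitored|reported to)\b",
        re.I)),
]

# Banners quoted on this page.
BANNERS = [
    "220-This FTP site is running a copy of WFTPD that is NOT REGISTERED",
    "Access denied for user NetCensus by SecurID",
    "Check Point FireWall-1 authenticated Telnet server running on suicide3",
    "UNAUTHORIZED USE IS PROHIBITED AND MAY BE PROSECUTED",
    "TELNET session now in ESTABLISHED state",
]


def audit(banner):
    """Return (reply_code, findings); findings is a list of (kind, text)."""
    m = REPLY.match(banner)
    code, text = (m.group(1), m.group(2)) if m else (None, banner)
    findings = [(kind, hit) for kind, rx in CHECKS for hit in rx.findall(text)]
    return code, findings


def revealing(banners):
    """Return only the banners that disclose something, with their findings."""
    return {b: audit(b)[1] for b in banners if audit(b)[1]}


if __name__ == "__main__":
    for banner, findings in revealing(BANNERS).items():
        print(findings, "<-", banner)
```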

Copyright © 2003 Global Services
Original publication: March 9, 2003
