weird nmap scan

  1. #1
    Senior Member
    Join Date
    Jan 2003
    Posts
    120

    weird nmap scan

    Hey guys, I have a question. I scanned a computer of a friend and got this.


    Starting nmap V. 3.00 ( www.insecure.org/nmap )
    Interesting ports on
    (The 65487 ports scanned but not shown below are in state: closed)
    Port State Service
    21/tcp open ftp
    22/tcp open ssh
    25/tcp open smtp
    69/tcp filtered tftp
    110/tcp open pop-3
    111/tcp filtered sunrpc
    137/tcp filtered netbios-ns
    138/tcp filtered netbios-dgm
    139/tcp filtered netbios-ssn
    449/tcp filtered as-servermap
    513/tcp filtered login
    514/tcp filtered shell
    515/tcp filtered printer
    555/tcp filtered dsf
    1243/tcp filtered unknown
    2049/tcp filtered nfs
    2772/tcp filtered unknown
    2773/tcp filtered unknown
    3129/tcp filtered unknown
    4045/tcp filtered lockd
    4444/tcp filtered krb524
    6669/tcp filtered unknown
    6670/tcp filtered unknown
    6711/tcp filtered unknown
    6712/tcp filtered unknown
    6776/tcp filtered unknown
    6969/tcp filtered acmsoda
    7000/tcp filtered afs3-fileserver
    7100/tcp filtered font-service
    7215/tcp filtered unknown
    12345/tcp filtered NetBus
    12346/tcp filtered NetBus
    16660/tcp filtered unknown
    16959/tcp filtered subseven
    21544/tcp filtered unknown
    23456/tcp filtered unknown
    27374/tcp filtered subseven
    27665/tcp filtered Trinoo_Master
    30100/tcp filtered unknown
    31337/tcp filtered Elite
    31789/tcp filtered unknown
    33270/tcp filtered unknown
    39168/tcp filtered unknown
    50505/tcp filtered unknown
    54283/tcp filtered unknown
    54320/tcp filtered bo2k
    54321/tcp filtered unknown
    65000/tcp filtered unknown
    Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20
    Nmap run completed -- 1 IP address (1 host up) scanned in 565 seconds


    Is it just me, or are some of those backdoors supposed to be for Windows?

    the Open Source model doesn't offer any great benefit in
    terms of reliability and security. -Bill Gates

  2. #2
    Banned
    Join Date
    Jul 2002
    Posts
    877
    Ugh.... I can hardly imagine there being that much running on maybe one single home user machine. I bet he's probably running some kinda IDS... you can make those show up as just about anything... plus I've been seeing a lot of programs (mainly games) using just about any port they feel like communicating with... but either way, have you just simply told/asked the guy about it?

  3. #3
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    Remember, NMAP has no way of *truly* knowing what is running on those ports. It reads a database that has records of what typically listens on those ports. Until you actually walk up to the box and verify what it is, for all you know a webserver could be running on any of the trojan ports.

    Take a closer look at the list. Port state "filtered" appears for many of the ports. Filtered means that a firewall, filter, or other network obstacle is covering the port and preventing nmap from determining whether the port is open. These ports will more than likely be unreachable anyway.

    Also, I'd upgrade to NMAP 3.30. It has more fingerprint definitions and some bug fixes.
    http://www.insecure.org/

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
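
The distinction drawn in post #3, as an added example that is not part of the original thread: the Service column is a name looked up from the port number, and only the State column reflects what the probe observed. The function names (`parse_scan`, `triage`) and the result keys are hypothetical; the sample input is an excerpt of the scan in post #1.

```python
import re
from collections import defaultdict

# Excerpt of the scan posted in #1 (nmap 3.00 text output).
SCAN = """\
(The 65487 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
110/tcp open pop-3
139/tcp filtered netbios-ssn
12345/tcp filtered NetBus
27374/tcp filtered subseven
31337/tcp filtered Elite
54320/tcp filtered bo2k
"""

ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(open|closed|filtered)\s+(\S+)$")
HIDDEN = re.compile(
    r"^\(The (\d+) ports scanned but not shown below are in state: (\w+)\)$")

def parse_scan(text):
    """Return (rows_by_state, hidden); hidden is (count, state) or None."""
    by_state, hidden = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        row = ROW.match(line)
        if row:
            port, proto, state, name = row.groups()
            by_state[state].append((int(port), proto, name))
            continue
        summary = HIDDEN.match(line)
        if summary:
            hidden = (int(summary.group(1)), summary.group(2))
    return dict(by_state), hidden

def triage(text):
    """Split the listing into what the scan supports and what it does not."""
    by_state, hidden = parse_scan(text)
    return {
        # Something answered; the name is still a port-number lookup,
        # so confirm the actual listener on the host itself.
        "verify_on_host": [p for p, _, _ in by_state.get("open", [])],
        # A filter sits in the path; open vs. closed was not determined.
        "no_verdict": [p for p, _, _ in by_state.get("filtered", [])],
        "hidden": hidden,
    }

if __name__ == "__main__":
    for key, value in triage(SCAN).items():
        print(key, value)
```
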

  4. #4
    Senior Member
    Join Date
    Jan 2003
    Posts
    120
    Thanks. And yeah, I did ask the guy immediately when I saw all that stuff; he just said "I dunno". But he is a game freak and plays just about every major game out, so that is probably it. Thanks for your help.

  5. #5
    Developer Extraordinar
    Join Date
    Jul 2002
    Location
    Internets
    Posts
    571
    I can't believe no one suggested it was a honey pot. It could be that it scanned a router or something in between him and the guy he was scanning, and hit a router that was a honey pot, meaning it sucks "script kiddies" and "hackers" in, making them think all these ports are open.
    Come to UnError.com

  6. #6
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    As TH13 noted, the ports are in state 'Filtered'; what this really means is the packets are being rejected, not just dropped. So, A. He has a weird ass firewall running, B. His ISP is blocking well known trojan ports at their perimeter to avoid problems for their customers (which is what I believe is happening), C. Something else I didn't think of.

    -Maestr0


    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier

  7. #7
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    Tsk, tsk. Micro

    quote:
    I can't believe no one suggest it was a honey pot, it could be it scanned a router or something in between him...

    quote:
    Filtered means that a firewall, filter, or other network obstacle is covering the port...

    It's ok, brain farts hit me every now and then too.

  8. #8
    Developer Extraordinar
    Join Date
    Jul 2002
    Location
    Internets
    Posts
    571
    Tsk, tsk. Micro

    quote:
    I can't believe no one suggest it was a honey pot, it could be it scanned a router or something in between him...


    quote:
    Filtered means that a firewall, filter, or other network obstacle is covering the port...


    It's ok, brain farts hit me every now and then too.
    Pffft, I didn't have a brain fart, I didn't read your post, I just kinda skimmed over it!

    Besides, you never really said honeypot, but, I'm pretty sure that's what he is scanning...

  9. #9
    Member AZL's Avatar
    Join Date
    May 2002
    Location
    WBKK
    Posts
    45
    Originally posted here by Maestr0
    A. He has a weird ass firewall running,
    B. His ISP is blocking well known trojan ports at their perimeter to avoid problems for their customers (which is what I believe is happening).
    C. Something else I didn't think of.

    I guess the answer is B.
    My ISP filters that kind of port..... so if it is port scanned it will show filtered, although that PC doesn't have that port open.
