-
June 30th, 2004, 09:40 AM
#21
Hmm, go to http://www.chkrootkit.org/ and get chkrootkit and run it. Just to be sure, although, i think that tedob has hit the point here. Ive not seen an understandable answer here to what tedob has said. Are you scanning the boxes in the internal network, using the internal lan ip, or the real ip?? It would help to understand your network setup a bit better.
Cheers.
Ubuntu-: Means in African : "Im too dumb to use Slackware"
-
June 30th, 2004, 12:25 PM
#22
Junior Member
The target is in the internet and i´m scanning the real IP from internet on eth0, but the target is behind adsl-router.
thanks
-
June 30th, 2004, 01:03 PM
#23
if both scan results are equal (scanning internet ip and scan internal ip address), i cant be the adsl-router. Port 80 must be open at host.
However, im confused. You've mencioned the "port is filtered or opened". Those 2 status are VERY diferent.
"port is opened" means that there is a process accepting connections at target host
"port is filtered" means that nmap couldnt get a response from host and its assuming that a firewall or equivalent is blocking requests to that port. I.E. if you configure netfilter with -J DROP on port 80, port will appear as "filtered".
if port is flaged as "opened", some one is accepting connections there. But if no process is listen to that port...only idea that come is a port redirect.
Meu sítio
FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
If I die before I sleep, I pray the Lord my soul to encrypt. If I die before I wake, I pray the Lord my soul to brake.
-
June 30th, 2004, 01:58 PM
#24
Junior Member
The port is opened and i have a iptables in this host with follow rule: iptables -P INPUT DROP
-
June 30th, 2004, 04:02 PM
#25
Now for the simple answer. If you're scanning from across the internet and port 80 is showing as open, don't worry about it. Lots of ISP's use transparent caching on port 80, and this is why port 80 appears to be open when in fact it's not.
To prove that port 80 isn't really open, try starting apache on the machine you scanned. If 80 is in use, apache will complain that it can't bind to the port and will refuse to run. If it starts and you can retrieve web pages from that PC, you can be sure it was appearing as open because of transparent caching.
To be doubly sure, you could use the perl script at www.cgi101.com that returns all your environment variables and view the page from the PC you used to scan from. If you don't understand what they mean, post the environment variables here, as transparent caching is very easy to spot from environment variables.
-
June 30th, 2004, 04:12 PM
#26
Junior Member
Only apache can be used for this test. I haven't apache installed on host, but i have others services, i.e. postfix, squid, samba.
Other information, i disabled ports 80/tcp and 80/udp in /etc/services
Thanks by help
-
June 30th, 2004, 05:00 PM
#27
hacinn. turn OFF your computer and leave the router turned on. go to someone elses computer and scan your ip address. unless you have set up the router to foward ports every reply the scan gives you will be coming from the router. if you dont have access to a scanner on anothers computer use the browser and go to your ip address: http://XX.XXX.XX.XXX. if you get a login box and you know your computer is turned off you'll have your answer
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
-
June 30th, 2004, 06:19 PM
#28
Junior Member
I unpluged the host target from internet and i leave router turn on. Then i ran nmap against IP address of the host (200.202.204.206), and the result show port 80 open. Then i ran nmap against router IP address and port 80 opened too.
My Host IP Internet My ADSL-router ADSL-router Target Host Target
200.201.202.204 -----> 200.201.202.200 ------->INTERNET --------> 200.202.204.205 ------->200.202.204.206
run nmap port 80 open port 80 open
I'm crazy
-
June 30th, 2004, 06:46 PM
#29
ok, if the host isnt there (unpluged from router) the 'open' can only be coming from the router...there is nowhere else fo it to come from. right?
use the browser on 200.201.202.204 and goto http://200.202.204.206. you'll get a login box. if you know the routers password you can get in.
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
-
June 30th, 2004, 07:33 PM
#30
Junior Member
I tried to browse in http://200.202.204.206 and http://200.202.204.205, but the page not cann´t be showed.
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|