-
nmap localhost
Hello there all
I just did an nmap on my gateway PC and found I have ftp (23) open
but I do not have ftp installed
well at least I do not think I have
I have Abyss Web Server, Overseer running and that is it
Can I use nmap to work out what ftp server is running?
-
What OS?
I'm going to assume Windows XP SP2:
start->run->cmd.exe
netstat -nab
It will list all open ports and what programs have them open.
If not, try downloading Fport from Foundstone, it will do the same thing.
-
Yes sorry, Win XP (sorry!!)
I knew about netstat but not the keys, will go upstairs and have a go
very useful
-
Um, port 23 is telnet, not ftp
-
Have you tried connecting to it?
-
Sorry, it is port 21 and nmap says it is open
and no, I cannot connect to it
this scares me somewhat
I did put Nessus server on there some time ago and cannot remember if I set it to run as a service, and I am sure that does not use port 21
PS: I tried to connect using Opera/Explorer and command line telnet
Any other ideas?
PPS:
netstat -nab did not show up any port 21 programme running
-
Did it show any port 21 at all?
Try Fport from Foundstone: http://www.foundstone.com/resources/...file=fport.zip
Probably wouldn't hurt to run HijackThis and post both results here (be sure to peruse through it to sanitize):
http://www.spywareinfo.com/~merijn/p...php#hijackthis
-
OK, here are the fport results taken off the local machine
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com
Pid Process Port Proto Path
736 abyssws -> 80 TCP E:\Abyss Web Server\abyssws.exe
1348 -> 135 TCP
4 System -> 139 TCP
640 Overseer -> 443 TCP C:\Program Files\Sequreware\Overseer\Overseer.exe
4 System -> 445 TCP
1544 LEXPPS -> 1025 TCP C:\WINDOWS\system32\LEXPPS.EXE
2716 -> 1040 TCP
2432 nessusd -> 1241 TCP C:\Program Files\Tenable\Nessus\nessusd.exe
1460 mDNSResponder -> 5354 TCP C:\Program Files\Bonjour\mDNSResponder.exe
736 abyssws -> 9999 TCP E:\Abyss Web Server\abyssws.exe
196 avgemc -> 10110 TCP C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
3416 ashMaiSv -> 12025 TCP C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
3496 ashWebSv -> 12080 TCP C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
3416 ashMaiSv -> 12110 TCP C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
3416 ashMaiSv -> 12119 TCP C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
3416 ashMaiSv -> 12143 TCP C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
0 System -> 53 UDP
0 System -> 123 UDP
3416 ashMaiSv -> 123 UDP C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
3014656 -> 137 UDP
0 System -> 137 UDP
0 System -> 138 UDP
736 abyssws -> 445 UDP E:\Abyss Web Server\abyssws.exe
1348 -> 500 UDP
640 Overseer -> 1026 UDP C:\Program Files\Sequreware\Overseer\Overseer.exe
4 System -> 1035 UDP
1544 LEXPPS -> 1041 UDP C:\WINDOWS\system32\LEXPPS.EXE
0 System -> 1042 UDP
736 abyssws -> 1055 UDP E:\Abyss Web Server\abyssws.exe
4 System -> 1372 UDP
0 System -> 1900 UDP
2716 -> 2549 UDP
2432 nessusd -> 2550 UDP C:\Program Files\Tenable\Nessus\nessusd.exe
1460 mDNSResponder -> 2551 UDP C:\Program Files\Bonjour\mDNSResponder.exe
196 avgemc -> 2552 UDP C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
3416 ashMaiSv -> 2553 UDP C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
3496 ashWebSv -> 2554 UDP C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
0 System -> 2725 UDP
3416 ashMaiSv -> 3380 UDP C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
3416 ashMaiSv -> 4500 UDP C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
0 System -> 5353 UDP
and here are the nmap results from a remote machine
Starting nmap 3.93 ( http://www.insecure.org/nmap ) at 2006-11-16 19:58 GMT Standard Time
Interesting ports on 192.168.2.3:
(The 1662 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
9999/tcp open abyss
MAC Address: ************* (Intel Corporate)
Nmap finished: 1 IP address (1 host up) scanned in 21.992 seconds
Any thoughts?
-
What did HijackThis report?
When you ran netstat earlier, it should have also listed all open connections, with both source/destination IPs followed by a : with the last number being the port that was open. Did any of those show port 21?
It's pretty odd that you have nmap reporting the port open and neither FPORT (a separate known-good binary) nor netstat sees anything. I'm also assuming your AV is up to date and you've done a full scan recently?
Would be curious to see the HijackThis results; if you don't want to post them, feel free to PM.
-
Download and install Active Ports. Run it while you try connecting
from another PC on the LAN. That should yield the .exe that's acting
as the ftp server.
You might also go over the services running on the offending PC.
Close examination should give you some clues too.
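-
Added example, not part of the original thread: the cross-check the replies above do by eye, in Python. It lists ports the remote nmap scan reports open that FPort attributes to no local process, and FPort rows with no resolved process name. The sample text is excerpted from the output posted above; the function names are this example's own.

```python
import re

# Excerpts of the FPort and nmap output posted in the thread.
FPORT_OUTPUT = """\
Pid Process Port Proto Path
736 abyssws -> 80 TCP E:\\Abyss Web Server\\abyssws.exe
1348 -> 135 TCP
4 System -> 139 TCP
4 System -> 445 TCP
736 abyssws -> 445 UDP E:\\Abyss Web Server\\abyssws.exe
"""
NMAP_OUTPUT = """\
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
"""

# The process column may be empty, so it is optional in the FPort pattern.
FPORT_ROW = re.compile(r"^(\d+)\s+(\S*?)\s*->\s+(\d+)\s+(TCP|UDP)\s*(.*)$")
NMAP_ROW = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)")

def fport_listeners(text):
    """Map (port, proto) -> list of (pid, process, path) from FPort rows."""
    owners = {}
    for line in text.splitlines():
        m = FPORT_ROW.match(line.strip())
        if m:
            pid, proc, port, proto, path = m.groups()
            owners.setdefault((int(port), proto.lower()), []).append(
                (int(pid), proc or None, path or None))
    return owners

def nmap_open_ports(text):
    """Map (port, proto) -> nmap's service guess, for rows in state 'open'."""
    rows = (NMAP_ROW.match(line.strip()) for line in text.splitlines())
    return {(int(m[1]), m[2]): m[3] for m in rows if m}

def compare(nmap_text, fport_text):
    """Return (unowned, unnamed): ports nmap sees open that FPort does not
    list, and ports FPort lists without a resolved process name."""
    owners = fport_listeners(fport_text)
    unowned = sorted(k for k in nmap_open_ports(nmap_text) if k not in owners)
    unnamed = sorted(k for k, v in owners.items()
                     if any(proc is None for _, proc, _ in v))
    return unowned, unnamed

if __name__ == "__main__":
    print(compare(NMAP_OUTPUT, FPORT_OUTPUT))
```

A port in the first list means the remote scan and the host's own socket table disagree, which is the situation the thread is chasing for 21/tcp.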