-
August 23rd, 2003, 05:56 AM
#1
Senior Member
weird nmap scan
Hey guys, I have a question. I scanned a friend's computer and got this.
Starting nmap V. 3.00 ( www.insecure.org/nmap )
Interesting ports on
(The 65487 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
69/tcp filtered tftp
110/tcp open pop-3
111/tcp filtered sunrpc
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
449/tcp filtered as-servermap
513/tcp filtered login
514/tcp filtered shell
515/tcp filtered printer
555/tcp filtered dsf
1243/tcp filtered unknown
2049/tcp filtered nfs
2772/tcp filtered unknown
2773/tcp filtered unknown
3129/tcp filtered unknown
4045/tcp filtered lockd
4444/tcp filtered krb524
6669/tcp filtered unknown
6670/tcp filtered unknown
6711/tcp filtered unknown
6712/tcp filtered unknown
6776/tcp filtered unknown
6969/tcp filtered acmsoda
7000/tcp filtered afs3-fileserver
7100/tcp filtered font-service
7215/tcp filtered unknown
12345/tcp filtered NetBus
12346/tcp filtered NetBus
16660/tcp filtered unknown
16959/tcp filtered subseven
21544/tcp filtered unknown
23456/tcp filtered unknown
27374/tcp filtered subseven
27665/tcp filtered Trinoo_Master
30100/tcp filtered unknown
31337/tcp filtered Elite
31789/tcp filtered unknown
33270/tcp filtered unknown
39168/tcp filtered unknown
50505/tcp filtered unknown
54283/tcp filtered unknown
54320/tcp filtered bo2k
54321/tcp filtered unknown
65000/tcp filtered unknown
Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20
Nmap run completed -- 1 IP address (1 host up) scanned in 565 seconds
Is it just me, or are some of those backdoors supposed to be for Windows?
-
August 23rd, 2003, 06:13 AM
#2
Ugh.... I can hardly imagine there being that much running on maybe one single home user machine. I bet he's probably running some kinda IDS... you can make those show up as just about anything... plus I've been seeing a lot of programs (mainly games) using just about any port they feel like communicating with... but either way, have you just simply told/asked the guy about it?
-
August 23rd, 2003, 12:44 PM
#3
Remember, NMAP has no way of *truly* knowing what is running on those ports. It reads a database that has records of what typically listens on those ports. Until you actually walk up to the box and verify what it is, for all you know a webserver could be running on any of the trojan ports.
Take a closer look at the list. Port state "filtered" appears for many of the ports. Filtered means that a firewall, filter, or other network obstacle is covering the port and preventing nmap from determining whether the port is open. These ports will more than likely be unreachable anyway.
Also, I'd upgrade to NMAP 3.30. It has more fingerprint definitions and some bug fixes.
http://www.insecure.org/
--TH13
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
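An added example, not part of any post in this thread: a short Python parser for the port table format shown in post #1, separating ports where a listener answered from ports whose probes were blocked, following the explanation of "filtered" above. The function names are illustrative and the sample rows are an excerpt of that scan.

```python
import re
from collections import defaultdict

# Excerpt of the scan output from post #1 (nmap 3.00 text format).
SCAN = """\
Port State Service
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
69/tcp filtered tftp
110/tcp open pop-3
12345/tcp filtered NetBus
27374/tcp filtered subseven
31337/tcp filtered Elite
54320/tcp filtered bo2k
"""

# One table row: port/protocol, state, service label.
ROW = re.compile(r"^(\d{1,5})/(tcp|udp)\s+(\S+)\s+(\S+)\s*$")

def parse_ports(text):
    """Return {state: [(port, proto, label), ...]} from an nmap port table."""
    by_state = defaultdict(list)
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header, banner or summary line
        port, proto, state, label = m.groups()
        by_state[state].append((int(port), proto, label))
    return dict(by_state)

def triage(text):
    """Split rows into what the scan established and what it did not."""
    ports = parse_ports(text)
    return {
        # A listener answered. The label is still only the usual
        # name for that port number, not the identified program.
        "answered": [p for p, _, _ in ports.get("open", [])],
        # Probes were blocked in transit; nothing is known about a listener.
        "unknown": [p for p, _, _ in ports.get("filtered", [])],
    }

if __name__ == "__main__":
    result = triage(SCAN)
    print("listener confirmed:", result["answered"])
    print("blocked, no conclusion:", result["unknown"])
```
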
-
August 23rd, 2003, 04:07 PM
#4
Senior Member
Thanks. And yeah, I did ask the guy immediately when I saw all that stuff; he just said "I dunno". But he is a game freak and plays just about every major game out, so that is probably it. Thanks for your help.
-
August 24th, 2003, 01:05 AM
#5
I can't believe no one suggested it was a honey pot. It could be it scanned a router or something in between him and the guy he was scanning, and hit a router that was a honey pot, meaning it sucks "script kiddies" and "hackers" in, making them think all these ports are open.
-
August 24th, 2003, 07:42 AM
#6
As TH13 noted, the ports are in state 'Filtered'; what this really means is the packets are being rejected, not just dropped. So:
A. He has a weird ass firewall running.
B. His ISP is blocking well known trojan ports at their perimeter to avoid problems for their customers (which is what I believe is happening).
C. Something else I didn't think of.
-Maestr0
"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier
-
August 24th, 2003, 11:32 AM
#7
Tsk, tsk. Micro 
I can't believe no one suggested it was a honey pot, it could be it scanned a router or something in between him...
Filtered means that a firewall, filter, or other network obstacle is covering the port...
It's ok, brain farts hit me every now and then too.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
August 24th, 2003, 11:36 PM
#8
Tsk, tsk. Micro
quote:
I can't believe no one suggested it was a honey pot, it could be it scanned a router or something in between him...
quote:
Filtered means that a firewall, filter, or other network obstacle is covering the port...
It's ok, brain farts hit me every now and then too.
Pffft, I didn't have a brain fart, I didn't read your post, I just kinda skimmed over it! 
Besides, you never really said honeypot, but, I'm pretty sure that's what he is scanning...
-
August 25th, 2003, 04:02 AM
#9
Originally posted here by Maestr0
A. He has a weird ass firewall running,
B. His ISP is blocking well known trojan ports at their perimeter to avoid problems for their customers (which is what I believe is happening).
C. Something else I didn't think of. 
I guess the answer is B.
My ISP filters that kind of port..... so if it is port scanned, it will show filtered, although that PC doesn't have that port open.