Security Basics mailing list archives

RE: Data Interpretation


From: Javier Becerra <JBecerra () newnetsa com>
Date: Mon, 16 Mar 2009 17:01:03 -0500

Hi Michael. Several malware programs use ports to communicate with attackers. In the example you show 
us, NMAP finds the SUBSEVEN, NETBUS and Elite default ports, but their state is "Filtered", which means some kind of 
firewall or router is blocking them, so don't worry about it. If these ports were in the "Open" state, you would be in big 
trouble.

Javier Becerra Garavito
Senior Security Consultant
NewNet S.A.
Tel. (57) 4173400 Ext. 1221
Fax: (57) 4173400 Ext. 136
Mobile: (57) 3105757390
Av. Calle 17 Nº 60-72


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On behalf of Michael Lynch
Sent: Monday, March 16, 2009 03:28 p.m.
To: security-basics () securityfocus com
Subject: Data Interpretation


Hello,

First of all, let me start by saying that
I have 4 days of experience with nmap.

Last week a friend suggested that I download
and try nmap, at his suggestion I tried nmap
and found it very interesting.
After installation I tried a scan on a Linux computer
that I have, to test it out.
I found a few results that caught my eye, but I
cannot correctly interpret the results.
Could someone help me with the interpretation?



Here is what is in question!

Port  Protocol  State     Service

12345 tcp       filtered  netbus
27374 tcp       filtered  subseven
31337 tcp       filtered  Elite


Here is the command that I used:
nmap -PE -v -p1-65535 -PA21,23,80,3389 -A -T4 xxx.xxx.xxx.xxx  (XXX.= my IP address)

I initiated this scan using the Zenmap GUI

I know that all the services listed here are backdoor style breaches,
but does this mean that the machine has been infected by these or
that there has been an attempted attack with these?
Could someone please help me with this?


Thanks in advance,
Michael
------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Find the source of cybercrime! Almost every crime today involves a computer or mobile device. Learn how to become a 
Computer Forensics Examiner in InfoSec Institute's hands-on Computer Forensics Course. Up to three industry recognized 
certs available, online computer forensics training available.

http://www.infosecinstitute.com/courses/computer_forensics_training.html
------------------------------------------------------------------------


"This message is confidential and may contain privileged information, it may not be used or disclosed by any person 
other than the individual to whom it is addressed. If obtained in error, please destroy the information received and 
contact the sender. Its retention, recording, use or distribution with any intention are prohibited.


This message has been tested by antivirus software. Nonetheless, NewNet S.A. assumes no responsibility for damages 
caused by the receipt or use of the material, given that it is the responsibility of the addressee to verify by his own 
means the presence of a virus or any other harmful defect."
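
The difference between the "filtered" and "open" states discussed in this thread, as an added example that is not part of the original messages: `probe` classifies a port from how a TCP connect attempt ends, and `has_local_listener`, meant to be run on the scanned machine itself, checks whether any process actually holds the port. The function names and the 2-second timeout are assumptions of this example; the ports and service names are those in the scan table.

```python
import errno
import socket

# Port -> name as printed in the scan table. For ports that are not open, nmap
# takes the name from its port/service list; it is a label for the port number,
# not an identification of a running program.
TROJAN_DEFAULTS = {12345: "netbus", 27374: "subseven", 31337: "Elite"}


def probe(host, port, timeout=2.0):
    """Remote view: classify a TCP port from how the connect attempt ends."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"      # handshake completed: a process is listening
        except ConnectionRefusedError:
            return "closed"    # host answered with RST: nothing is listening
        except OSError:
            return "filtered"  # timeout or ICMP error: the probe was dropped


def has_local_listener(port):
    """Local view (IPv4 only), run on the scanned host: is the port in use?"""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind(("0.0.0.0", port))
            return False       # bind succeeded, so no process holds the port
        except OSError as exc:
            if exc.errno == errno.EADDRINUSE:
                return True
            raise              # e.g. permission problems: do not guess


def triage(host, ports=TROJAN_DEFAULTS):
    """Return {port: (name, remote state, local listener present)}."""
    return {
        port: (name, probe(host, port), has_local_listener(port))
        for port, name in ports.items()
    }


if __name__ == "__main__":
    # Assumes the script runs on the machine that was scanned.
    for port, (name, state, listener) in triage("127.0.0.1").items():
        print(f"{port}/tcp {state:<8} {name:<9} local listener: {listener}")
```

A "filtered" result only says the probe got no usable answer, so the local check is what shows whether anything is bound to the port.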
