Re: Strange open ports on windows machines

[Mikael Olsson <mikael.olsson () enternet se>]

First off:
I'm assuming that you did your scan across the internet, and that you passed
a screening router on the way (maybe your OWN packet screening router?)

Comments inline...

Christoph Schneeberger wrote:
> Hi,
>
> I'm sorry if this is complete stupid but I can't explain what's going on.
>
> While scanning a customers public corporate website (on request) with nmap
> (2.3BETA6 and 2.02) I found the following open ports:
> Port    State       Protocol  Service
> 21      open        tcp       ftp
> 25      open        tcp       smtp
> 80      open        tcp       http
> 135     open        tcp       loc-srv
> 139     open        tcp       netbios-ssn
> 443     open        tcp       https
> 465     open        tcp       smtps
> 1027    open        tcp       unknown
> 1030    open        tcp       iad1
> 12345   filtered    tcp       NetBus
          ^^^^^^^^^
Notice "filtered", that means that nmap is not getting ANY responses back from that port
(ie DROP rather than REJECT on a firewall ruleset).
This does NOT mean it is open, or that there's something running on the port

> and udp:
> Port    State       Protocol  Service
> 135     open        udp       loc-srv
> 137     open        udp       netbios-ns
> 138     open        udp       netbios-dgm
> 31337   open        udp       BackOrifice
          ^^^^^

I'm betting this is a false positive actually... They are probably DROPping all packets
to 31337 in their firewall, that's why nmap thinks that the ports are open.
You detect "open" UDP ports by NOT getting an "ICMP_UNREACH" message when you send
data on it; this is exactly what happens if the packets get DROPped by the firewall.

> -Connected with telnet to port 12345 of that machine and expected a banner
>         No luck (probably it has IP restrictions, a feature of netbus)

I'm betting the firewall had your packets for breakfast; they didn't even get
close to the actual server. Did you try this from the local net or did you do
it through the firewall/router?

> -Checking Registry and Disk for known malicious executables
>         No luck

Maybe 'cause they're not there? :-)

> -Checking services and running process for unknown things
>         Nothing strange or special (screenshot available)
> -Installing Norman Data Defense AntiVirus with latest definitions
>         Nothing found
> -Removing Norman and installing the latest Norton Antivirus for NT with
> latest definitions
>         Nothing found
> -Running netstat -an on the server in question
>         The two ports 12345 tcp and 31337 udp where not shown, all other listening
> services were shown as expected.

Hummm.. I'm about to reach a conclusion :-)

> -installing Back Orificer Friendly from http://www.nfr.net/bof/ on the
> server (I hoped it would complain not being able to listen to 31337 udp)
>         Started and did not complain
> -I then connected to the server with 'netcat -u 31337' and typed some
> random chars which should normally trigger bof to pop-up and notify the user
>         Nothing happened, all other ports like i.e. pop3 triggered bof immediately
>
> So, am I missing a chapter or does this look like something really strange ?
> What next steps would one take now ?

Do your nmap scan from the same LAN that the server is on, compare the scans.


-- 
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46 (0)660 105 50           Fax: +46 (0)660 122 50
Mobile: +46 (0)70 248 00 33
WWW: http://www.enternet.se        E-mail: mikael.olsson () enternet se