Firewall Wizards mailing list archives
Re: Strange open ports on windows machines
From: Mikael Olsson <mikael.olsson () enternet se>
Date: Mon, 25 Oct 1999 14:39:17 +0200
First off: I'm assuming that you did your scan across the internet, and that you passed a screening router on the way (maybe your OWN packet screening router?)

Comments inline...

Christoph Schneeberger wrote:
Hi, I'm sorry if this is completely stupid but I can't explain what's going on.

While scanning a customer's public corporate website (on request) with nmap (2.3BETA6 and 2.02) I found the following open ports:

Port    State     Protocol  Service
21      open      tcp       ftp
25      open      tcp       smtp
80      open      tcp       http
135     open      tcp       loc-srv
139     open      tcp       netbios-ssn
443     open      tcp       https
465     open      tcp       smtps
1027    open      tcp       unknown
1030    open      tcp       iad1
12345   filtered  tcp       NetBus
        ^^^^^^^^^

Notice "filtered", that means that nmap is not getting ANY responses back from that port (i.e. DROP rather than REJECT on a firewall ruleset). This does NOT mean it is open, or that there's something running on the port.
and udp:

Port    State     Protocol  Service
135     open      udp       loc-srv
137     open      udp       netbios-ns
138     open      udp       netbios-dgm
31337   open      udp       BackOrifice
        ^^^^^

I'm betting this is a false positive actually... They are probably DROPping all packets to 31337 in their firewall, that's why nmap thinks that the ports are open. You detect "open" UDP ports by NOT getting an "ICMP_UNREACH" message when you send data on it; this is exactly what happens if the packets get DROPped by the firewall.
-Connected with telnet to port 12345 of that machine and expected a banner
 No luck (probably it has IP restrictions, a feature of netbus)
I'm betting the firewall had your packets for breakfast; they didn't even get close to the actual server. Did you try this from the local net or did you do it through the firewall/router?
-Checking Registry and Disk for known malicious executables
 No luck
Maybe 'cause they're not there? :-)
-Checking services and running process for unknown things
 Nothing strange or special (screenshot available)
-Installing Norman Data Defense AntiVirus with latest definitions
 Nothing found
-Removing Norman and installing the latest Norton Antivirus for NT with latest definitions
 Nothing found
-Running netstat -an on the server in question
 The two ports 12345 tcp and 31337 udp were not shown, all other listening services were shown as expected.
Hummm.. I'm about to reach a conclusion :-)
-Installing Back Officer Friendly from http://www.nfr.net/bof/ on the server (I hoped it would complain not being able to listen to 31337 udp)
 Started and did not complain
-I then connected to the server with 'netcat -u 31337' and typed some random chars which should normally trigger bof to pop-up and notify the user
 Nothing happened, all other ports like i.e. pop3 triggered bof immediately

So, am I missing a chapter or does this look like something really strange? What next steps would one take now?
Do your nmap scan from the same LAN that the server is on, compare the scans.

--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46 (0)660 105 50 Fax: +46 (0)660 122 50
Mobile: +46 (0)70 248 00 33
WWW: http://www.enternet.se E-mail: mikael.olsson () enternet se
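The scan comparison suggested in the reply above, as an added example that is not part of the original post: it parses the "Port State Protocol Service" rows from an Internet-side and a LAN-side scan and labels which external results reflect a listening service and which are artifacts of packets being dropped in the path. The external rows are a subset of those quoted in the thread; the LAN rows, the function names and the verdict strings are constructed for illustration, and the LAN scan is assumed to cover the same ports with no filter in between.

```python
import re

# One row of the "Port State Protocol Service" table quoted in the post.
ROW = re.compile(r"^\s*(\d+)\s+(open|filtered)\s+(tcp|udp)\s+\S+\s*$")

def parse(report):
    """Map (port, protocol) -> state for every table row in a scan report."""
    return {(int(m[1]), m[3]): m[2]
            for m in map(ROW.match, report.splitlines()) if m}

def reconcile(external, lan):
    """Label each externally reported port using the LAN-side scan.

    Assumption: the LAN scan probed the same ports with no filter in the
    path, so a port missing from it answered RST / ICMP unreachable (closed).
    """
    inside = parse(lan)
    verdicts = {}
    for key, state in parse(external).items():
        if inside.get(key) == "open":
            verdicts[key] = "listening"
        elif state == "filtered":
            verdicts[key] = "dropped in path, not listening"
        elif key[1] == "udp":
            # "open" UDP only means no ICMP unreachable came back.
            verdicts[key] = "false positive: probe dropped, no ICMP unreachable"
        else:
            verdicts[key] = "mismatch: check what answers in the path"
    return verdicts

# Subset of the rows quoted in the post (scan across the Internet).
EXTERNAL = """\
Port State Protocol Service
80 open tcp http
139 open tcp netbios-ssn
12345 filtered tcp NetBus
137 open udp netbios-ns
31337 open udp BackOrifice
"""

# Constructed sample: what a scan from the server's own LAN might report.
LAN = """\
80 open tcp http
139 open tcp netbios-ssn
137 open udp netbios-ns
"""

if __name__ == "__main__":
    for key, verdict in sorted(reconcile(EXTERNAL, LAN).items()):
        print(key, verdict)
```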