Penetration Testing mailing list archives

Is it possible for Nessus and Netstat under win2k to get confused about what is really a "listener"?


From: James Bowman <jim () drexel edu>
Date: 21 Oct 2003 10:33:03 -0000



Is it possible for Nessus and Netstat under win2k to get confused about what is really a "listener"?

Here's the scenario:

I scan a win2k IIS server using Nessus. Get back say 11 open ports. I scan it again with NMAP and get back different numbers of open ports. I then scan it again, using the NMAP capabilities under Nessus. I again get differing numbers of open ports, some ports being suspect, (e.g. TCP 1120 and 1032).

I immediately investigate the box itself using netstat -an. I see roughly 12 Listeners, some of which again have me worried, (TCP 1120, 1032).

I install fport and active ports, close some MS unneeded services, reboot and suspect ports are gone. Fport and active ports were worthless, probably due to lock down procedures.

Question is - "is it possible that Nessus and Netstat were reading an established connection or were these real listeners?"

Anyone else have a similar experience?

Searches show 1120 as possibly Netbus and 1032 as ICQ.  
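
An added example, not part of the original post: one way to separate real listeners from the local ends of established connections in `netstat -an` output and to reconcile them with a scanner's port list. The sample output, the addresses and the states shown for ports 1120 and 1032 are constructed for illustration, and `classify` and `compare` are hypothetical helper names.

```python
# Constructed sample of Windows `netstat -an` output (not taken from the post).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1032           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1120        192.0.2.50:445         ESTABLISHED
  TCP    192.0.2.10:80          192.0.2.77:3519        TIME_WAIT
  UDP    0.0.0.0:445            *:*
"""


def classify(netstat_text):
    """Return (listeners, connection_only) sets of local TCP ports.

    listeners: ports with a row in LISTENING state.
    connection_only: ports that appear only in other states (ESTABLISHED,
    TIME_WAIT, ...), i.e. one end of a connection, not a bound service.
    """
    listeners, others = set(), set()
    for line in netstat_text.splitlines():
        parts = line.split()
        # TCP rows have four columns; headers and UDP rows (no state) are skipped.
        if len(parts) != 4 or parts[0].upper() != "TCP":
            continue
        port = int(parts[1].rsplit(":", 1)[1])
        (listeners if parts[3] == "LISTENING" else others).add(port)
    return listeners, others - listeners


def compare(scanner_ports, netstat_text):
    """Reconcile a scanner's open-port set with what the host itself reports."""
    listeners, connection_only = classify(netstat_text)
    scanner_ports = set(scanner_ports)
    return {
        "confirmed": sorted(scanner_ports & listeners),
        "not_listening": sorted(scanner_ports - listeners),
        "unseen_by_scanner": sorted(listeners - scanner_ports),
        "connection_only": sorted(connection_only),
    }


if __name__ == "__main__":
    # Constructed scanner result: 1120 reported open, 1032 missed.
    for bucket, ports in compare({80, 135, 1120}, SAMPLE).items():
        print(f"{bucket:18} {ports}")
```

Ports in `not_listening` or `connection_only` are the ones to re-check on the host at the moment of the scan, since connection rows come and go between runs.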
