
Thread: What are those ports for ??

  1. #1
    Moderator
    Good Guru
    Compunuts's Avatar
    Join Date
    May 2001
    Location
    California
    Posts
    3,935

    What are those ports for ??

    The following is the result of a scan for the host under my care.

    Code:
    (The 1532 ports scanned but not shown below are in state: closed)
    Port    State    Service
    12/tcp   filtered  unknown         
    22/tcp   open    ssh           
    25/tcp   open    smtp          
    80/tcp   open    http          
    192/tcp  filtered  osu-nms         
    1524/tcp  filtered  ingreslock       
    12345/tcp filtered  NetBus         
    12346/tcp filtered  NetBus         
    27665/tcp filtered  Trinoo_Master      
    31337/tcp filtered  Elit
    So the ports that are here as "filtered" are the hosts that had been denied with the following rule sets.

    Example code;
    Code:
    $IPCHAINS -A input -p tcp -s $REMOTENET -d $OUTDERNET 1524 -j DENY -l
    So it showed up as "filtered". I tried that with a few ports and it all showed up as "filtered". What if I don't want them to show up as "filtered" when I scan but would also like to put in the chain to make sure I'm blocking them ??

    Or is it that someone had already hacked it and is leaving those ports temporarily blocked??
    What do you guys think??

    I'm using "pmfirewall" BTW.

    TIA.

  2. #2

    Re: What are those ports for ??

    As far as I know, Netbus is a cousin to Back Orifice and Trinoo Master is akin to Tribal Flood Network, which is a DDoS tool. If those are really on that box, I would be a little worried. If I were you, I would think about reinstalling the box, then writing your own iptables rules that block everything by default and allow only that which is explicitly allowed. Also, make sure you are current on all versions of patches for all apps, be they network or local.

  3. #3
    Compunuts

    Re: What are those ports for ??

    Well, first of all, this box is a Debian GNU/Linux box so I'm not so sure what this Netbus is doing there.... Other than that, I run apt-get update once every two days or so ... so I think I'm pretty up to date. I also do not have a lot of software on this box ( it's strictly a gateway box with some HTTP and SSH ) so it's fairly easy to keep an eye on.

    Thanks for your input.

  4. #4

    Re: What are those ports for ??

    Quote:
        Well, first of all, this box is a Debian GNU/Linux box so I'm not so sure what this Netbus is doing there

    That is odd. I didn't even think of what OS you might be running. They could very well be false positives, or misidentified services (which is most likely the case). However, these are a lot of high-numbered ports to have open, especially if you don't know what's running on them. Just for kicks, why not log all IP packets destined for those ports? If you truly have a trinoo master running on your box, then someone must be trying to connect to it from its client program (the trinoo client signals the trinoo master, which then launches a DOS attack against a third party). Chances are that the logged packets will come from the jerk that is messing with your box and will not be spoofed. Keep your logs and email them to your ISP's net abuse team.

  5. #5

    Re: What are those ports for ??

    One more time someone misreads nmap output !
    Everything is 100% all right.
    If you DENY access to a port it means there will be no packets sent back to the scanning host. Normally a closed port replies to a TCP scan with a TCP packet with RST flag set. If you want this behaviour, use REJECT instead of DENY. nmap is intelligent enough to identify a port as filtered when no packets come back from it, but the host is surely up (e.g. replied to a ping probe or sent an RST packet from any other port).
    Ports marked as filtered are closed.

    I recommend # man nmap before using.

  6. #6
    Compunuts

    Re: What are those ports for ??


    Quote:
        One more time someone misreads nmap output !
    That's why I asked, right??

    Quote:
        Everything is 100% all right.
    That's definitely a good thing to hear ....

    Quote:
        If you DENY access to a port it means there will be no packets sent back to the scanning host. Normally a closed port replies to a TCP scan with a TCP packet with RST flag set.
    So the basic idea is that if the scanner received reset, then it's closed. Otherwise, it's open ??

    Quote:
        If you want this behaviour, use REJECT instead of DENY.
    What would a DROP do? Would this also create a FILTERED PORT??

    Quote:
        nmap is intelligent enough to identify a port as filtered when no packets come back from it, but the host is surely up (e.g. replied to a ping probe or sent an RST packet from any other port).
    That's why Nmap is so popular.

    Quote:
        Ports marked as filtered are closed.
    That's what I wanted to know. Thank you.

    Quote:
        I recommend # man nmap before using.
    I did but still there is so much $hit to learn ..... ;D

  7. #7

    Re: What are those ports for ??



    Quote:
        So the basic idea is that if the scanner received reset, then it's closed. Otherwise, it's open ??

    When the protocol used is TCP (it's different for UDP !):
    - If the scanner received a packet with RST flag set (and correct sequence numbers) then the port is closed.
    - If the scanner received a packet with SYN and ACK flags set (and ...) then the port is open.
    - If the scanner didn't receive anything back then it doesn't know whether the port is open or closed, assumes existence of a packet filter and marks the port as filtered, therefore unreachable.
    - If the scanner received a packet with any other combination of flags or bad sequence numbers, then it's utterly confused (in fact I have no idea what nmap does in such a situation).

    Quote:
        What would a DROP do? Would this also create a FILTERED PORT??

    DROP is the IPTables equivalent of DENY - a TCP port would show up as filtered.

    hth
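
The decision rules in post #7, written out as an added example (not part of the thread and not nmap's code): it classifies the reply to one TCP SYN probe from the raw TCP header bytes. The function names, the "unknown" label for the confused case, and the sample packets are assumptions constructed for illustration.

```python
import struct

# TCP flag bits as they appear in the low bits of header bytes 12-13
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_tcp_header(sport, dport, seq, ack, flags, window=0):
    """Pack a minimal 20-byte TCP header (checksum 0) for constructed samples."""
    offset_flags = (5 << 12) | flags  # data offset of 5 words, no options
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       offset_flags, window, 0, 0)


def classify_reply(probe_sport, probe_dport, probe_seq, reply):
    """Return 'open', 'closed', 'filtered' or 'unknown' for one SYN probe.

    reply is the TCP header of the answer, or None if the probe timed out.
    """
    if reply is None:
        # DENY/DROP: nothing comes back, so a packet filter is assumed
        return "filtered"
    if len(reply) < 20:
        return "unknown"
    sport, dport, _seq, ack, offset_flags = struct.unpack("!HHIIH", reply[:14])
    flags = offset_flags & 0x3F
    # The answer must come from the probed port back to our source port
    if sport != probe_dport or dport != probe_sport:
        return "unknown"
    # "Correct sequence numbers": the reply acknowledges our SYN (seq + 1)
    if ack != (probe_seq + 1) & 0xFFFFFFFF:
        return "unknown"
    if flags & RST:
        return "closed"
    if (flags & (SYN | ACK)) == (SYN | ACK):
        return "open"
    return "unknown"


def demo():
    """Classify constructed replies to probes sent from port 40000, seq 1000."""
    samples = [
        (22, build_tcp_header(22, 40000, 5555, 1001, SYN | ACK)),
        (1, build_tcp_header(1, 40000, 0, 1001, RST | ACK)),
        (1524, None),  # matches the DENY rule for 1524 in post #1
        (80, build_tcp_header(80, 40000, 7, 4242, SYN | ACK)),  # bad ack
    ]
    return [(port, classify_reply(40000, port, 1000, r)) for port, r in samples]


if __name__ == "__main__":
    for port, state in demo():
        print(f"{port}/tcp {state}")
```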

  8. #8
    Compunuts

    Re: What are those ports for ??


    Great information andrzej. Appreciated.

    I now know why those ports show up as filtered. Since I use pmfirewall, the author included those ports rules in the rules set. When I disabled them ( by commenting out temporarily ), the filtered ports disappeared.

    Great ... Thanks again... both of you.
