[H-GEN] nmap scans
Paul Gearon
pag at PISoftware.com
Sun Dec 15 19:57:21 EST 2002
On Mon, 16 Dec 2002, Johann Kwiatkowski wrote:
<snip/>
> Then the other day I discovered nmap, and did a probe on
> what services I was actually exporting to the external interface, and
> to my horror I got this response:
>
> Port       State     Service
> 22/tcp     open      ssh
> 25/tcp     open      smtp
> 80/tcp     open      http
> 110/tcp    open      pop-3
> 139/tcp    filtered  netbios-ssn
> 443/tcp    open      https
> 12345/tcp  filtered  NetBus
> 12346/tcp  filtered  NetBus
> 31337/tcp  filtered  Elite
>
> I knew the Elite and the NetBus ones weren't meant to be there (a check
> revealed that Elite was part of a trojan involving ssh about a year ago),
> so my immediate thought was that I'd been hacked.
Things probably aren't as bad as they appear. Firstly, after nmap does a
port scan it shows the service *most often* associated with the ports that
it finds. As such, I think you'll find that you aren't actually running
NetBus and Elite. One way to find out which programs have these ports open
is to run "netstat -lp -A inet" as root. The -l option shows you all the
listening services and the -p option tells you which process is listening,
if that info is available. Unfortunately, it isn't always, but root can
normally see it. The "-A inet" option is to restrict it to only show
internet protocol ports (tcp and udp).
Next, you'll notice that these ports are marked as "filtered", not "open".
That means that no one can make a connection on these ports. I've heard
it argued that this is actually better than having a port closed because
an attempt to connect to a closed port will be immediately rejected
(allowing an attacker or script kiddy to continue on to other ports
quickly), while "filtered" ports accept the attempted connection packet
and then never respond, forcing the attacker to time out. Script kiddies
hate being slowed down like that. :-) (Of course, a real attacker would
write their own program that didn't serialise attacks like that, but
script kiddies aren't known for being bright). I'm sure such an argument
is only likely to start a debate here, which is why it's fun to mention it
;-)
Finally, if you can't track these services down, you're really upset by
them, and you *still* think it's possible that a really fast attacker is
cracking you during installation, then reinstall without being connected
to the internet, and run nmap on yourself. You might not see those
services as being "filtered" anymore (it'll depend on your iptables
rules), but if they're still there then they came with the installation.
Regards,
Paul Gearon
Software Engineer Telephone: +61 7 3876 2188
Plugged In Software Fax: +61 7 3876 4899
http://www.PIsoftware.com PGP Key available via finger
Catapultam habeo. Nisi pecuniam omnem mihi dabis, ad caput tuum saxum
immane mittam.
(Translation from latin: "I have a catapult. Give me all the money,
or I will fling an enormous rock at your head.")
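The cross-check Paul describes above, as an added example that is not part of the original post: take the port list nmap printed, ask the host itself (via "netstat -lp -A inet" run as root) what is actually listening on each one, and flag the ports that have no local owner. The nmap and netstat output below is constructed sample data modelled on the scan quoted in the thread (the PIDs and program names are made up); on a real host you would replace NETSTAT_OUT with the live command's output.

```shell
#!/bin/sh
# Added example: reconcile nmap's port list with the host's own listener table.
# Both blobs below are CONSTRUCTED sample output, not captured from a real machine.

NMAP_OUT='Port State Service
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop-3
139/tcp filtered netbios-ssn
443/tcp open https
12345/tcp filtered NetBus
12346/tcp filtered NetBus
31337/tcp filtered Elite'

# Constructed stand-in for: netstat -lp -A inet   (run as root so -p can show PIDs)
NETSTAT_OUT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      701/master
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      833/apache
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN      905/ipop3d
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      833/apache'

# nmap_ports STATE: tcp port numbers that nmap reported in STATE (open, filtered, ...).
nmap_ports() {
    printf '%s\n' "$NMAP_OUT" |
        awk -v st="$1" '$2 == st && $1 ~ /\/tcp$/ { sub(/\/tcp$/, "", $1); print $1 }'
}

# local_listener PORT: "PID/program" of the local tcp listener on PORT, or "-" if none.
# The local address is the 4th netstat column; the port is whatever follows the last ':'.
local_listener() {
    printf '%s\n' "$NETSTAT_OUT" |
        awk -v p="$1" '
            $1 == "tcp" && $6 == "LISTEN" {
                n = split($4, a, ":")
                if (a[n] == p) { print $7; found = 1 }
            }
            END { if (!found) print "-" }'
}

# verdict: one line per scanned tcp port saying who, if anyone, owns it locally.
# nmap's "Service" column is only a well-known-port guess, so the owner column,
# not the service name, is what tells you whether NetBus or Elite is really there.
verdict() {
    printf '%s\n' "$NMAP_OUT" |
        awk 'NR > 1 && $1 ~ /\/tcp$/ { print $1, $2 }' |
        while read -r portproto state; do
            port=${portproto%/tcp}
            owner=$(local_listener "$port")
            if [ "$owner" = "-" ]; then
                if [ "$state" = "filtered" ]; then
                    note="no local listener; filtered by the packet filter, name is nmap's default guess"
                else
                    note="no local listener found but port is open: investigate"
                fi
            else
                note="owned by $owner"
            fi
            printf '%-6s %-9s %s\n' "$port" "$state" "$note"
        done
}

verdict
```

On the sample data the four "filtered" ports (139, 12345, 12346, 31337) come back with no local owner, which is the situation in the thread: nothing is listening there, the firewall is simply dropping the probes, and "NetBus" and "Elite" are just nmap's port-number lookup. If a port shows up as open with no owner, that is the case worth chasing, since it means either -p could not see the process or something is listening that netstat on this host does not report.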