One thing about nmap... depending on the scan type, it will show you a port
number, protocol, its state and then give a name for a common service that
uses that port. It doesn't mean that the port is actually making use of that
port.

So, if nmap gets a response during its scan from port 31337, then it will
provide you with the above information and provide a name for some service
that COULD use that port. It doesn't mean that it IS using that port.

I did a scan of my local school network last year with nmap. On just about
every windoze box it detected, it indicated port "31337/tcp open
Backorifice". I notified the school IT guys and they looked into it and I
also asked Fyodor (the maintainer/creator of nmap) about it. He indicates
essentially what I said. If a port gives some sort of nmap-understandable
reply, then nmap will identify the port and give you the name of a service
that may use that port.

If I have port 21 open on my system, even if I am NOT running an ftp server,
and scan it with nmap, it will list "ftp" as the service associated with that
port.

In any case, it is EXTREMELY unlikely that someone would have hacked into
your friend's system so soon after an install and setup. The attacker would
first need to reconnoiter the system and then, perhaps, run a few apps/scripts
(a script kiddie activity) that exploit commonly known vulnerabilities. Once
in, the kiddie then uploads some files, etc. This takes at least SOME time.

What sort of connection does this system use? DHCP on DSL? Static IP on
DSL? Phone? Connected via a LAN?

On Wednesday 07 February 2001 10:08, dany allard you wrote:
> A friend of mine just set up his firewall with a stripped down version of
> Mandrake 7.2 using rc.firewall.
>
> The strange thing is that when I scan the machine (nmap) I see the
> following port open.
>
> 31337/tcp filtered Elite
>
> The only use I know for that port is for back doors.
[...]
--
Against stupidity, the gods themselves contend in vain.
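
Added example, not part of the original message: a Python sketch of the point made in the reply, that the service name comes from a port-number table while the listener itself may be something else. The table excerpt, the loopback listener and its greeting are constructed for illustration, and the ephemeral port stands in for port 21.

```python
import socket
import threading

# Constructed excerpt in "name port/proto" style; not the real nmap-services file.
SERVICES = """\
# name   port/proto
ftp      21/tcp
Elite    31337/tcp
"""

def load_table(text):
    """Build (port, proto) -> name, i.e. a lookup keyed only on the port number."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and not line.startswith("#"):
            port, proto = fields[1].split("/")
            table[(int(port), proto)] = fields[0]
    return table

def table_name(table, port, proto="tcp"):
    """Name a scanner prints from the port number alone; nothing is probed."""
    return table.get((port, proto), "unknown")

def read_banner(host, port, timeout=2.0):
    """Connect and return the listener's first bytes ('' if it stays silent)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            return s.recv(256).decode("latin-1").strip()
        except socket.timeout:
            return ""

def demo():
    """Run a non-FTP listener on loopback and compare table name with banner."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))            # ephemeral port stands in for 21
    srv.listen(1)
    port = srv.getsockname()[1]
    def serve():
        conn, _ = srv.accept()
        conn.sendall(b"SSH-2.0-example\r\n")  # constructed non-FTP greeting
        conn.close()
    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    table = {(port, "tcp"): "ftp"}        # assumption: treat this port as 21
    banner = read_banner("127.0.0.1", port)
    worker.join()
    srv.close()
    return table_name(table, port), banner

if __name__ == "__main__":
    print(demo())
```

On a real host, the same comparison is done by checking which process owns the listening socket rather than trusting the name in the scan output.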