On Sun, 2002-06-09 at 16:19, Terry Browning wrote: > Also, `nmap -sS -p 1-65535 127.0.0.1` says: > 8000/tcp open unknown > 8200/tcp open unknown > 10000/tcp open unknown > > and `nmap -sS -P0 -p 1-65535 <my ppp0 ipaddress>` says: > All 65535 scanned ports on (...) are: filtered > > Is that a good sign? Has nmap been fooled by an LKM? Have I wasted time > chasing my tail?
One thing I forgot to mention in my last mail - I have seen an attacker be tricky enough to set up firewall rules that only allowed their machine to connect to their backdoor, so it wouldn't show up on a scan. Not common, but I've seen it. Matt
