I figured out what is going on. I wasn't understanding the nmap output correctly. "filtered" doesn't mean that it has some special status on the router, i.e., that it is "open" in some way. It just means that it is blocked by some other networking gear between the router I am trying to test and the machine I am testing it from. I would guess that it is being filtered by my cable modem provider.
Now it makes sense why http also shows up as "filtered" since they don't let that through either. Thanks everyone for your help. I feel better now that I figured out what was going on.

Best,
Justin

Nathan Kennedy wrote:
> Running chkrootkit is the right thing to do. Maybe Justin's system is
> hacked?
>
> -ntk
>
>> Strange, my nmap looks like this:
>>
>> nmap -p 1-40000 deleuze.hcoop.net
>>
>> Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2007-03-29
>> 18:46 CEST
>> Interesting ports on deleuze.hcoop.net (69.90.123.67):
>> Not shown: 39984 closed ports
>> PORT     STATE SERVICE
>> 21/tcp   open  ftp
>> 23/tcp   open  telnet
>> 25/tcp   open  smtp
>> 53/tcp   open  domain
>> 70/tcp   open  gopher
>> 111/tcp  open  rpcbind
>> 113/tcp  open  auth
>> 389/tcp  open  ldap
>> 749/tcp  open  kerberos-adm
>> 935/tcp  open  unknown
>> 993/tcp  open  imaps
>> 995/tcp  open  pop3s
>> 1053/tcp open  unknown
>> 2105/tcp open  eklogin
>> 2222/tcp open  unknown
>> 3306/tcp open  mysql
>>
>> Nmap finished: 1 IP address (1 host up) scanned in 425.651 seconds
>>
>>
>> nmap mire.hcoop.net
>>
>> Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2007-03-29
>> 18:54 CEST
>> Interesting ports on 69.90.123.68:
>> Not shown: 1673 closed ports
>> PORT    STATE SERVICE
>> 22/tcp  open  ssh
>> 53/tcp  open  domain
>> 80/tcp  open  http
>> 111/tcp open  rpcbind
>> 113/tcp open  auth
>> 443/tcp open  https
>> 875/tcp open  unknown
>>
>> Nmap finished: 1 IP address (1 host up) scanned in 36.929 seconds
>>
>>
>> There's no mention of the subseven port.. And nothing is bound to it
>> on deleuze. (sudo fuser -v -n tcp PORT ).
>>
>> I also downloaded and ran chkrootkit (something I do periodically on
>> all machines), and there's nothing suspicious.
>>
>> Is it possible that you somehow misinterpreted the results? Say, by
>> your workstation's strange interaction with firewalls/whatever on
>> your outgoing link?
>>
>> If you run the scan again, and you see the same things, then it's a
>> quirk on your end.
>>
>>> Also deleuze reports telnet being open, which doesn't seem necessary.
>>> Telnetting to the machine gives me the following message (machine being
>>> reported as deleuze.phq.org. because of my local network setup):
>>>
>>> [EMAIL PROTECTED] ~]$ telnet deleuze
>>> Trying 69.90.123.67...
>>> Connected to deleuze.phq.org (69.90.123.67).
>>> Escape character is '^]'.
>>> telnetd: No authentication provided.
>>> Connection closed by foreign host.
>>>
>> Disabled in inetd.conf, along with kshell and klogin.. I am not sure
>> but those might have been enabled when you installed openbsd-inetd.
>>
>> -doc
>>
>> _______________________________________________
>> HCoop-SysAdmin mailing list
>> [email protected]
>> http://hcoop.net/cgi-bin/mailman/listinfo/hcoop-sysadmin
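
An added example, not part of the thread: one way to automate the cross-check suggested above, by parsing nmap's "PORT STATE SERVICE" table from two vantage points and reporting what the second one saw for every port the first one shows as "filtered". The function names, the placeholder host `target.example`, and both sample scans are constructed for illustration.

```python
import re

# One row of nmap's normal output, e.g. "80/tcp filtered http".
PORT_ROW = re.compile(r"^(\d+)/(?:tcp|udp)\s+(\S+)\s+\S+")

def parse_nmap(text):
    """Map port number -> state from a 'PORT STATE SERVICE' table."""
    states = {}
    for line in text.splitlines():
        m = PORT_ROW.match(line.strip())
        if m:
            states[int(m.group(1))] = m.group(2)
    return states

def explain_filtered(scan_a, scan_b):
    """For every port 'filtered' from vantage A, report what vantage B saw.

    Assumes B scanned a range covering those ports and that its unlisted
    ports were summarised as closed ("Not shown: N closed ports").
    """
    a, b = parse_nmap(scan_a), parse_nmap(scan_b)
    result = {}
    for port in sorted(p for p, s in a.items() if s == "filtered"):
        seen_b = b.get(port, "closed")
        if seen_b == "filtered":
            verdict = "probes dropped on both paths; filter may sit near the host"
        else:
            verdict = "probes dropped only on A's path; host state is " + seen_b
        result[port] = (seen_b, verdict)
    return result

# Constructed sample scans of a placeholder host, not output from the thread.
SCAN_HOME = """\
Interesting ports on target.example (192.0.2.10):
PORT      STATE    SERVICE
21/tcp    open     ftp
25/tcp    filtered smtp
80/tcp    filtered http
27374/tcp filtered subseven
"""
SCAN_REMOTE = """\
Interesting ports on target.example (192.0.2.10):
Not shown: 39998 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
25/tcp open  smtp
"""

if __name__ == "__main__":
    for port, (_, verdict) in explain_filtered(SCAN_HOME, SCAN_REMOTE).items():
        print(f"{port}/tcp: {verdict}")
```

The second vantage point only settles the question when it scanned the same port range; checking what is bound on the host itself (as done above with `fuser`) remains the authoritative answer.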
