RE: strange flickering ports
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi there are known bugs like this in nmap. But this should only apear when using nmap local. Michael Schwarzbach +--+ | /"\ | | \ / | | X ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL | | / \ | `~~' > -Original Message- > From: John Ferlito [mailto:[EMAIL PROTECTED] > Sent: Montag, 18. Juni 2001 09:21 > To: Sebastiaan > Cc: [EMAIL PROTECTED]; debian-security@lists.debian.org > Subject: Re: strange flickering ports > > > On Mon, Jun 18, 2001 at 09:14:54AM +0200, Sebastiaan wrote: > > >Hi... > > > > > >I have a box with something listening to "flickering" ports. > > >nmap reports various random ports open from run to run. I can't > > >telnet to them and ID w/ netstat, because they're gone the > > >instant nmap finds them. > > Hi, > > > > I have this regularily too. I would like to see this explained, > > but perhaps it is just an error in nmap? > > I've seen this too. My inital guess was that these were incoming > ftp ports from active ftp sessions but that didn't really make > sense on this particular box. Then I think I upgraded nmap and the > problem seemed to go away. > > > > > Greetz, > > Sebastiaan > > > > > > > > > > -- > > NT is the OS of the future. The main engine is the 16-bit > > Subsystem > > (also called MS-DOS Subsystem). Above that, there is the > > windoze 95/98 > > 16-bit Subsystem. Anyone can see that 16+16=32, so windoze NT > > is a > > *real* 32-bit system. > > > > > > > > -- > > To UNSUBSCRIBE, email to [EMAIL PROTECTED] > > with a subject of "unsubscribe". Trouble? Contact > [EMAIL PROTECTED] > > -- > John Ferlito > Senior Engineer - Bulletproof Networks > ph: +61 (0) 410 519 382 > http://www.bulletproof.net.au/ > > > -- > To UNSUBSCRIBE, email to [EMAIL PROTECTED] > with a subject of "unsubscribe". Trouble? Contact > [EMAIL PROTECTED] -BEGIN PGP SIGNATURE- Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com> iQA/AwUBOy3PWAUqVktPGYHYEQJhuwCgsyj+4xlsY4NXApioM6oQ40fCWW8AoOMW SdtJmumTCipJ8HfmQGIuaLDQ =S+q1 -END PGP SIGNATURE-
RE: strange flickering ports
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hi there are known bugs like this in nmap. But this should only apear when using nmap local. Michael Schwarzbach +--+ | /"\ | | \ / | | X ASCII RIBBON CAMPAIGN - AGAINST HTML MAIL | | / \ | `~~' > -Original Message- > From: John Ferlito [mailto:[EMAIL PROTECTED]] > Sent: Montag, 18. Juni 2001 09:21 > To: Sebastiaan > Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] > Subject: Re: strange flickering ports > > > On Mon, Jun 18, 2001 at 09:14:54AM +0200, Sebastiaan wrote: > > >Hi... > > > > > >I have a box with something listening to "flickering" ports. > > >nmap reports various random ports open from run to run. I can't > > >telnet to them and ID w/ netstat, because they're gone the > > >instant nmap finds them. > > Hi, > > > > I have this regularily too. I would like to see this explained, > > but perhaps it is just an error in nmap? > > I've seen this too. My inital guess was that these were incoming > ftp ports from active ftp sessions but that didn't really make > sense on this particular box. Then I think I upgraded nmap and the > problem seemed to go away. > > > > > Greetz, > > Sebastiaan > > > > > > > > > > -- > > NT is the OS of the future. The main engine is the 16-bit > > Subsystem > > (also called MS-DOS Subsystem). Above that, there is the > > windoze 95/98 > > 16-bit Subsystem. Anyone can see that 16+16=32, so windoze NT > > is a > > *real* 32-bit system. > > > > > > > > -- > > To UNSUBSCRIBE, email to [EMAIL PROTECTED] > > with a subject of "unsubscribe". Trouble? Contact > [EMAIL PROTECTED] > > -- > John Ferlito > Senior Engineer - Bulletproof Networks > ph: +61 (0) 410 519 382 > http://www.bulletproof.net.au/ > > > -- > To UNSUBSCRIBE, email to [EMAIL PROTECTED] > with a subject of "unsubscribe". Trouble? Contact > [EMAIL PROTECTED] -BEGIN PGP SIGNATURE- Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com> iQA/AwUBOy3PWAUqVktPGYHYEQJhuwCgsyj+4xlsY4NXApioM6oQ40fCWW8AoOMW SdtJmumTCipJ8HfmQGIuaLDQ =S+q1 -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: strange flickering ports
On Mon, Jun 18, 2001 at 09:14:54AM +0200, Sebastiaan wrote: > >Hi... > > > >I have a box with something listening to "flickering" ports. nmap > >reports various random ports open from run to run. I can't telnet to > >them and ID w/ netstat, because they're gone the instant nmap finds > >them. > Hi, > > I have this regularily too. I would like to see this explained, but > perhaps it is just an error in nmap? I've seen this too. My inital guess was that these were incoming ftp ports from active ftp sessions but that didn't really make sense on this particular box. Then I think I upgraded nmap and the problem seemed to go away. > > Greetz, > Sebastiaan > > > > > -- > NT is the OS of the future. The main engine is the 16-bit Subsystem > (also called MS-DOS Subsystem). Above that, there is the windoze 95/98 > 16-bit Subsystem. Anyone can see that 16+16=32, so windoze NT is a > *real* 32-bit system. > > > > -- > To UNSUBSCRIBE, email to [EMAIL PROTECTED] > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED] -- John Ferlito Senior Engineer - Bulletproof Networks ph: +61 (0) 410 519 382 http://www.bulletproof.net.au/
re: strange flickering ports
>Hi... > >I have a box with something listening to "flickering" ports. nmap >reports various random ports open from run to run. I can't telnet to >them and ID w/ netstat, because they're gone the instant nmap finds >them. Hi, I have this regularily too. I would like to see this explained, but perhaps it is just an error in nmap? Greetz, Sebastiaan -- NT is the OS of the future. The main engine is the 16-bit Subsystem (also called MS-DOS Subsystem). Above that, there is the windoze 95/98 16-bit Subsystem. Anyone can see that 16+16=32, so windoze NT is a *real* 32-bit system.
Re: strange flickering ports
On Mon, Jun 18, 2001 at 09:14:54AM +0200, Sebastiaan wrote: > >Hi... > > > >I have a box with something listening to "flickering" ports. nmap > >reports various random ports open from run to run. I can't telnet to > >them and ID w/ netstat, because they're gone the instant nmap finds > >them. > Hi, > > I have this regularily too. I would like to see this explained, but > perhaps it is just an error in nmap? I've seen this too. My inital guess was that these were incoming ftp ports from active ftp sessions but that didn't really make sense on this particular box. Then I think I upgraded nmap and the problem seemed to go away. > > Greetz, > Sebastiaan > > > > > -- > NT is the OS of the future. The main engine is the 16-bit Subsystem > (also called MS-DOS Subsystem). Above that, there is the windoze 95/98 > 16-bit Subsystem. Anyone can see that 16+16=32, so windoze NT is a > *real* 32-bit system. > > > > -- > To UNSUBSCRIBE, email to [EMAIL PROTECTED] > with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED] -- John Ferlito Senior Engineer - Bulletproof Networks ph: +61 (0) 410 519 382 http://www.bulletproof.net.au/ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
re: strange flickering ports
>Hi... > >I have a box with something listening to "flickering" ports. nmap >reports various random ports open from run to run. I can't telnet to >them and ID w/ netstat, because they're gone the instant nmap finds >them. Hi, I have this regularily too. I would like to see this explained, but perhaps it is just an error in nmap? Greetz, Sebastiaan -- NT is the OS of the future. The main engine is the 16-bit Subsystem (also called MS-DOS Subsystem). Above that, there is the windoze 95/98 16-bit Subsystem. Anyone can see that 16+16=32, so windoze NT is a *real* 32-bit system. -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
strange flickering ports
Hi... I have a box with something listening to "flickering" ports. nmap reports various random ports open from run to run. I can't telnet to them and ID w/ netstat, because they're gone the instant nmap finds them. I can't see the culprit in the output of lsof. Does anyone here know what might be going on? If not, I might try writing a simple port scanner which leaves a connection open for netstat to track... TRANSCRIPT FOLLOWS: [EMAIL PROTECTED]:~$ nmap -p 1-1 localhost Starting nmap V. 2.12 by Fyodor ([EMAIL PROTECTED], www.insecure.org/nmap/) Interesting ports on localhost (127.0.0.1): PortState Protocol Service 9 opentcpdiscard 13 opentcpdaytime 22 opentcpssh 25 opentcpsmtp 37 opentcptime 80 opentcphttp 6000opentcpX11 8080opentcphttp-proxy Nmap run completed -- 1 IP address (1 host up) scanned in 35 seconds [EMAIL PROTECTED]:~$ # everything looks fine [EMAIL PROTECTED]:~$ # all these are normal services, except 8080, which is a port [EMAIL PROTECTED]:~$ # tunnelled by ssh [EMAIL PROTECTED]:~$ nmap -p 1-1 localhost Starting nmap V. 2.12 by Fyodor ([EMAIL PROTECTED], www.insecure.org/nmap/) Strange read error from 127.0.0.1 (104): Operation now in progress Interesting ports on localhost (127.0.0.1): PortState Protocol Service 9 opentcpdiscard 13 opentcpdaytime 22 opentcpssh 25 opentcpsmtp 37 opentcptime 80 opentcphttp 3920opentcpunknown 6000opentcpX11 8080opentcphttp-proxy Nmap run completed -- 1 IP address (1 host up) scanned in 35 seconds [EMAIL PROTECTED]:~$ # XXX something was listening on port 3920 [EMAIL PROTECTED]:~$ nmap -p 1-1 localhost Starting nmap V. 2.12 by Fyodor ([EMAIL PROTECTED], www.insecure.org/nmap/) Strange read error from 127.0.0.1 (104): Operation now in progress Interesting ports on localhost (127.0.0.1): PortState Protocol Service 9 opentcpdiscard 13 opentcpdaytime 22 opentcpssh 25 opentcpsmtp 37 opentcptime 80 opentcphttp 3537opentcpunknown 6000opentcpX11 8080opentcphttp-proxy Nmap run completed -- 1 IP address (1 host up) scanned in 34 seconds [EMAIL PROTECTED]:~$ # XXX now something was listening on port 3537 [EMAIL PROTECTED]:~$ # XXX also note the "Strange read error" [EMAIL PROTECTED]:~$ sudo lsof | gzip -c > lsof.gz # attached [EMAIL PROTECTED]:~$ nmap -p 1-1 localhost Starting nmap V. 2.12 by Fyodor ([EMAIL PROTECTED], www.insecure.org/nmap/) Interesting ports on localhost (127.0.0.1): PortState Protocol Service 9 opentcpdiscard 13 opentcpdaytime 22 opentcpssh 25 opentcpsmtp 37 opentcptime 80 opentcphttp 6000opentcpX11 8080opentcphttp-proxy Nmap run completed -- 1 IP address (1 host up) scanned in 33 seconds [EMAIL PROTECTED]:~$ # everything's clear again -- Peter Eckersley http://www.cs.mu.oz.au/~pde ([EMAIL PROTECTED]) TLI: http://www.computerbank.org.au <.sig temporarily conservative pending divine intervention> GPG fingerprint: 30BF 6A78 2013 DCFA 5985 E255 9D31 4A9A 7574 65BC lsof.gz Description: Binary data pgpzkWCIADRog.pgp Description: PGP signature
strange flickering ports
Hi... I have a box with something listening to "flickering" ports. nmap reports various random ports open from run to run. I can't telnet to them and ID w/ netstat, because they're gone the instant nmap finds them. I can't see the culprit in the output of lsof. Does anyone here know what might be going on? If not, I might try writing a simple port scanner which leaves a connection open for netstat to track... TRANSCRIPT FOLLOWS: pde@xyz:~$ nmap -p 1-1 localhost Starting nmap V. 2.12 by Fyodor ([EMAIL PROTECTED], www.insecure.org/nmap/) Interesting ports on localhost (127.0.0.1): PortState Protocol Service 9 opentcpdiscard 13 opentcpdaytime 22 opentcpssh 25 opentcpsmtp 37 opentcptime 80 opentcphttp 6000opentcpX11 8080opentcphttp-proxy Nmap run completed -- 1 IP address (1 host up) scanned in 35 seconds pde@xyz:~$ # everything looks fine pde@xyz:~$ # all these are normal services, except 8080, which is a port pde@xyz:~$ # tunnelled by ssh pde@xyz:~$ nmap -p 1-1 localhost Starting nmap V. 2.12 by Fyodor ([EMAIL PROTECTED], www.insecure.org/nmap/) Strange read error from 127.0.0.1 (104): Operation now in progress Interesting ports on localhost (127.0.0.1): PortState Protocol Service 9 opentcpdiscard 13 opentcpdaytime 22 opentcpssh 25 opentcpsmtp 37 opentcptime 80 opentcphttp 3920opentcpunknown 6000opentcpX11 8080opentcphttp-proxy Nmap run completed -- 1 IP address (1 host up) scanned in 35 seconds pde@xyz:~$ # XXX something was listening on port 3920 pde@xyz:~$ nmap -p 1-1 localhost Starting nmap V. 2.12 by Fyodor ([EMAIL PROTECTED], www.insecure.org/nmap/) Strange read error from 127.0.0.1 (104): Operation now in progress Interesting ports on localhost (127.0.0.1): PortState Protocol Service 9 opentcpdiscard 13 opentcpdaytime 22 opentcpssh 25 opentcpsmtp 37 opentcptime 80 opentcphttp 3537opentcpunknown 6000opentcpX11 8080opentcphttp-proxy Nmap run completed -- 1 IP address (1 host up) scanned in 34 seconds pde@xyz:~$ # XXX now something was listening on port 3537 pde@xyz:~$ # XXX also note the "Strange read error" pde@xyz:~$ sudo lsof | gzip -c > lsof.gz # attached pde@xyz:~$ nmap -p 1-1 localhost Starting nmap V. 2.12 by Fyodor ([EMAIL PROTECTED], www.insecure.org/nmap/) Interesting ports on localhost (127.0.0.1): PortState Protocol Service 9 opentcpdiscard 13 opentcpdaytime 22 opentcpssh 25 opentcpsmtp 37 opentcptime 80 opentcphttp 6000opentcpX11 8080opentcphttp-proxy Nmap run completed -- 1 IP address (1 host up) scanned in 33 seconds pde@xyz:~$ # everything's clear again -- Peter Eckersley http://www.cs.mu.oz.au/~pde ([EMAIL PROTECTED]) TLI: http://www.computerbank.org.au <.sig temporarily conservative pending divine intervention> GPG fingerprint: 30BF 6A78 2013 DCFA 5985 E255 9D31 4A9A 7574 65BC lsof.gz PGP signature
