Re: [expert] quick security question.
A friend of mine just set up his firewall with a stripped-down version of Mandrake 7.2 using rc.firewall. The strange thing is that when I scan the machine (nmap) I see the following port open:

31337/tcp filtered Elite

This is the @home cable service provider blocking those ports so that their vulnerable (ie: ignorant) customers don't get hacked into by the most common backdoors. They also block Netbus ports 12345 and 12346. This answer was given to me by Fyodor, nmap's creator.

Thanks...
Dan.
Re: [expert] quick security question.
One thing about nmap... depending on the scan type, it will show you a port number, protocol, its state and then give a name for a common service that uses that port. It doesn't mean that the port is actually making use of that port. So, if nmap gets a response during its scan from port 31337, then it will provide you with the above information and provide a name for some service that COULD use that port. It doesn't mean that it IS using that port.

I did a scan of my local school network last year with nmap. On just about every windoze box it detected, it indicated port "31337/tcp open Backorifice". I notified the school IT guys and they looked into it and I also asked Fyodor (the maintainer/creator of nmap) about it. He indicates essentially what I said. If a port gives some sort of nmap-understandable reply, then nmap will identify the port and give you the name of a service that may use that port. If I have port 21 open on my system, even if I am NOT running an ftp server, and scan it with nmap, it will list "ftp" as the service associated with that port.

In any case, it is EXTREMELY unlikely that someone would have hacked into your friend's system so soon after an install and setup. The attacker would first need to reconnoiter the system and then, perhaps, run a few apps/scripts (a script kiddie activity) that exploit commonly known vulnerabilities. Once in, the kiddie then uploads some files, etc. This takes at least SOME time.

What sort of connection does this system use? DHCP on DSL? Static IP on DSL? Phone? Connected via a LAN?

On Wednesday 07 February 2001 10:08, dany allard wrote:
> A friend of mine just set up his firewall with a stripped-down version of Mandrake 7.2 using rc.firewall. The strange thing is that when I scan the machine (nmap) I see the following port open:
>
> 31337/tcp filtered Elite
>
> The only use I know for that port is for back doors.
[...]

--
Against stupidity, the gods themselves contend in vain.
Re: [expert] quick security question.
Praedor,

Thanks for the quick reply. The machine is using @home (cable modem connection). I will get him to check the /var/log/security file on his machine. That should give us the name of the program that is using that port. I was more worried that there was a security hole/breakin.

Thanks
Dany Allard

Praedor Tempus wrote:
> One thing about nmap... depending on the scan type, it will show you a port number, protocol, its state and then give a name for a common service that uses that port. It doesn't mean that the port is actually making use of that port. So, if nmap gets a response during its scan from port 31337, then it will provide you with the above information and provide a name for some service that COULD use that port. It doesn't mean that it IS using that port.
>
> I did a scan of my local school network last year with nmap. On just about every windoze box it detected, it indicated port "31337/tcp open Backorifice". I notified the school IT guys and they looked into it and I also asked Fyodor (the maintainer/creator of nmap) about it. He indicates essentially what I said. If a port gives some sort of nmap-understandable reply, then nmap will identify the port and give you the name of a service that may use that port. If I have port 21 open on my system, even if I am NOT running an ftp server, and scan it with nmap, it will list "ftp" as the service associated with that port.
>
> In any case, it is EXTREMELY unlikely that someone would have hacked into your friend's system so soon after an install and setup. The attacker would first need to reconnoiter the system and then, perhaps, run a few apps/scripts (a script kiddie activity) that exploit commonly known vulnerabilities. Once in, the kiddie then uploads some files, etc. This takes at least SOME time.
>
> What sort of connection does this system use? DHCP on DSL? Static IP on DSL? Phone? Connected via a LAN?
>
> On Wednesday 07 February 2001 10:08, dany allard wrote:
> > A friend of mine just set up his firewall with a stripped-down version of Mandrake 7.2 using rc.firewall. The strange thing is that when I scan the machine (nmap) I see the following port open:
> >
> > 31337/tcp filtered Elite
> >
> > The only use I know for that port is for back doors.
> [...]
>
> --
> Against stupidity, the gods themselves contend in vain.
Re: [expert] quick security question.
It is not any problem being sure. Having a cable modem connection does make you more vulnerable than, perhaps, using a DSL. Does he have a dynamic IP or static? How long WAS the system up before the firewall was built?

Remember, you may not actually be running any service on that port, and your firewall is filtering the port, as indicated by nmap. Even if you are not running any service on a given port detected by nmap, nmap will simply provide a name of a service that commonly uses that port. That initially confused me when I first began using nmap. I thought if it said "Backorifice" on port 31337, that meant that Backorifice was installed and running on that port. That is not what it meant. It meant that port 31337 was often used by Backorifice. Having detected that port with nmap, I could then run a program (backorifice, for instance) and see if that port was listening and active. In the case where nmap showed all the windoze boxes with Backorifice on port 31337, not a one of them had it actually installed and running (it is more than just a hacker tool, it can be used as a remote administration tool like PCAnywhere, only it is free). It is merely a heads up/give you information kind of thing that nmap does.

On Wednesday 07 February 2001 11:23, dany allard wrote:
> Praedor,
>
> Thanks for the quick reply. The machine is using @home (cable modem connection).
[...]

--
Against stupidity, the gods themselves contend in vain.
Re: [expert] quick security question.
As far as I know, that port is "filtered". That is, it is logged and monitored but it doesn't supposedly let you do anything.

--
Altoine Barker
Maximum Time, Inc
Chicago Based Enterprise
http://www.maximumtime.com
Re: [expert] quick security question.
On Wednesday 07 February 2001 12:08 pm, dany allard wrote:
> 31337/tcp filtered Elite

The fact that nmap reported this port as filtered is also significant. From the nmap man page: 'Filtered means that a firewall, filter, or other network obstacle is covering the port and preventing nmap from determining whether the port is open.' This may then be a false positive. Check the output of netstat -a --inet (from a trusted binary if you are really worried) to see what processes have sockets open and listening to network ports. More than likely nmap received a specific kind of non-response when it hit this port that allowed it to identify a packet filter in place.

--
Matthew Micene
Systems Development Manager
Express Search Inc.
www.ExpressSearch.com

A host is a host from coast to coast,
and no one will talk to a host too close
Unless the host that isn't close
is busy, hung or dead
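The two checks this thread arrives at, side by side, as an added example that is not part of the original messages: nmap's service column is a lookup keyed on the port number (Praedor's point), and a "filtered" state is an undetermined result that should be reconciled against the host's own socket table, as Matthew suggests with netstat -a --inet. The port-to-name table and both sample outputs below are constructed (netstat is assumed in numeric, -n style form), not real nmap data.

```python
import re

# Constructed excerpt of a port->name table in the spirit of nmap's service
# list (not the real file): the label is keyed on the port number alone.
SERVICE_TABLE = {(21, "tcp"): "ftp", (22, "tcp"): "ssh",
                 (12345, "tcp"): "NetBus", (31337, "tcp"): "Elite"}

# Constructed sample inputs: an nmap port listing and numeric netstat output.
NMAP_OUTPUT = "31337/tcp filtered Elite\n22/tcp open ssh\n21/tcp open ftp\n"
NETSTAT_OUTPUT = """Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 10.0.0.5:22 10.0.0.9:4411 ESTABLISHED
"""
NMAP_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|closed|filtered)\b")


def service_name(port, proto, table=SERVICE_TABLE):
    """The label nmap prints: a table lookup, not evidence the service runs."""
    return table.get((port, proto), "unknown")


def parse_listeners(netstat_output):
    """Local (port, proto) pairs in LISTEN state from numeric netstat output."""
    listeners = set()
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[0] == "tcp" and parts[-1] == "LISTEN":
            listeners.add((int(parts[3].rsplit(":", 1)[1]), "tcp"))
    return listeners


def triage(nmap_output, netstat_output, table=SERVICE_TABLE):
    """Reconcile each scanned port with the host's own socket table."""
    listeners = parse_listeners(netstat_output)
    verdicts = {}
    for line in nmap_output.splitlines():
        m = NMAP_LINE.match(line.strip())
        if not m:
            continue
        port, proto, state = int(m.group(1)), m.group(2), m.group(3)
        name = service_name(port, proto, table)
        if state == "filtered":
            verdict = "undetermined: a filter answered the probe, not the host"
        elif (port, proto) in listeners:
            verdict = f"listening locally; find the owning process ({name!r})"
        else:
            verdict = f"no local listener: {name!r} is only a port-number lookup"
        verdicts[f"{port}/{proto}"] = verdict
    return verdicts
```

Run on the constructed samples, 31337/tcp comes back as undetermined, 22/tcp as a real local listener and 21/tcp as a name with nothing behind it, which is exactly the distinction the thread draws.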
Re: [expert] quick security question.
Thanks to everyone that replied. It turns out that the port is closed. I ran strobe against the machine several times and it returned all ports closed. I tried to telnet to it, and could not connect. Looks like a false positive, and I (being way too paranoid) reacted too quickly.

Thanks everyone
Dany Allard

Matthew Micene wrote:
> On Wednesday 07 February 2001 12:08 pm, dany allard wrote:
> > 31337/tcp filtered Elite
>
> The fact that nmap reported this port as filtered is also significant. From the nmap man page: 'Filtered means that a firewall, filter, or other network obstacle is covering the port and preventing nmap from determining whether the port is open.' This may then be a false positive. Check the output of netstat -a --inet (from a trusted binary if you are really worried) to see what processes have sockets open and listening to network ports. More than likely nmap received a specific kind of non-response when it hit this port that allowed it to identify a packet filter in place.
>
> --
> Matthew Micene
> Systems Development Manager
> Express Search Inc.
> www.ExpressSearch.com
>
> A host is a host from coast to coast,
> and no one will talk to a host too close
> Unless the host that isn't close
> is busy, hung or dead