Re: [expert] quick security question.

2001-02-11 Thread Daniel Woods

 
  A friend of mine just set up his firewall with a stripped down version of
 Mandrake 7.2 using rc.firewall.
 
   The strange thing is that when I scan the machine (nmap) I see the
 following port open.
 
 31337/tcp  filtered  Elite

This is the @home cable service provider blocking those ports so
that their vulnerable (ie: ignorant) customers don't get hacked into
by the most common backdoors.

They also block Netbus ports 12345 and 12346.

This answer was given to me by Fyodor, nmap's creator.

Thanks... Dan.

Re: [expert] quick security question.

2001-02-07 Thread Praedor Tempus

One thing about nmap... depending on the scan type, it will show you a port 
number, protocol, its state and then give a name for a common service that 
uses that port.  It doesn't mean that the port is actually making use of that 
port. 

So, if nmap gets a response during its scan from port 31337, then it will 
provide you with the above information and provide a name for some service 
that COULD use that port.  It doesn't mean that it IS using that port.

I did a scan of my local school network last year with nmap.  On just about 
every windoze box it detected, it indicated port "31337/tcp open 
Backorifice".  I notified the school IT guys and they looked into it and I 
also asked Fyodor (the maintainer/creator of nmap) about it.  He indicates 
essentially what I said.  If a port gives some sort of nmap-understandable 
reply, then nmap will identify the port and give you the name of a service 
that may use that port.

If I have port 21 open on my system, even if I am NOT running an ftp server, 
and scan it with nmap, it will list "ftp" as the service associated with that 
port.

In any case, it is EXTREMELY unlikely that someone would have hacked into 
your friend's system so soon after an install and setup.  The attacker would 
first need to reconnoiter the system and then, perhaps, run a few apps/scripts 
(a script kiddie activity) that exploit commonly known vulnerabilities.  Once 
in, the kiddie then uploads some files, etc.  This takes at least SOME time.  

What sort of connection does this system use?  DHCP on DSL?  Static IP on 
DSL? Phone?  Connected via a LAN?  

On Wednesday 07 February 2001 10:08, dany allard you wrote:
  A friend of mine just set up his firewall with a stripped down version of
 Mandrake 7.2 using rc.firewall.

   The strange thing is that when I scan the machine (nmap) I see the
 following port open.

 31337/tcp  filtered  Elite

  The only use I know for that port is for back doors.
[...]

-- 
Against stupidity, the gods themselves contend in vain.

Re: [expert] quick security question.

2001-02-07 Thread dany allard

Praedor

Thanks for the quick reply

The machine is using @home (cable modem connection).

 I will get him to check the /var/log/security file on his machine.
That should give us the name of the program that is using that port.
I was more worried that there was a security hole/breakin.

  Thanks

 Dany Allard

Praedor Tempus wrote:

 One thing about nmap... depending on the scan type, it will show you a port
 number, protocol, its state and then give a name for a common service that
 uses that port.  It doesn't mean that the port is actually making use of that
 port.

 [...]

Re: [expert] quick security question.

2001-02-07 Thread Praedor Tempus

It is not any problem being sure.  Having a cable modem connection does make 
you more vulnerable than, perhaps, using a DSL.  Does he have a dynamic IP or 
static?

How long WAS the system up before the firewall was built?

Remember, you may not actually be running any service on that port, and your 
firewall is filtering the port, as indicated by nmap.  Even if you are not 
running any service on a given port detected by nmap, nmap will simply 
provide a name of a service that commonly uses that port.  That initially 
confused me when I first began using nmap.  I thought if it said 
"Backorifice" on port 31337, that meant that Backorifice was installed and 
running on that port.  That is not what it meant.  It meant that port 31337 
was often used by Backorifice.  

Having detected that port with nmap, I could then run a program (backorifice, 
for instance) and see if that port was listening and active.  In the case 
where nmap showed all the windoze boxes with Backorifice on port 31337, not a 
one of them had it actually installed and running (it is more than just a 
hacker tool, it can be used as a remote administration tool like PCAnywhere, 
only it is free).  It is merely a heads up/give you information kind of thing 
that nmap does.  

On Wednesday 07 February 2001 11:23, dany allard you wrote:
 Praedor

 Thanks for the quick reply

 The machine is using @home (cable modem connection).
[...]
-- 
Against stupidity, the gods themselves contend in vain.

Re: [expert] quick security question.

2001-02-07 Thread Altoine B.

As far as I know, that port is "filtered". That is, it is logged and
monitored but it doesn't supposedly let you do anything.
-- 
Altoine Barker
Maximum Time, Inc
Chicago Based Enterprise
http://www.maximumtime.com

Re: [expert] quick security question.

2001-02-07 Thread Matthew Micene

On Wednesday 07 February 2001 12:08 pm, dany allard wrote:
 31337/tcp  filtered  Elite

The fact that nmap reported this port as filtered is also significant.   
From the nmap man page:
'Filtered means that a firewall, filter, or other network obstacle is
covering the port and preventing nmap from determining whether the port
is open.'
This may then be a false positive.  Check the output of netstat -a --inet 
(from a trusted binary if you are really worried) to see what processes 
have sockets open and listening to network ports.

More than likely nmap received a specific kind of non-response when it hit 
this port that allowed it to identify a packet filter in place.  

-- 
Matthew Micene
Systems Development Manager
Express Search Inc.
www.ExpressSearch.com

A host is a host from coast to coast,
and no one will talk to a host too close
Unless the host that isn't close
is busy, hung or dead
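The two points made in this thread, that nmap's Service column is a name looked up from its port table rather than a fingerprint of what answered (Praedor's message), and that a "filtered" result should be checked against netstat -a --inet on the host itself (Matthew's message), combined into one reconciliation script. This is an added example, not code from the thread or from nmap; both tool outputs are constructed samples and the reconcile() verdict labels are my own.

```python
import re
# Constructed nmap output for the friend's firewall (not a real capture).
NMAP_OUTPUT = """\
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
6000/tcp   open        X11
12345/tcp  filtered    NetBus
31337/tcp  filtered    Elite
"""
# Constructed `netstat -a --inet` output as run on the host itself.
NETSTAT_OUTPUT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
"""
NMAP_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
NETSTAT_LINE = re.compile(r"^(tcp)\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+LISTEN")

def parse_nmap(text):
    """Map (port, proto) -> (state, service) from nmap's port table."""
    ports = {}
    for line in text.splitlines():
        m = NMAP_LINE.match(line)
        if m:
            ports[(int(m.group(1)), m.group(2))] = (m.group(3), m.group(4))
    return ports

def parse_netstat_listeners(text):
    """Set of (port, proto) that netstat shows bound in LISTEN state."""
    listeners = set()
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            listeners.add((int(m.group(2)), m.group(1)))
    return listeners

def reconcile(nmap_text, netstat_text):
    """Verdict per scanned port; nmap's Service column is a table lookup,
    not a fingerprint, so only the host's own listener list is authoritative."""
    listeners = parse_netstat_listeners(netstat_text)
    verdicts = {}
    for key, (state, _service) in parse_nmap(nmap_text).items():
        if key in listeners:
            verdicts[key] = "listening"          # next: identify the owning process
        elif state == "filtered":
            verdicts[key] = "filtered-upstream"  # firewall/ISP filter, nothing bound
        else:
            verdicts[key] = "no-listener"        # scan artefact or a device in the path
    return verdicts
```

A "listening" verdict still only says a socket is bound; which program owns it has to be read from the host (the thread suggests /var/log/security, and a trusted netstat binary), since the Service name came from a table.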

Re: [expert] quick security question.

2001-02-07 Thread dany allard

Thanks to everyone that replied.

   It turns out that the port is closed.
I ran strobe against the machine several times and it returned all ports closed.
I tried to telnet to it, and could not connect.

  Looks like a false positive, and I (being way too paranoid) reacted too quickly.

  Thanks everyone

  Dany Allard

Matthew Micene wrote:

 On Wednesday 07 February 2001 12:08 pm, dany allard wrote:
  31337/tcp  filtered  Elite

 The fact that nmap reported this port as filtered is also significant.
 From the nmap man page:
 'Filtered means that a firewall, filter, or other network obstacle is
 covering the port and preventing nmap from determining whether the port
 is open.'
 [...]