Morten Bo Johansen <[EMAIL PROTECTED]> wrote:

> > > Running nmap on the localhost produces among others this line
> > > of output:
> > >
> > > 8081/tcp open blackice-icecap
> > >
> > > lsof shows that wwwoffled is behind this service
> > > What is blackice-icecap..?
> >
> > It's probably one of the hundreds of possible trojan horses. For a long
> > list, visit http://www.nethog.com/feeds/niteryder/trojans.htm (although
> > this one isn't listed). It just means that someone somewhere has once
> > found a trojan program listening on port 8081. It doesn't mean that
> > having port 8081 accepting incoming connections is by definition
> > dangerous; in this case you and I know that it's wwwoffled, and not
> > blackice-icecap, so ignore it.
>
> I am not quite sure that I still understand why nmap gets it
> wrong.

I would imagine that nmap is getting it wrong because the file /etc/services contains a line that specifies that blackice-icecap uses port 8081. As far as I know nmap doesn't detect the program that is listening to the port, it just lists the ports that it finds.

I also find it more likely that blackice-icecap is a security monitoring program than a trojan. See http://www.networkice.com/ or http://www.networkice.com/products/icecap_manager.html for more information. A simple search with Google finds these pages.

While on the subject of security scanners, it is interesting to note that if you use Nessus to scan a machine running WWWOFFLE it will detect the HTTP proxy on port 8080. It will also say that it is a web server (which it is) and that it allows arbitrary files to be retrieved using relative paths (which it doesn't).

So the moral of the story is that scanners like these are good, if you know how to interpret the results, but they are not perfect.

--
Andrew.
----------------------------------------------------------------------
Andrew M. Bishop [EMAIL PROTECTED]
http://www.gedanken.demon.co.uk/

WWWOFFLE users page:
http://www.gedanken.demon.co.uk/wwwoffle/version-2.6/user.html
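
The cross-check discussed in this thread (the service name a port scan prints versus the process lsof reports on that port), as an added example that is not part of the original messages. The sample nmap and lsof text is constructed apart from the 8081 line quoted above, the function names are hypothetical, and the lsof text assumes the column layout of `lsof -i -P -n`.

```python
import re

# Constructed scan output; only the 8081 line appears in the thread.
NMAP_OUTPUT = """\
PORT     STATE SERVICE
22/tcp   open  ssh
8080/tcp open  http-proxy
8081/tcp open  blackice-icecap
3306/tcp open  mysql
"""

# Constructed `lsof -i -P -n` style output; PIDs and device numbers are made up.
LSOF_OUTPUT = """\
COMMAND    PID USER FD  TYPE DEVICE SIZE/OFF NODE NAME
sshd       301 root 3u  IPv4 1001   0t0      TCP  *:22 (LISTEN)
wwwoffled  412 root 3u  IPv4 1234   0t0      TCP  *:8080 (LISTEN)
wwwoffled  412 root 4u  IPv4 1235   0t0      TCP  127.0.0.1:8081 (LISTEN)
sshd       977 root 5u  IPv4 2001   0t0      TCP  10.0.0.5:22->10.0.0.9:51514 (ESTABLISHED)
"""

NMAP_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)", re.M)

def listeners(lsof_text):
    """Map (port, proto) -> set of command names holding a listening socket."""
    found = {}
    for line in lsof_text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10 or f[-1] != "(LISTEN)":
            continue  # skip established connections and malformed lines
        proto, port = f[-3].lower(), int(f[-2].rsplit(":", 1)[1])
        found.setdefault((port, proto), set()).add(f[0])
    return found

def reconcile(nmap_text, lsof_text):
    """Pair each open port's scanner label with the process that really owns it."""
    procs = listeners(lsof_text)
    report = []
    for port, proto, label in NMAP_LINE.findall(nmap_text):
        owners = sorted(procs.get((int(port), proto), []))
        if not owners:
            verdict = "no-listener-found"  # e.g. lsof run without root: check by hand
        elif any(label in o or o in label for o in owners):
            verdict = "name-matches"
        else:
            verdict = "name-differs"       # the label is a guess from the port number
        report.append((int(port), label, owners, verdict))
    return report

if __name__ == "__main__":
    for row in reconcile(NMAP_OUTPUT, LSOF_OUTPUT):
        print(row)
```

A "name-differs" row is not an alarm by itself; it marks a port where the scanner label should be set aside in favour of the process name, as with wwwoffled on 8081.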
