Strange open ports on windows machines

From: Christoph Schneeberger (cschneeat_private)
Date: Thu Oct 21 1999 - 12:33:43 PDT

    Hi,
    
    I'm sorry if this is completely stupid, but I can't explain what's going on.
    
    While scanning a customer's public corporate website (on request) with nmap
    (2.3BETA6 and 2.02), I found the following open ports:
    Port    State       Protocol  Service
    21      open        tcp       ftp
    25      open        tcp       smtp
    80      open        tcp       http
    135     open        tcp       loc-srv
    139     open        tcp       netbios-ssn
    443     open        tcp       https
    465     open        tcp       smtps
    1027    open        tcp       unknown
    1030    open        tcp       iad1
    12345   filtered    tcp       NetBus
    
    and udp:
    Port    State       Protocol  Service
    135     open        udp       loc-srv
    137     open        udp       netbios-ns
    138     open        udp       netbios-dgm
    31337   open        udp       BackOrifice
    
    Nothing special yet; NetBus and BO happen to be on many PCs ;-)
    The server is NT4 SP4 German with IIS 4 installed.
    
    I then went with the customer through the following procedures:
    
    -Connected with telnet to port 12345 of that machine and expected a banner
    	No luck (probably it has IP restrictions, a feature of NetBus)
    -Checking Registry and disk for known malicious executables
    	No luck
    -Checking services and running processes for unknown things
    	Nothing strange or special (screenshot available)
    -Installing Norman Data Defense AntiVirus with the latest definitions
    	Nothing found
    -Removing Norman and installing the latest Norton AntiVirus for NT with the
    latest definitions
    	Nothing found
    -Running netstat -an on the server in question
    	The two ports 12345 tcp and 31337 udp were not shown; all other listening
    services were shown as expected.
    -Installing BackOfficer Friendly from http://www.nfr.net/bof/ on the
    server (I hoped it would complain about not being able to listen on 31337 udp)
    	Started and did not complain
    -I then connected to the server with 'netcat -u 31337' and typed some
    random chars, which should normally trigger bof to pop up and notify the user
    	Nothing happened; all other ports, e.g. pop3, triggered bof immediately
    
    So, am I missing a chapter, or does this look like something really strange?
    What next steps would one take now?
    
    I really appreciate any help or hint.
    
    Cheers,
    Christoph Schneeberger
    SCS Telemedia
    
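The procedure in the post boils down to cross-checking what the scanner claims against what the host itself reports. The following Python script is an added example, not part of the original message or of nmap: it parses an nmap 2.x style port table and a Windows `netstat -an` listing and gives each port a verdict. The two listings embedded in it are constructed samples modelled on the tables above (same ports, made-up addresses), not captured output from the poster's server. The verdict strings, function names and regexes are the example's own; nmap's "open" for UDP in these old versions means only that no ICMP port unreachable came back, and "filtered" for TCP means neither SYN/ACK nor RST was seen, so neither state proves a listening service.

```python
"""Cross-check an nmap port table against `netstat -an` from the host.

Added example, not from the original post. Both listings below are
constructed samples modelled on the message's tables, not real captures.
"""
import re

# Constructed nmap 2.x style table (ports as in the post, combined tcp+udp).
NMAP_OUTPUT = """\
Port    State       Protocol  Service
21      open        tcp       ftp
25      open        tcp       smtp
80      open        tcp       http
135     open        tcp       loc-srv
139     open        tcp       netbios-ssn
443     open        tcp       https
465     open        tcp       smtps
1027    open        tcp       unknown
1030    open        tcp       iad1
12345   filtered    tcp       NetBus
135     open        udp       loc-srv
137     open        udp       netbios-ns
138     open        udp       netbios-dgm
31337   open        udp       BackOrifice
"""

# Constructed `netstat -an` in Windows NT format: TCP listeners carry a
# LISTENING state, UDP sockets show "*:*" as the foreign address.
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:465            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1027           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1030           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80          198.51.100.7:1201      ESTABLISHED
  UDP    0.0.0.0:135            *:*
  UDP    192.0.2.10:137         *:*
  UDP    192.0.2.10:138         *:*
"""

NMAP_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(tcp|udp)\s+(\S+)")
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+(\S+)(?:\s+(\S+))?")


def parse_nmap(text):
    """Return {(proto, port): state} from an nmap 2.x style port table."""
    ports = {}
    for line in text.splitlines():
        m = NMAP_LINE.match(line)
        if m:
            port, state, proto, _service = m.groups()
            ports[(proto, int(port))] = state
    return ports


def parse_netstat(text):
    """Return the set of (proto, port) the host itself says it listens on."""
    listening = set()
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        proto, port, foreign, state = m.groups()
        if proto == "TCP" and state == "LISTENING":
            listening.add(("tcp", int(port)))
        elif proto == "UDP" and foreign == "*:*":
            listening.add(("udp", int(port)))
    return listening


def classify(nmap_ports, listening):
    """Map each scanned port to a verdict a responder can act on."""
    verdicts = {}
    for key, state in nmap_ports.items():
        proto, _port = key
        if key in listening:
            verdicts[key] = "confirmed listener"
        elif proto == "tcp" and state == "filtered":
            # Neither SYN/ACK nor RST came back: a packet filter, not a service.
            verdicts[key] = "filtered, not a proven listener"
        elif proto == "udp":
            # Old nmap calls a UDP port "open" whenever no ICMP port unreachable
            # arrives, so silence alone is not evidence of a service.
            verdicts[key] = "udp no-response, unconfirmed"
        else:
            # A TCP handshake completed but the host shows no socket: worth a
            # closer look (hidden listener, or the scan hit a proxy/NAT device).
            verdicts[key] = "tcp open but absent from netstat"
    return verdicts


def report(nmap_text=NMAP_OUTPUT, netstat_text=NETSTAT_OUTPUT):
    """Run the cross-check on the constructed samples (or on supplied text)."""
    return classify(parse_nmap(nmap_text), parse_netstat(netstat_text))


if __name__ == "__main__":
    for (proto, port), verdict in sorted(report().items()):
        print(f"{proto}/{port:<6} {verdict}")
```

On the sample data, the nine open TCP ports and the three NetBIOS UDP ports come back as confirmed listeners, tcp/12345 is reported as filtered rather than open, and udp/31337 is flagged as unconfirmed. The fourth verdict, a completed TCP handshake on a port the host does not show in netstat, is the one that would justify the deeper hunt the post describes.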



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:44:39 PDT