First off: I'm assuming that you did your scan across the internet, and that you passed a screening router on the way (maybe your OWN packet screening router?)

Comments inline...

Christoph Schneeberger wrote:
>
> Hi,
>
> I'm sorry if this is completely stupid but I can't explain what's going on.
>
> While scanning a customer's public corporate website (on request) with nmap
> (2.3BETA6 and 2.02) I found the following open ports:
>
> Port    State     Protocol  Service
> 21      open      tcp       ftp
> 25      open      tcp       smtp
> 80      open      tcp       http
> 135     open      tcp       loc-srv
> 139     open      tcp       netbios-ssn
> 443     open      tcp       https
> 465     open      tcp       smtps
> 1027    open      tcp       unknown
> 1030    open      tcp       iad1
> 12345   filtered  tcp       NetBus
          ^^^^^^^^^

Notice "filtered": that means that nmap is not getting ANY responses back
from that port (i.e. DROP rather than REJECT on a firewall ruleset). This does
NOT mean it is open, or that there's something running on the port.

>
> and udp:
>
> Port    State  Protocol  Service
> 135     open   udp       loc-srv
> 137     open   udp       netbios-ns
> 138     open   udp       netbios-dgm
> 31337   open   udp       BackOrifice
          ^^^^^

I'm betting this is a false positive actually... They are probably DROPping
all packets to 31337 in their firewall, that's why nmap thinks that the ports
are open. You detect "open" UDP ports by NOT getting an "ICMP_UNREACH" message
when you send data on it; this is exactly what happens if the packets get
DROPped by the firewall.

> -Connected with telnet to port 12345 of that machine and expected a banner
> No luck (probably it has IP restrictions, a feature of netbus)

I'm betting the firewall had your packets for breakfast; they didn't even get
close to the actual server. Did you try this from the local net or did you do
it through the firewall/router?

> -Checking Registry and Disk for known malicious executables
> No luck

Maybe 'cause they're not there? :-)

> -Checking services and running processes for unknown things
> Nothing strange or special (screenshot available)
> -Installing Norman Data Defense AntiVirus with latest definitions
> Nothing found
> -Removing Norman and installing the latest Norton Antivirus for NT with
> latest definitions
> Nothing found
> -Running netstat -an on the server in question
> The two ports 12345 tcp and 31337 udp were not shown, all other listening
> services were shown as expected.

Hummm.. I'm about to reach a conclusion :-)

> -Installing Back Orifice Friendly from http://www.nfr.net/bof/ on the
> server (I hoped it would complain about not being able to listen on 31337 udp)
> Started and did not complain
> -I then connected to the server with 'netcat -u 31337' and typed some
> random chars which should normally trigger bof to pop up and notify the user
> Nothing happened, all other ports like i.e. pop3 triggered bof immediately
>
> So, am I missing a chapter or does this look like something really strange?
> What next steps would one take now?

Do your nmap scan from the same LAN that the server is on, compare the scans.

-- 
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46 (0)660 105 50   Fax: +46 (0)660 122 50   Mobile: +46 (0)70 248 00 33
WWW: http://www.enternet.se   E-mail: mikael.olssonat_private
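The comparison Mikael suggests (rescan from the server's own LAN and diff the two results), as an added Python example that is not part of either mail. It parses two nmap greppable-output (-oG) "Ports:" lines, one scanned through the firewall and one from the LAN, and flags every port whose state differs between the two vantage points. Both scan lines are constructed for this example: the external one mirrors the results quoted above, the LAN one is an assumed rescan with no firewall in the path, and 192.0.2.10 is a documentation address. interpret_probe() writes down the response-to-state mapping Mikael describes; the "open|filtered" label for a silent UDP port is what current nmap prints, not something the 2.x versions in the thread had.

```python
"""Diff an nmap scan taken through a firewall against one taken on the
server's LAN, to separate real listeners from firewall DROP artifacts.
Added example; the -oG lines below are constructed, not real scan output."""
import re
from typing import Dict, Optional, Tuple

PortKey = Tuple[str, int]  # (protocol, port)

# Constructed nmap -oG lines. EXTERNAL_OG mirrors the states quoted in the
# thread; LAN_OG is the assumed result of rescanning from inside the firewall.
EXTERNAL_OG = (
    "Host: 192.0.2.10 ()\tPorts: 21/open/tcp//ftp///, 25/open/tcp//smtp///, "
    "80/open/tcp//http///, 135/open/tcp//loc-srv///, 139/open/tcp//netbios-ssn///, "
    "443/open/tcp//https///, 465/open/tcp//smtps///, 1027/open/tcp//unknown///, "
    "1030/open/tcp//iad1///, 12345/filtered/tcp//NetBus///, "
    "135/open/udp//loc-srv///, 137/open/udp//netbios-ns///, "
    "138/open/udp//netbios-dgm///, 31337/open/udp//BackOrifice///"
    "\tIgnored State: closed (1000)"
)
LAN_OG = (
    "Host: 192.0.2.10 ()\tPorts: 21/open/tcp//ftp///, 25/open/tcp//smtp///, "
    "80/open/tcp//http///, 135/open/tcp//loc-srv///, 139/open/tcp//netbios-ssn///, "
    "443/open/tcp//https///, 465/open/tcp//smtps///, 1027/open/tcp//unknown///, "
    "1030/open/tcp//iad1///, 12345/closed/tcp//NetBus///, "
    "135/open/udp//loc-srv///, 137/open/udp//netbios-ns///, "
    "138/open/udp//netbios-dgm///, 31337/closed/udp//BackOrifice///"
    "\tIgnored State: closed (1000)"
)

# port/state/proto is the start of every -oG port entry; "|" admits open|filtered.
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(tcp|udp)")


def interpret_probe(proto: str, response: Optional[str]) -> str:
    """State nmap reports for one probe, given what came back.

    response: "syn-ack", "rst", "icmp-port-unreach", "udp-reply", or None
    when nothing came back at all (firewall DROP, or a lost packet).
    """
    if proto == "tcp":
        if response == "syn-ack":
            return "open"
        if response == "rst":
            return "closed"
        return "filtered"  # silence or ICMP unreachable: something ate the SYN
    if proto == "udp":
        if response == "icmp-port-unreach":
            return "closed"  # the host itself said nothing listens there
        if response == "udp-reply":
            return "open"
        # Silence is ambiguous: a listener that ignores junk input looks exactly
        # like a firewall DROP. nmap 2.x printed "open"; current nmap prints this.
        return "open|filtered"
    raise ValueError(f"unknown protocol {proto!r}")


def parse_og_ports(line: str) -> Dict[PortKey, str]:
    """Return {(proto, port): state} from the Ports: field of one -oG host line."""
    ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
    return {(proto, int(port)): state
            for port, state, proto in PORT_RE.findall(ports_field)}


def diff_scans(external: Dict[PortKey, str],
               lan: Dict[PortKey, str]) -> Dict[PortKey, Tuple[str, str]]:
    """Ports whose state differs between vantage points, as (external, lan).
    A port missing from a scan takes the -oG "Ignored State", closed here."""
    result = {}
    for key in sorted(set(external) | set(lan)):
        ext_state, lan_state = external.get(key, "closed"), lan.get(key, "closed")
        if ext_state != lan_state:
            result[key] = (ext_state, lan_state)
    return result


def classify(proto: str, ext_state: str, lan_state: str) -> str:
    """Explain one differing port in terms of what sits between scanner and host."""
    if lan_state == "closed":
        # Nothing listens on the host; the outside verdict came from the firewall.
        if ext_state in ("filtered", "open|filtered") or (proto == "udp" and ext_state == "open"):
            return "firewall artifact: probes dropped before reaching the host"
        if proto == "tcp" and ext_state == "open":
            return "answered in front of the host (NAT/proxy), not by the host"
    if lan_state == "open" and ext_state != "open":
        return "real listener, hidden from outside by the firewall"
    return "inconsistent; rescan both vantage points"


if __name__ == "__main__":
    ext, lan = parse_og_ports(EXTERNAL_OG), parse_og_ports(LAN_OG)
    for (proto, port), (e, l) in diff_scans(ext, lan).items():
        print(f"{port}/{proto}: external={e} lan={l} -> {classify(proto, e, l)}")
```

Run against the constructed lines this prints only 12345/tcp and 31337/udp, both classed as firewall artifacts, which is the conclusion the thread reaches by other means (netstat, BOF not complaining). Note that a UDP port reported open from outside is only evidence of a listener when the LAN scan also shows it open or a probe gets an actual UDP reply.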
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:44:58 PDT