RE: Random unprivileged TCP ports below 5000 kind-of open for a fraction of a second

From: Charles.Faschingat_private
Date: Thu Dec 26 2002 - 14:47:37 PST


    What OS are you scanning?  Is it running RPC services or DCE services 
    (Microsoft's RPC - such as an exchange server)?  That can lead to the 
    type of behavior that you are seeing.
    
    Chuck “Spence” Fasching
    Systems Engineer
    Milestone Systems, Inc.
    charles.faschingat_private
    952.543.6999 xt 111
    
    
    -----Original Message-----
    From: alfaentomega [mailto:alfaentomegaat_private] 
    Sent: Monday, December 23, 2002 11:34 PM
    To: incidents
    Subject: Random unprivileged TCP ports below 5000 kind-of open for a 
    fraction of a second
    
    Hello All, it's my first post here.
    
    I have a strange problem, which I've never seen
    before,  and never even read about. I hope someone
    will be able to help me, because my every try to find
    it out by myself failed.
    
    I scanned localhost TCP ports with nmap and I saw that
    there's a service listening which I should not have.
    When I did it once again, it was gone. I did a few other
    scans, and there was nothing more than there should be,
    but I was already very suspicious.
    
    I found out that by default nmap doesn't scan every
    port (before that I thought every port is scanned
    without an explicit -p), so I ran "nmap -p1- localhost"
    and every time I saw something between 0 and 3 (usually
    there were 2) ports which were reported by nmap as
    open, but during the scan there was "Strange read
    error from 127.0.0.1 (104): Operation now in progress"
    for every one of them.
    
    I wanted to check out what is opening those ports, but
    "netstat -tulp" or "lsof -i -n" never shows them (I
    ran netstat and lsof with different options in long
    loops many times, to make sure to see those ports,
    even if they are open only for a fraction of a second,
    but I never saw anything).
    
    First I thought that it could be some strange nmap
    bug, so I tried other scanning methods, like netcat
    scan: "nc -vzw2 localhost 1-65535"
    
    Netcat shows normally open ports as "localhost
    [127.0.0.1] 113 (auth) open" but these strange ports
    are reported as, e.g. "localhost [127.0.0.1] 4546 (?)
    : Connection reset by peer"
    
    First I thought that they may be some ports, which are
    kind-of open, but they never finish TCP handshake, but
    they are detected only with basic nmap scan -sT, a TCP
    connect() scan, and never by any other kind of scan,
    like -sS SYN half-open scan (if they never finish the
    handshake, then it would make more sense if -sS
    detects them, while -sT thinks they're closed, not the
    other way around - but I may be wrong here).
    
    Here are other of my observations:
    I ran nmap in a loop scanning TCP ports 1-10000 every
    time (first it scanned 1-65535 but higher ports were
    never open), and for 1000 ports found, there were 875
    unique ones, with lowest 1036 and highest 4989, so
    they look quite randomly distributed in this range.
    
    It doesn't matter if I scan 128.0.0.1 or my temporary
    dialup IP, also other people scanning me remotely from
    the Internet are finding those strange not-quite-open
    ports.
    
    So, this is pretty much everything I know.
    
    I was searching the Web and trying to get some help on
    IRC, but unfortunately no one knew what I was talking
    about. All I've found was Max Gribov's problem, posted
    here on Mar 26 2001, which seems to be the same as
    what I have here:
    http://lists.insecure.org/lists/incidents/2001/Mar/0256.html
    
    There was one answer telling "You are seeing your own
    port scan and a clear demonstration why nmap to a
    localhost is not the best thing to do" which is not
    correct, because those ports are visible also on
    remote scans (and besides nmap looks for open
    listening ports and scanning doesn't open any ports
    for listening to incoming handshakes).
    
    The other answer was "I have seen times where certain
    linux boxes running X windows will do that but nothing
    that frequent" but with no more info. Should I not
    worry, because my box seems to be just a certain Linux
    box running X, or maybe those certain Linux boxes had
    some problems other than just running X on Linux?
    
    So, there actually was no meaningful answer to this
    question. If anyone knows where to look for the
    answer, please point me to any relevant text I should
    read.
    
    Of course I'll be glad if anyone posts some quick
    method to fix it, however I'd rather RTFM and know
    what's going on, because I'm getting a little bit
    paranoid when I don't.
    
    Was my system compromised? Is there some stealth
    backdoor listening on those random ports, which would
    open a normal TCP connection if only the source port
    and IP match the right values?
    
    Something like "nc -lp 3333 127.0.0.1 3334" which
    would drop the connection from anywhere else than
    127.0.0.1:3334, but done in a more fancy way, with
    direct control over the TCP/IP stack and the actual
    handshake? But if so, then why doesn't it look like a
    normal closed port? And why does the half-open SYN scan
    show it as closed, unlike the full open TCP scan?
    
    Such a netcat listening as above is normally detected
    as an open port by half-open SYN, stealth FIN, Xmas Tree,
    and Null scans, while being detected as open and being
    closed by TCP connect() scan. Here, what I observed is
    totally different; I only suspect that those ports
    could be opened from some attacker's IP:port,
    but maybe I'm being too paranoid.
    
    Half a year ago, my outdated Debian Potato box was
    compromised. Since then, I've read quite a few books
    and even more online texts about the systems and
    network security, and started to be extremely
    paranoid.
    
    Now I have an up-to-date Debian 3.0 Woody stable
    release, with every security update and with no
    unneeded services listening. Almost all software is
    installed from official Debian Woody packages; the
    only thing I have in /usr/local is mplayer.
    
    A remote login is impossible (it's my personal desktop
    box with ppp dialup network connection, to which no
    one has any access but me) and still I have long and
    random passwords which crack and john are unable to
    crack in weeks, having access to /etc/shadow. What
    else can I do? I almost can hear Bruce Schneier saying
    "Nothing, you're screwed." But really, is having
    updated Debian stable as a desktop system not being
    paranoid enough? I'm starting to lose any hope.
    
    I really hope that someone will answer something like
    "oh, this is only a bug in your kernel/library/etc."
    but I have a bad feeling. Sorry for writing such a
    long post, but I wanted to write everything I found
    out myself about the problem, so you wouldn't have to
    waste your time asking about things which I should
    write in the first place and without which you're
    unable to answer my questions.
    
    Thanks a lot.
    
    By the way, it's a really great list, I often find
    many things I need in the archives of this one and
    other SecurityFocus mailing lists. Thanks.
    
    Merry Xmas and Happy New Year!
    
    -Alfaentomega.
    
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    
    
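The poster tallied the transient ports by hand (1000 hits, 875 unique, lowest 1036, highest 4989) from repeated "nmap -sT" runs. The script below is an added example, not code from the post or from nmap: it automates that tally over the "NNNN/tcp open" lines of several concatenated nmap runs, separates ports that recur across runs from one-off sightings, and adds one check a practitioner would make before assuming a backdoor: how much of the observed set falls inside the host's own ephemeral port range (read from /proc/sys/net/ipv4/ip_local_port_range on Linux). Overlap with that range is a lead to chase with netstat/lsof, not a diagnosis. The nmap output, the known-listener set {25, 113} and the fallback range 1024-4999 are constructed assumptions.

```python
"""Summarise ports that repeated TCP connect() scans report as open.

Added example (not the list post's or nmap's code). Parses the result
lines of several concatenated nmap runs, tallies ports other than the
expected listeners, and compares them with the local ephemeral range.
"""
import re
from collections import Counter
from pathlib import Path

# nmap 3.x-style result line: "<port>/tcp <state> <service>"
PORT_LINE = re.compile(r"^\s*(\d+)/tcp\s+(\w+)\s*(\S*)")

# Constructed output of three "nmap -sT -p1-10000 localhost" runs,
# concatenated. Not a capture from the poster's system.
SAMPLE_RUNS = """\
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on localhost (127.0.0.1):
(The 9996 ports scanned but not shown below are in state: closed)
Port       State       Service
25/tcp     open        smtp
113/tcp    open        auth
1036/tcp   open        unknown
4546/tcp   open        unknown
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on localhost (127.0.0.1):
(The 9998 ports scanned but not shown below are in state: closed)
Port       State       Service
25/tcp     open        smtp
113/tcp    open        auth
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on localhost (127.0.0.1):
(The 9995 ports scanned but not shown below are in state: closed)
Port       State       Service
25/tcp     open        smtp
113/tcp    open        auth
1036/tcp   open        unknown
2210/tcp   open        unknown
4989/tcp   open        unknown
"""


def parse_open_ports(text):
    """Return (port, service) for every line nmap reports as open.
    Ports repeat across runs; summarize() decides how to count them."""
    found = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m and m.group(2) == "open":
            found.append((int(m.group(1)), m.group(3) or "?"))
    return found


def parse_port_range(text):
    """Parse the two integers of ip_local_port_range, e.g. "1024\\t4999\\n"."""
    lo, hi = (int(x) for x in text.split()[:2])
    return lo, hi


def read_local_port_range(default="1024\t4999"):
    """Read the live range on Linux; elsewhere fall back to the constructed
    default (an assumption chosen for illustration, not a measurement)."""
    path = Path("/proc/sys/net/ipv4/ip_local_port_range")
    try:
        return parse_port_range(path.read_text())
    except OSError:
        return parse_port_range(default)


def summarize(found, port_range, expected=()):
    """Tally ports not in `expected` (known listeners): hit count, unique
    count, lowest/highest, how many unique ports lie in the ephemeral
    range, and which ports were seen in more than one run."""
    lo, hi = port_range
    stray = [port for port, _ in found if port not in expected]
    counts = Counter(stray)
    uniq = sorted(counts)
    return {
        "hits": len(stray),
        "unique": len(uniq),
        "lowest": uniq[0] if uniq else None,
        "highest": uniq[-1] if uniq else None,
        "in_ephemeral_range": sum(1 for p in uniq if lo <= p <= hi),
        "repeat_offenders": sorted(p for p, c in counts.items() if c > 1),
    }


def main():
    found = parse_open_ports(SAMPLE_RUNS)
    report = summarize(found, read_local_port_range(), expected={25, 113})
    for key, value in report.items():
        print(f"{key:>20}: {value}")


if __name__ == "__main__":
    main()
```

Feed it the concatenated output of the same looped scan the poster ran; a port that lands in "repeat_offenders" deserves the netstat/lsof loop far more than one that appears once inside the ephemeral range.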
    



    This archive was generated by hypermail 2b30 : Fri Dec 27 2002 - 09:51:29 PST