--- Pavel Kankovsky <peakat_private> wrote: > On Mon, 23 Dec 2002, alfaentomega wrote: > > Hypothesis: one of the services listening on your machine opens a > short-lived listening sockets on an automatically assigned port (ie. > in 1024-5000 range) when it accepts a connection. This would explain > why SYN scan does not trigger it but connect() scan does. > > Try this: > for each port p in 1-1023 > perform a connect() scan of p and 1024-5000 > > Only a small set of p, perhaps a single value of p--the hypothetic > offending service (see above)--should make the mysterious listening > port appear. Actually, when I figured out that those ports are always above 1024 and below 5000, as I've said in my post, I started scanning only this range, and every time the results were similar. And the only service listening on my host is nullidentd. But now I know what I was observing, see Fyodor's answer: <20021224191816.GA10153at_private> Thanks. -Alfaentomega. __________________________________________________ Do you Yahoo!? Yahoo! Mail Plus - Powerful. Affordable. Sign up now. http://mailplus.yahoo.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Dec 27 2002 - 09:51:58 PST