On Mon, Dec 23, 2002 at 09:33:59PM -0800, alfaentomega wrote:
>
> I found out that by default nmap doesn't scan every
> port (before that I thought every port is scanned
> without explicit -p), so I ran "nmap -p1- localhost"
> and every time I saw something between 0 and 3 (usually
> there were 2) ports which were reported by nmap as
> open, but during the scan there was "Strange read
> error from 127.0.0.1 (104): Operation now in progress"
> for every one of them.

This may be a problem with your Linux kernel. When Nmap (or many other applications, such as Telnet) does a connect() call, the OS is supposed to choose a good source port to bind to for the connection. When you connect() to an ephemeral port (1024-4999 or so) on localhost, there is a chance that the system will decide to use as a source port the very port you are connecting to. In a bizarre twist, the application then ends up "connecting to itself"!

I consider this to be a Linux kernel bug, but my reports to the linux-kernel list (and offers to fix the problem) have been unheeded. Here is my first posting (from 1999):

http://marc.theaimsgroup.com/?l=linux-kernel&m=93598368005241&w=2

So the short summary is that it is just a Linux bug which the developers argue is a feature that they don't intend to fix. I do have a workaround in place for Nmap versions released in the last two or three years -- what version of Nmap are you using and what are the exact command-line arguments?

New versions of the Nmap Security Scanner can be found at http://www.insecure.org/nmap/

Cheers,
Fyodor
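The self-connect condition described in the reply can be recognised from the socket itself: once connect() succeeds, a socket that has connected to itself reports the same address and port for its local and peer endpoints. The C code below is an added example, not part of the original message and not Nmap's actual workaround; it flags such results instead of counting them as open ports. All function names are hypothetical, and it assumes Linux loopback behaviour, where binding a socket and then connecting it to its own port completes as a TCP simultaneous open.

```c
/* Added example; names are illustrative and this is not Nmap's code. */
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

enum port_state { PORT_CLOSED, PORT_OPEN, PORT_SELF_CONNECT };

static struct sockaddr_in loopback(unsigned short port) {
    struct sockaddr_in a = { .sin_family = AF_INET, .sin_port = htons(port),
                             .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    return a;
}

/* 1 if local endpoint == peer endpoint: the socket is connected to itself. */
int is_self_connected(int fd) {
    struct sockaddr_in l, p;
    socklen_t ll = sizeof l, pl = sizeof p;
    if (getsockname(fd, (struct sockaddr *)&l, &ll) != 0 ||
        getpeername(fd, (struct sockaddr *)&p, &pl) != 0) return 0;
    return l.sin_addr.s_addr == p.sin_addr.s_addr && l.sin_port == p.sin_port;
}

/* connect() probe of one loopback port; a self-connect is not a listener. */
enum port_state probe_loopback_port(unsigned short port) {
    struct sockaddr_in dst = loopback(port);
    enum port_state st = PORT_CLOSED;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd >= 0 && connect(fd, (struct sockaddr *)&dst, sizeof dst) == 0)
        st = is_self_connected(fd) ? PORT_SELF_CONNECT : PORT_OPEN;
    if (fd >= 0) close(fd);
    return st;
}

/* Reproduce the condition on purpose: bind to a kernel-chosen port, then
   connect to that same port. Returns the fd, or -1 if the platform refuses. */
int force_self_connect(void) {
    struct sockaddr_in a = loopback(0);
    socklen_t len = sizeof a;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd >= 0 && bind(fd, (struct sockaddr *)&a, sizeof a) == 0 &&
        getsockname(fd, (struct sockaddr *)&a, &len) == 0 &&
        connect(fd, (struct sockaddr *)&a, sizeof a) == 0) return fd;
    if (fd >= 0) close(fd);
    return -1;
}

int main(void) {
    int fd = force_self_connect();
    printf("self-connect %s\n", fd >= 0 && is_self_connected(fd) ? "detected" : "not reproduced");
    return 0;
}
```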