Charles,

Not only did he say that he ran lsof on the system (no MS OSs come w/ lsof, nor is there a version of lsof available, unless you rename fport.exe to 'lsof'). Also, given the switches used w/ the netstat command, those aren't all available on MS systems. Finally, later on in the (admittedly long-winded) post, the OP said that he'd installed Debian... "Now I have an up-to-date Debian 3.0 Woody stable release..."

Hope this helps answer your question...

--- Charles.Faschingat_private wrote:
> What OS are you scanning? Is it running RPC services or DCE services (Microsoft's RPC - such as an Exchange server)? That can lead to the type of behavior that you are seeing.
>
> Chuck "Spence" Fasching
> Systems Engineer
> Milestone Systems, Inc.
> charles.faschingat_private
> 952.543.6999 xt 111
>
> -----Original Message-----
> From: alfaentomega [mailto:alfaentomegaat_private]
> Sent: Monday, December 23, 2002 11:34 PM
> To: incidents
> Subject: Random unprivileged TCP ports below 5000 kind-of open for a fraction of a second
>
> Hello All, it's my first post here.
>
> I have a strange problem, which I've never seen before, and never even read about. I hope someone will be able to help me, because my every try to find it out by myself failed.
>
> I scanned localhost TCP ports with nmap and I saw that there's a service listening which I should not have. When I did it once again, it was gone. I did a few other scans, and there was nothing more than there should be, but I was already very suspicious.
>
> I found out that by default nmap doesn't scan every port (before that I thought every port is scanned without an explicit -p), so I ran "nmap -p1- localhost" and every time I saw something between 0 and 3 (usually there were 2) ports which were reported by nmap as open, but during the scan there was "Strange read error from 127.0.0.1 (104): Operation now in progress" for every one of them.
>
> I wanted to check out what is opening those ports, but "netstat -tulp" or "lsof -i -n" never shows them (I ran netstat and lsof with different options in long loops many times, to make sure to see those ports, even if they are open only for a fraction of a second, but I never saw anything).
>
> First I thought that it could be some strange nmap bug, so I tried other scanning methods, like a netcat scan: "nc -vzw2 localhost 1-65535"
>
> Netcat shows normally open ports as "localhost [127.0.0.1] 113 (auth) open" but these strange ports are reported as, e.g. "localhost [127.0.0.1] 4546 (?) : Connection reset by peer"
>
> First I thought that they may be some ports which are kind-of open, but they never finish the TCP handshake, but they are detected only with the basic nmap scan -sT, a TCP connect() scan, and never by any other kind of scan, like the -sS SYN half-open scan (if they never finish the handshake, then it would make more sense if -sS detects them, while -sT thinks they're closed, not the other way around - but I may be wrong here).
>
> Here are other of my observations:
> I ran nmap in a loop scanning TCP ports 1-10000 every time (first it scanned 1-65535 but higher ports were never open), and for 1000 ports found, there were 875 unique ones, with lowest 1036 and highest 4989, so they look quite randomly distributed in this range.
>
> It doesn't matter if I scan 128.0.0.1 or my temporary dialup IP, also other people scanning me remotely from the Internet are finding those strange not-quite-open ports.
>
> So, this is pretty much everything I know.
>
> I was searching the Web and trying to get some help on IRC, but unfortunately no one knew what I was talking about.
> All I've found was Max Gribov's problem, posted here on Mar 26 2001, which seems to be the same as what I have here:
> http://lists.insecure.org/lists/incidents/2001/Mar/0256.html
>
> There was one answer telling "You are seeing your own port scan and a clear demonstration why nmap to a localhost is not the best thing to do" which is not correct, because those ports are visible also on remote scans (and besides nmap looks for open listening ports and scanning doesn't open any ports for listening to incoming handshakes).
>
> The other answer was "I have seen times where certain linux boxes running X windows will do that but nothing that frequent" but with no more info. Should I not worry, because my box seems to be just a certain Linux box running X, or maybe those certain Linux boxes had some problems other than just running X on Linux?
>
> So, there actually was no meaningful answer to this question. If anyone knows where to look for the answer, please point me to any relevant text I should read.
>
> Of course I'll be glad if anyone posts some quick method to fix it, however I'd rather RTFM and know what's going on, because I'm getting a little bit paranoid when I don't.
>
> Was my system compromised? Is there some stealth backdoor listening on those random ports, which would open a normal TCP connection if only the source port and IP match the right values?
>
> Something like "nc -lp 3333 127.0.0.1 3334" which would drop the connection from anywhere else than 127.0.0.1:3334, but done in a more fancy way, with direct control over the TCP/IP stack and the actual handshake? But if so, then why doesn't it look like a normal closed port? And why does the half-open SYN scan show it as closed, unlike the full open TCP scan?
>
> Such a netcat listening as above is normally detected as an open port by half-open SYN, stealth FIN, Xmas Tree, and Null scans, while being detected as open and being closed by a TCP connect() scan. Here, what I observed is totally different; I only suspect that those ports could be possible to open from some attacker's IP:port, but maybe I'm being too paranoid.
>
> Half a year ago, my outdated Debian Potato box was compromised. Since then, I've read quite a few books and even more online texts about systems and network security, and started to be extremely paranoid.
>
> Now I have an up-to-date Debian 3.0 Woody stable release, with every security update and with no unneeded services listening. Almost all software is installed from official Debian Woody packages; the only thing I've got in /usr/local is mplayer.
>
> A remote login is impossible (it's my personal desktop box with a ppp dialup network connection, to which no one has any access but me) and still I have long and random passwords which crack and john are unable to crack in weeks, having access to /etc/shadow. What else can I do? I almost can hear Bruce Schneier saying "Nothing, you're screwed." But really, is having updated Debian stable as a desktop system not being paranoid enough? I'm starting to lose any hope.
>
> I really hope that someone will answer something like "oh, this is only a bug in your kernel/library/etc." but I have a bad feeling. Sorry for writing such a long post, but I wanted to write everything I found out myself about the problem, so you wouldn't have to waste your time asking about things which I should write in the first place and without which you're unable to answer my questions.
>
> Thanks a lot.
>
> By the way, it's a really great list, I often find many things I need in the archives of this one and other SecurityFocus mailing lists. Thanks.
>
> Merry Xmas and Happy New Year!
>
> -Alfaentomega.
>
> __________________________________________________
> Do you Yahoo!?
> Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
> http://mailplus.yahoo.com
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Dec 27 2002 - 15:43:13 PST