Re: [Full-disclosure] Very strange nmap scan results
- From: scott <redhowlingwolves@xxxxxxxxxxxxx>
- Date: Fri, 21 Sep 2007 01:08:13 -0400
Did this particular person, or persons know what you were going to do?
Looks like a honeypot, to me.
Been wrong before, won't be the last. I hope, for the sake of whomever
you are auditing, that this is the case.
Cheers, Redwolfs always
Juan B wrote:
Hi all,
For a client I'm scanning his DMZ from the internet.
I know the servers are behind a PIX 515 without any added security
features (they don't have any IPS or they didn't enable the IPS
feature of the PIX).
The strange thing is that I receive too many open ports! For example,
I scan the mail relay and although just port 25 is open it reports
lots more open ports! This is the nmap scan I issued:
nmap -sT -vv -P0 -O -p1-1024 200.61.44.48/28 -oA cpsa.txt
(I changed the IPs here...)
and the results for the mail relay, for example, are:
Interesting ports on mail.cpsa.com (200.61.44.50):
PORT    STATE     SERVICE
1/tcp   open      tcpmux
2/tcp   open      compressnet
3/tcp   open      compressnet
4/tcp   open      unknown
5/tcp   open      rje
6/tcp   open      unknown
7/tcp   open      echo
8/tcp   filtered  unknown
9/tcp   open      discard
10/tcp  open      unknown
11/tcp  open      systat
12/tcp  open      unknown
13/tcp  open      daytime
14/tcp  open      unknown
15/tcp  open      netstat
16/tcp  open      unknown
17/tcp  open      qotd
18/tcp  filtered  msp
19/tcp  open      chargen
20/tcp  open      ftp-data
21/tcp  open      ftp
22/tcp  open      ssh
23/tcp  open      telnet
24/tcp  open      priv-mail
25/tcp  open      smtp
26/tcp  open      unknown
27/tcp  open      nsw-fe
28/tcp  open      unknown
29/tcp  open      msg-icp
30/tcp  open      unknown
31/tcp  open      msg-auth
32/tcp  open      unknown
33/tcp  open      dsp
34/tcp  open      unknown
This continues up to port 1024..
Any ideas how to eliminate so many false positives?
Thanks a lot,
Juan
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
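
Added example, not part of the original thread or of nmap itself: a Python triage script that parses nmap's normal output and flags hosts where nearly every probed port is reported open, the pattern in the scan above, which is consistent with a honeypot (as the reply suggests) or with a device in the path answering on the host's behalf. The function names, the thresholds and the sample hosts and addresses are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in nmap normal-output format; hosts and addresses are made up.
SAMPLE = """\
Interesting ports on mail.example.test (192.0.2.50):
PORT    STATE    SERVICE
1/tcp   open     tcpmux
2/tcp   open     compressnet
3/tcp   open     compressnet
4/tcp   open     unknown
5/tcp   open     rje
6/tcp   open     unknown
7/tcp   open     echo
8/tcp   filtered unknown
9/tcp   open     discard
25/tcp  open     smtp

Interesting ports on www.example.test (192.0.2.51):
Not shown: 1022 filtered ports
PORT    STATE    SERVICE
80/tcp  open     http
443/tcp open     https
"""

HOST_RE = re.compile(r"^(?:Interesting ports on|Nmap scan report for) (.+?):?$")
PORT_RE = re.compile(r"^\d+/(?:tcp|udp)\s+(\S+)\s+\S+")
HIDDEN_RE = re.compile(r"^Not shown: (\d+) (\S+) (?:\S+ )?ports?")

def parse_states(text):
    """Return {host: Counter(state -> port count)}, including 'Not shown' ports."""
    hosts, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := HOST_RE.match(line):
            current = hosts.setdefault(m.group(1), Counter())
        elif current is not None and (m := PORT_RE.match(line)):
            current[m.group(1)] += 1
        elif current is not None and (m := HIDDEN_RE.match(line)):
            current[m.group(2)] += int(m.group(1))
    return hosts

def suspicious_hosts(hosts, min_ports=8, open_ratio=0.8):
    """Flag hosts where nearly every probed port is 'open' (assumed thresholds)."""
    return {h: (c["open"], sum(c.values())) for h, c in hosts.items()
            if sum(c.values()) >= min_ports and c["open"] / sum(c.values()) >= open_ratio}

if __name__ == "__main__":
    print(suspicious_hosts(parse_states(SAMPLE)))
```

A flagged host is a cue to confirm each "open" port by hand (for example, checking whether a real service banner comes back) before anything goes into an audit report.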