RE: nmap reveals trinoo_master on router
- From: "Maxime Ducharme" <mducharme@xxxxxxxxxxxxxxxxxxx>
- Date: Mon, 23 Oct 2006 10:58:48 -0400
Hello
nmap command structure (usually called documentation)
can be found here :
http://insecure.org/nmap/man/
I am not sure to understand the second question
filtering can be done upwards, i.e. the ISP filters
outgoing TCP 27765 to prevent Trinoo from spreading
filtering can also be done by your gateway's ISP
downwards, i.e. any incoming Trinoo packet is dropped
this is not the same ISP so not the same routers and
not the same configuration
hping can help to find which router actually filters this
port with something like this :
hping2 --destport 27765 --syn --traceroute --tr-stop 1.2.3.4
where 1.2.3.4 is the cisco's IP
HTH
have a nice day
Maxime
-----Message d'origine-----
De : Faheem SIDDIQUI [mailto:fahimdxb@xxxxxxxxx]
Envoyé : 20 octobre, 2006 22:20
À : Maxime Ducharme
Cc : incidents@xxxxxxxxxxxxxxxxx
Objet : Re: nmap reveals trinoo_master on router
Thanks Maxime
Seems like this is the most probable cause as I have done portscans on
machines internally and that hasn't revealed anything. While we are at
it, I tried to find the nmap command line structure to only check for
this port (27765) on my internal IP address range, but couldn't quite
hit it so did full scans. What would be the nmap command structure (for
future sake!)
One mystery still exists. Yes! We have one sole ISP in the region and
chances are that when I do this nmap from my home across to my target
gateway, a lot of ISPs routers would fall thru the route and they might
have been configured to drop this port but then, another router I know
of , when I run nmap on it's serial, doesn't show this port
Trinoo_Master in filtered state. For sure it's the same ISP's routers my
second nmap also passes through and if it's ISP configuration, nmap to
every router in the region should display this port..Correct?
Maxime Ducharme wrote:
Some router between the scanner and the server drops packetsthis
adresses to these ports, thats why you see them as filtered
It is common pratices for ISPs since these ports arent used
by common net users
I cannot tell if you system is compromised or not,
but this scan reveals nothing abnormal
HTH
Maxime Ducharme
-----Message d'origine-----
De : listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] De
la part de fahimdxb@xxxxxxxxx
Envoyé : 18 octobre, 2006 07:36
À : incidents@xxxxxxxxxxxxxxxxx
Objet : nmap reveals trinoo_master on router
On my Cisco Router, I do a nmap scan from outside on the Internet. The
result is:
" Interesting ports on *.*.50.1:
Not shown: 1676 closed ports
PORT STATE SERVICE
23/tcp filtered telnet
135/tcp filtered msrpc
1524/tcp filtered ingreslock
27665/tcp filtered Trinoo_Master
I am worried about the last two entries. The last nmap was done in Feb
year and I have confirmed that the two port entries (tcp 1524/27665) didnot
exist then.case
Though the port state "filtered" is a solace but I am still concerned. How
can I be sure that the system has not been compromised?
Also the current IOS Version of my Router 2811 is 12.4. It was the same
with open ports when I was using older Router Series 1700 v 12.2, so Iv
thought maybe, it's an IOS issue and I upgraded my Router to 2811 with IOS
12.4 yesterday. But as soon as I plugged it into the circuit and did astate
re-scan, I realised the nmap again gives the trinoo_master entry with
as filtered.configuration
Where could lie the problem. Is it with my firewall (PIX 515)
behind the router?http://www.cisco.com/en/US/partner/tech/tk59/technologies_white_paper09186a0
Please Advise!!
I have seen Cisco's tech doc that exists here:
080174a5b.shtml----------------------------------------------------------------------------
One of the solutions suggested therein is to implement "ip verify unicast
reverse-path" on the serial interface, but am not sure what will it serve?
Also, I suspect that I had other problems when I gave this command so I
reversed it.
"sh process cpu" only shows cpu utilisation of about 5-6%.
Please advise!!
--nations.
This List Sponsored by: Black Hat
Attend the Black Hat Briefings & Training USA, July 29-August 3 in Las
Vegas.
World renowned security experts reveal tomorrow's threats today. Free of
vendor pitches, the Briefings are designed to be pragmatic regardless of
your
security environment. Featuring 36 hands-on training courses and 10
conference
tracks, networking opportunities with over 2,500 delegates from 40+
----------------------------------------------------------------------------
http://www.blackhat.com
--
------------------------------------------------------------------------------
This List Sponsored by: Black Hat
Attend the Black Hat Briefings & Training USA, July 29-August 3 in Las Vegas.
World renowned security experts reveal tomorrow's threats today. Free of
vendor pitches, the Briefings are designed to be pragmatic regardless of your
security environment. Featuring 36 hands-on training courses and 10 conference
tracks, networking opportunities with over 2,500 delegates from 40+ nations.
http://www.blackhat.com
------------------------------------------------------------------------------
- Prev by Date: Re: nmap reveals trinoo_master on router
- Next by Date: Malware/trojan attacks
- Previous by thread: RE: nmap reveals trinoo_master on router
- Next by thread: Malware/trojan attacks
- Index(es):
Relevant Pages
|
