Very strange nmap scan results

From: Juan B <juanbabi@xxxxxxxxx>
Date: Fri, 21 Sep 2007 08:16:43 -0700 (PDT)

Hi all,

For a client in scaning his Dmz from the internet.

I know the servers are behind a pix 515 without any
add security features ( they dont have any ips or
the
didnt enabled the ips feature of the pix). they also

dont have any honeypot etc..

the strange is that two I receive too many open
ports!
for example I scan the mail relay and although just
port 25 is open it report lots of more open ports!
this is the nmap scan I issued:

nmap -sT -vv -P0 -O -p1-1024 200.61.44.48/28 -oA
cpsa.txt

( I changed the ip's here...)

and the result for the mail relay for example are:

nteresting ports on mail.cpsa.com (200.61.44.50):
PORT STATE SERVICE
1/tcp open tcpmux
2/tcp open compressnet
3/tcp open compressnet
4/tcp open unknown
5/tcp open rje
6/tcp open unknown
7/tcp open echo
8/tcp filtered unknown
9/tcp open discard
10/tcp open unknown
11/tcp open systat
12/tcp open unknown
13/tcp open daytime
14/tcp open unknown
15/tcp open netstat
16/tcp open unknown
17/tcp open qotd
18/tcp filtered msp
19/tcp open chargen
20/tcp open ftp-data
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
24/tcp open priv-mail
25/tcp open smtp
26/tcp open unknown
27/tcp open nsw-fe
28/tcp open unknown
29/tcp open msg-icp
30/tcp open unknown
31/tcp open msg-auth
32/tcp open unknown
33/tcp open dsp
34/tcp open unknown

this continues up to port 1024..

any ideas how to eliminate so many false positives?

thanks a lot,

Juan

____________________________________________________________________________________

Catch up on fall's hot new shows on Yahoo! TV. Watch
previews, get listings, and more!
http://tv.yahoo.com/collections/3658

____________________________________________________________________________________
Don't let your dream ride pass you by. Make it a reality with Yahoo! Autos.
http://autos.yahoo.com/index.html

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

Follow-Ups:
- RE: Very strange nmap scan results
  - From: Rodrigo Dutra Salvalagio
- Re: Very strange nmap scan results
  - From: Hans-J. Ullrich

Prev by Date: HITBSecConf2007 - Malaysia Materials & Photos are up !
Next by Date: Re: R: WifiZoo v1.1
Previous by thread: HITBSecConf2007 - Malaysia Materials & Photos are up !
Next by thread: Re: Very strange nmap scan results
Index(es):
- Date
- Thread

Relevant Pages

Very strange nmap scan results
... I know the servers are behind a pix 515 without any ... add security features (they dont have any ips or the ... the strange is that two I receive too many open ports! ... 4/tcp open unknown ...
(Security-Basics)
Re: Very strange nmap scan results
... Perhaps a different kind of scan will filter those out? ... port 25 is open it report lots of more open ports! ... 4/tcp open unknown ... buy it or download a solution FREE today! ...
(Pen-Test)
Re: Very strange nmap scan results
... I know the servers are behind a pix 515 without any ... port 25 is open it report lots of more open ports! ... 4/tcp open unknown ... Cenzic finds more, "real" vulnerabilities fast. ...
(Pen-Test)
Re: [Full-disclosure] Very strange nmap scan results
... the strange is that two I receive too many open ports! ... open rje 6/tcp open unknown 7/tcp open echo 8/tcp ... filtered unknown 9/tcp open discard 10/tcp open ... Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org ...
(Full-Disclosure)
RE: Very strange nmap scan results
... This Pix will do that... ... You can reduce this false positive using -sV, this tell nmap to get ... port 25 is open it report lots of more open ports! ... 4/tcp open unknown ...
(Pen-Test)