RE: Xmas and null scans

From: Jeremie Werner (medgi@evc.net)
Date: 11/23/01


From: Jeremie Werner <medgi@evc.net>
To: security-basics@securityfocus.com
Subject: RE: Xmas and null scans
Date: Fri, 23 Nov 2001 17:12:40 +0100
Message-Id: <01112317124000.00985@gaia>

Hello,

I'm not sure I have clearly understood all the questions, but this may help
you (I hope :).

The ports that are marked as open are ports from your box, so the only ports
that could be open are services you are running on your box. It may be httpd,
or even X server ...

To detect the scan, you can use a NIDS (like snort), or even a specific
program that detects portscans (like scanlogd from openwall.com). To block
portscans you should install a firewall, to filter the incoming packets.

In order to understand the way of portscanning, you should read the paper
from Fyodor published in Phrack 51 (phrack.org) and called 'The art of port
scanning'.

For more help, just try google.com :)

Have fun ...

>Hello everyone.
>I'm running FreeBSD 4.4 and I was doing a port scan of myself (from a remote
>box that I have legal access to) and I was getting a log of open ports from
>nmap -sN and nmap -sX. I was wondering why I was getting all of these "open
>ports", and does anyone know how to stop these scans from getting through?
>And how do these scans work?
>
>Thanks
>Craig
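
Added example, not part of the original message or of snort/scanlogd: a minimal sketch of the flag check a NIDS applies to spot these two scan types. nmap -sN sends TCP segments with no flags set and nmap -sX sets FIN, PSH and URG; the addresses, the `min_ports` threshold and all function names here are assumptions made for illustration.

```python
import struct
from collections import defaultdict

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def build_packet(src, dst, dport, flags, sport=40000):
    """Build a minimal IPv4+TCP packet (checksums zero) for constructed samples."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)
    return ip + tcp

def parse_tcp(packet):
    """Return (src_ip, dst_port, flags) for an IPv4/TCP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 6:
        return None
    ihl = (packet[0] & 0x0F) * 4          # IP header length in bytes
    if ihl < 20 or len(packet) < ihl + 14:
        return None                        # truncated before the TCP flags byte
    src = ".".join(str(b) for b in packet[12:16])
    dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    return src, dport, packet[ihl + 13] & 0x3F

def classify(flags):
    """Name the probe type from its flag byte, or None for other traffic."""
    if flags == 0:
        return "null"                      # nmap -sN: no flags at all
    if flags == FIN | PSH | URG:
        return "xmas"                      # nmap -sX: FIN, PSH and URG
    return None

def detect_scans(packets, min_ports=3):
    """Report sources that sent null/Xmas probes to at least min_ports ports."""
    hits = defaultdict(set)
    for pkt in packets:
        parsed = parse_tcp(pkt)
        if parsed and classify(parsed[2]):
            hits[(parsed[0], classify(parsed[2]))].add(parsed[1])
    return {k: sorted(v) for k, v in hits.items() if len(v) >= min_ports}

# Constructed sample traffic (documentation address ranges), not a real capture.
TARGET = "198.51.100.5"
SAMPLES = ([build_packet("192.0.2.10", TARGET, p, 0) for p in (22, 80, 443)]
           + [build_packet("192.0.2.11", TARGET, p, FIN | PSH | URG) for p in (21, 25, 110)]
           + [build_packet("192.0.2.12", TARGET, 80, SYN),
              build_packet("192.0.2.12", TARGET, 80, ACK),
              build_packet("192.0.2.13", TARGET, 80, 0)])   # single probe, below threshold

if __name__ == "__main__":
    for (src, kind), ports in detect_scans(SAMPLES).items():
        print(f"{kind} scan from {src}: ports {ports}")
```

Neither flag combination occurs in normal TCP traffic, so the threshold only guards against a single malformed packet raising an alert.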


