Re: why there are some sightless ports in my machine??

From: Colonel Flagg (colonel_flagg@NOSOUPFORJ00internetwarzone.org)
Date: 04/16/03


From: colonel_flagg@NOSOUPFORJ00internetwarzone.org (Colonel Flagg)
Date: Wed, 16 Apr 2003 02:24:38 -0400

In article <b7ir1j$f8h$1@mail.cn99.com>, atu@166.com says...
> I check my machine with netstat -nap
> and only 22,25...etc, but I scan with
> another machine by nmap, there are more "filtered"
> port 5800, 5900, 445, and I have no program
> using those ports! and I check netstat -nap,
> there are no such ports at all!!
>
> I use Redhat 7.2 latest update version
> and following is the result of nmap -v -v -sS -p 1-65535
>
> Port State Service
> 22/tcp open ssh
> 25/tcp open smtp
> 80/tcp open http
> 110/tcp open pop-3
> 443/tcp open https
> 445/tcp filtered microsoft-ds
> 1080/tcp open socks
> 5800/tcp filtered vnc-http
> 5900/tcp filtered vnc
> 9999/tcp open unknown
>
> and my nmap version is 3.00.
>
> what is the problem of my Redhat or weakness of nmap??
> I checked and scanned my Redhat 8.0 machines,
> they have no such "filtered" port,
> and I am sure I have not set a firewall
> between them and no ipchains or iptables.
>
> is it possible doings of a cracker??
>
>
> Thanks!
>
>
>

There are several logical things that *could* cause this. To hypothesize a
bit, take an ISP's firewall/filter for instance, for some reason, they
could be running a filter for those ports, which a scan from an "out of
the subnet" box would reveal filtered ports.

Of course, there could be a rootkit installed, whereby netstat isn't
reporting what it should be. Try downloading a rootkit check package and
see if it shows any positive hits for a rootkit. Also, you may want to
scan another IP on the subnet, as a test to see if *something* is
filtering ports.

-- 
Colonel Flagg
http://www.internetwarzone.org/
Privacy at a click:
http://www.cotse.net 
Wanna ask a question in Usenet?
http://www.tuxedo.org/~esr/faqs/smart-questions.html
Everything about Usenet answered:
http://www.internetwarzone.org/answers.html
America WILL NOT forget 9-11-01
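
An added example, not part of the original post: one way to line up the remote nmap view against the local netstat view so the two explanations in the reply can be told apart. The nmap table is the one quoted in the question; the netstat listing, its process names and the absence of port 9999 are constructed for illustration.

```python
import re
# Constructed input: the nmap port table quoted in the post.
NMAP = """\
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop-3
443/tcp open https
445/tcp filtered microsoft-ds
1080/tcp open socks
5800/tcp filtered vnc-http
5900/tcp filtered vnc
9999/tcp open unknown
"""
# Constructed `netstat -nap` lines; the post gives only "22,25...etc", so this
# listing (and the missing 9999) is an assumption made for the example.
NETSTAT = """\
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 612/sshd
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 701/sendmail
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 745/httpd
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 688/xinetd
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 745/httpd
tcp 0 0 0.0.0.0:1080 0.0.0.0:* LISTEN 830/sockd
tcp 0 0 10.0.0.5:22 10.0.0.9:51234 ESTABLISHED 900/sshd
"""

def parse_nmap(text):
    """Map port -> state from 'PORT/tcp STATE SERVICE' lines."""
    return {int(p): s for p, s in re.findall(r"^(\d+)/tcp\s+(\S+)", text, re.M)}

def parse_listeners(text):
    """Local TCP ports that netstat reports in LISTEN state."""
    rows = (line.split() for line in text.splitlines())
    return {int(f[3].rsplit(":", 1)[1]) for f in rows
            if len(f) >= 6 and f[0].startswith("tcp") and f[5] == "LISTEN"}

def classify(states, listeners):
    """Group scanned ports by what the remote and local views jointly imply."""
    out = {"consistent": [], "unexplained_open": [], "filtered": []}
    for port, state in sorted(states.items()):
        # open but unlisted: netstat is suspect; filtered: probe dropped on the path
        key = state if state != "open" else (
            "consistent" if port in listeners else "unexplained_open")
        out.setdefault(key, []).append(port)
    return out

if __name__ == "__main__":
    print(classify(parse_nmap(NMAP), parse_listeners(NETSTAT)))
```
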

