Re: Odd nmap result qaz and netbios on Linux

From: NeoSadist (
Date: 01/12/04

Date: Mon, 12 Jan 2004 07:26:13 -0700

hazzmat wrote:

> I remotely admin a system (small lan actually) that connects to the
> internet via dhcp on a small isp's dsl service.
> After christmas I contacted the gateway for this lan and generally
> looked around to make sure everything was shipshape.
> I apply updates to it (it's debian stable) but I hadn't logged in a
> couple of weeks with the holidays and all. I had changed the ssh host
> key and SSH gave me the possible man in the middle attack warning.(the
> firewall has the same name as a previous system but it is a new,
> different install-so I expect the key to cause a warning.)
> On a impulse I scanned it. Mind you the whole lan is Linux, not a
> windows system in there at all not even to visit. But the nmap scan showed
> 137/tcp filtered netbios-ns
> 138/tcp filtered netbios-dgm
> 139/tcp filtered netbios-ssn

Hmmmm. Are you sure you don't have Samba running? I'd disable and
uninstall Samba on all machines, both the client and server, and use NFS or
something else.

> and more alarming a highport listening: 7597 which nmap told me was
> associated with something called qaz --a windows trojan.
> Now I've been unable to figure out anything amiss within the system but
> I am unable to get to it and do something forensic like run chkrootkit
> from a cd live distribution. (I ran chkrootkit but if it's on the same
> drive/running kernel image as the system being checked I don't know that
> you can trust it) Nmap run from within the suspected system doesn't show
> the same ports open (the netbios crap or the qaz thing).
> I have not been contacting the other systems behind this
> firewall/gateway because I have been afraid that if the gateway is
> compromised logging to the other systems will just give the attacker the
> correct password.
> Tonight I tested out another idea, that the netbios crap and the qaz are
> somehow showing up from the ISP or some other system between me and the
> remote system. I ran the same nmap scan (narrowed to just what i want to
> see) on a ip address part of the same ISP's dsl netblock.
> Sure enough that system has netbios ports open but filtered and qaz
> (7597) listening and filtered too.
> What gives?


> Is the ISPs gateway system insecure or cracked?

Could be ...

> Is my password to the
> firewall compromised?

Could be ...

> any enlightenment appreciated
> ~/j.

Just make sure samba is NOT installed on ANY of your machines. That and the
lisa/lin-neighborhood stuff. Also, make sure that the firewalls on the
machines are not allowing those ports in, and that inetd/xinetd have not
got any listening ports on those ranges.

Small change can often be found under seat cushions.
                -- One of Lazarus Long's most penetrating insights