Re: What does this nmap report mean



On Tue, 28 Feb 2006 17:49:06 -0600, Harry Putnam wrote:

> I've nmapped a host hitting my port 22 repeatedly and see this:
>
> PORT      STATE    SERVICE
> 22/tcp    open     ssh
> 25/tcp    open     smtp
> 80/tcp    open     http
> 110/tcp   open     pop3
> 111/tcp   open     rpcbind
> 135/tcp   filtered msrpc
> 143/tcp   open     imap
> 443/tcp   open     https
> 445/tcp   filtered microsoft-ds
> 993/tcp   open     imaps
> 995/tcp   open     pop3s
> 3306/tcp  open     mysql
> 10000/tcp open     snet-sensor-mgmt
> 31337/tcp open     Elite
>
> Is this a zombie that doesn't know it's controlled with a backdoor at
> 31337/tcp open Elite or just some sort of come-on filter or
> something?
>
> The machine is in Taiwan or at least shows a TW IP.

You are in truly dangerous territory here (on comp.os.linux.security) to
be even acknowledging that you might have done an nmap scan (thousands
do). Those who oppose will not stop without threats or more. Those who
might agree may be intimidated from posting by previous experiences here.
Some of the people who post here think that they "own" the internet.

There is no law (I am no lawyer, as far as I know or can determine)
against scanning, yours or others'. See Tom Liston's post here. If you
read later, the page may be archived in the "previous" link. Not all
posts, it seems to me, are actually archived in their original form.
Here, he mentions tee shirts with "I tipped a computer with nmap", or some
such. Read it anyway every day. It is worth the time.

http://isc.sans.org/diary.php

It is titled: A Bunch Of Bull in a China Shop

I am really not any kind of expert, but the results you posted suggest
some things. All of those lower ports being open suggests a machine
without a firewall, which is probably compromised (0wn3d). The real
offender is somewhere else, and untraceable. Whoever owns (not 0wns) this
machine is clueless and/or careless, and will not change it even if
notified. Note that the 445/tcp filtered microsoft-ds and 135/tcp
filtered msrpc ports are filtered. Unfortunately, unless you can knock
her down clean on her ass, there isn't much you can do about it. I, for
myself, would really like to know that you did knock her down clean on her
ass. And note for legal purposes that I am not advocating any illegal or
antisocial actions.

I'll talk about the threats and other crap you hear from supposedly
"ethical" people here privately, or in some less hostile public forum.

Hope you are well.
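
One way to read the port table quoted in this thread, added here as an example and not part of either poster's message: it groups the ports by the state nmap reported and lists open ports that fall outside a baseline. The EXPECTED baseline and the function names are assumptions, not anything from the posts.

```python
import re
from collections import defaultdict

# Port table copied from the post above (nmap normal output).
REPORT = """\
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
135/tcp filtered msrpc
143/tcp open imap
443/tcp open https
445/tcp filtered microsoft-ds
993/tcp open imaps
995/tcp open pop3s
3306/tcp open mysql
10000/tcp open snet-sensor-mgmt
31337/tcp open Elite
"""

# One table row: "<port>/<proto> <state> <service>"; state may be e.g. "open|filtered".
ROW = re.compile(r"^(\d{1,5})/(tcp|udp)\s+(\S+)\s+(\S+)\s*$")

def parse_ports(text):
    """Return (port, proto, state, service) tuples; header and other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m and 0 < int(m.group(1)) <= 65535:
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return rows

def by_state(rows):
    """Group port numbers by the state nmap reported."""
    groups = defaultdict(list)
    for port, _proto, state, _service in rows:
        groups[state].append(port)
    return dict(groups)

def unexpected_open(rows, expected):
    """Open ports that are not in the caller's baseline of expected listeners."""
    return [(p, s) for p, _proto, st, s in rows if st == "open" and p not in expected]

# Hypothetical baseline for a mail/web host (an assumption, not from the posts).
EXPECTED = {22, 25, 80, 110, 143, 443, 993, 995}
```

Calling by_state(parse_ports(REPORT)) separates the twelve open ports from the two filtered ones, and unexpected_open(parse_ports(REPORT), EXPECTED) leaves the listeners that the baseline does not account for.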
