Is my home computer at risk knowing that nmap says...
- From: "GM" <gaetan_martineau@xxxxxxxx>
- Date: 28 May 2006 02:13:28 -0700
Before I continue, let me tell you that my home computer is some 10,000 km
away from me at the moment. My thinking goes: is it at risk knowing
that I here see, to my great surprise, on my Linux laptop,
xxx.xxx.xxx.xxx being my IP at home:
nmap xxx.xxx.xxx.xxx | grep open | wc -l
1659
What? 1659 open ports? Sure looks to me as if the firewall went down.
This is *not-at-all* what I did expect... Ok then. I have Tripwire
running on a daily basis and mailing me the results. Everything here
seems fine (no change for the last two months). Also, as for services,
this computer is mailing me the running services, which did not change
either, as I can read:
netstat --inet -a | grep LISTEN | awk '{printf ("%s %d %d %s %s %s\n",$1,$2,$3,$4,$5,$6)}'
tcp 0 0 *:1024 *:* LISTEN
tcp 0 0 *:printer *:* LISTEN
tcp 0 0 *:netbios-ssn *:* LISTEN
tcp 0 0 *:1006 *:* LISTEN
tcp 0 0 *:sunrpc *:* LISTEN
tcp 0 0 *:http *:* LISTEN
tcp 0 0 *:ftp *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 *:https *:* LISTEN
Yes, I know this is to be taken with a BIG grain of salt if the system
has ever been compromised. And well, if the firewall is down, well then
I can maybe ssh to my system, as nmap reports to me:
22/tcp open ssh
But I can't:
ssh xxx.xxx.xxx.xxx
ssh_exchange_identification: read: Connection reset by peer
Well, perhaps my ssh is configured for access only from my internal
network. Now two tests I do. (Yeah, the first is a bit not so much
netiquette maybe. But I am a bit paranoid and want to be sure about my
home computer.)
I run:
#!/bin/bash
# One nmap run and one output file per address in the range
i=yyy
while [ "$i" -lt zzz ] ; do
    echo "$i"
    nmap xxx.xxx.xxx.$i > nmapxxx.xxx.xxx.$i
    i=$((i+1))
done
where (zzz==yyy+20), then scanning around my IP for other results from
nmap. It turns out that all these show nearly the same output (to my
surprise):
wc -l nmapxxx.xxx.xxx.y[10]*
1665 nmapxxx.xxx.xxx.y00
1665 nmapxxx.xxx.xxx.y01
1592 nmapxxx.xxx.xxx.y02
1665 nmapxxx.xxx.xxx.y03
1665 nmapxxx.xxx.xxx.y04
1665 nmapxxx.xxx.xxx.y05
1665 nmapxxx.xxx.xxx.y06
1665 nmapxxx.xxx.xxx.y07
1665 nmapxxx.xxx.xxx.y08
1634 nmapxxx.xxx.xxx.y09
1665 nmapxxx.xxx.xxx.y10
1665 nmapxxx.xxx.xxx.y11
1665 nmapxxx.xxx.xxx.y12
1665 nmapxxx.xxx.xxx.y13
1635 nmapxxx.xxx.xxx.y14
1665 nmapxxx.xxx.xxx.y15
1665 nmapxxx.xxx.xxx.y16
1665 nmapxxx.xxx.xxx.y17
1665 nmapxxx.xxx.xxx.y18
I have a hard time believing all these computers around mine ALSO have
virtually no firewall... I can recognize my IAP name through reverse
DNS on each of the above IPs. So what? Could it be that my IAP
provider can "intercept" a scan and "report" spoofed results? I doubt it.
My IP here is aaa.bbb.ccc.ddd. Running
nmap aaa.bbb.ccc.ddd
also gives tons of output (like 1600 lines showing "open"). But, then,
I log on to http://www.grc.com and ask for a scan of my ports on
aaa.bbb.ccc.ddd here. It says all ports except #2 (closed) are stealth.
So what? There is something from nmap that I don't understand.
Is my home computer at risk knowing that "nmap" on it reports 1659 open
ports ???
Any answer or comments on the above are most welcome. Thanks.
Gaetan
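The comparison the post makes by eye, local listeners from netstat against the ports nmap reports open from outside, written as an added shell example that is not part of the original post. The function name, the name-to-port map (well-known assignments for the service names in the listing above) and the sample data in demo are constructed for illustration.

```shell
#!/bin/sh
# Added example: list TCP ports that an external nmap scan reports "open"
# but for which the host's own netstat listing shows no listener.
# Usage: unexplained_open NMAP_OUTPUT NETSTAT_OUTPUT

unexplained_open() {
    awk '
    BEGIN {
        # Well-known ports for the service names netstat printed in the post.
        n = split("ftp 21 ssh 22 http 80 sunrpc 111 netbios-ssn 139 https 443 printer 515", m, " ")
        for (i = 1; i < n; i += 2) svc[m[i]] = m[i + 1]
    }
    # Phase 1 (netstat file): lines such as "tcp 0 0 *:ssh *:* LISTEN"
    phase != 2 {
        if ($1 == "tcp" && $NF == "LISTEN") {
            k = split($4, a, ":")      # port is the last ":" field
            p = a[k]
            if (p in svc) p = svc[p]   # translate a service name to a number
            listen[p] = 1
        }
        next
    }
    # Phase 2 (nmap file): lines such as "22/tcp open ssh"
    $1 ~ /^[0-9]+\/tcp$/ && $2 == "open" {
        split($1, b, "/")
        if (!(b[1] in listen)) print b[1]
    }
    ' "$2" phase=2 "$1"
}

# Constructed sample data (not taken from the post).
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/netstat.txt" <<'EOF'
tcp 0 0 *:1024 *:* LISTEN
tcp 0 0 *:http *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
EOF
    cat > "$d/nmap.txt" <<'EOF'
PORT     STATE  SERVICE
22/tcp   open   ssh
23/tcp   open   telnet
80/tcp   open   http
1024/tcp open   kdm
6000/tcp closed X11
EOF
    unexplained_open "$d/nmap.txt" "$d/netstat.txt"
    rm -rf "$d"
}
```

Run against a saved scan and the mailed netstat listing, every port it prints is one the scan calls open although the host itself is not listening on it.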