Re: About Trinoo_Master on 27665 tcp

From: griffkc@gmail.com
Date: Wed Oct 18 2006 - 21:19:35 EDT


To really be sure try netcat'ing or telnet'ing to those ports while running a pcap.

-----Original Message-----
From: "Paul Melson" <pmelson@gmail.com>
Date: Wed, 18 Oct 2006 16:40:54
To:"'Faheem SIDDIQUI'" <fahimdxb@gmail.com>,<pen-test@securityfocus.com>
Subject: RE: About Trinoo_Master on 27665 tcp

-----Original Message-----
Subject: About Trinoo_Master on 27665 tcp

> On my Cisco Router, I do a nmap from outside on the Internet. The result
> is:
>
> " Interesting ports on *.*.50.1:
> Not shown: 1676 closed ports
> PORT STATE SERVICE
> 23/tcp filtered telnet
> 135/tcp filtered msrpc
> 1524/tcp filtered ingreslock
> 27665/tcp filtered Trinoo_Master
>
> I am worried about the last two entries. The last nmap was done in Feb
> this year and I have confirmed that the two ports did not exist.
> Though the state "filtered" is a solace but I am still concerned. How can
> I be sure that the system has not been compromised?

http://insecure.org/nmap/man/man-port-scanning-techniques.html

Don't be. The difference between "filtered" and "closed" is that for the
closed ports Nmap received a TCP RST packet for that port and for the
filtered ports it received no response (like a firewall drop) or an ICMP
unreachable packet.

I would say it's 99.9% likely that somewhere between your Nmap host and your
router a firewall or router is knocking down all traffic to those ports.

PaulM
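
The two suggestions in this thread (probe the ports while running a pcap, and read RST as "closed" versus silence or ICMP unreachable as "filtered") can be combined in a short script. This is an added example, not part of the original messages; the capture lines are constructed in tcpdump's text style, the addresses are documentation ranges, and the function name is hypothetical.

```python
import re

# Constructed capture (tcpdump-style text) of one SYN probe per port.
# Addresses are documentation ranges, not values from the thread.
SAMPLE_PCAP_TEXT = """\
IP 192.0.2.10.40001 > 198.51.100.1.80: Flags [S], seq 100, win 1024, length 0
IP 198.51.100.1.80 > 192.0.2.10.40001: Flags [R.], seq 0, ack 101, win 0, length 0
IP 192.0.2.10.40002 > 198.51.100.1.22: Flags [S], seq 200, win 1024, length 0
IP 198.51.100.1.22 > 192.0.2.10.40002: Flags [S.], seq 900, ack 201, win 4128, length 0
IP 192.0.2.10.40003 > 198.51.100.1.1524: Flags [S], seq 300, win 1024, length 0
IP 198.51.100.254 > 192.0.2.10: ICMP 198.51.100.1 tcp port 1524 unreachable, length 36
IP 192.0.2.10.40004 > 198.51.100.1.27665: Flags [S], seq 400, win 1024, length 0
"""

TCP_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")
ICMP_RE = re.compile(r"IP \S+ > (\S+): ICMP (\S+) tcp port (\d+) unreachable")


def classify_ports(pcap_text, scanner, target):
    """Return {port: state} for every port the scanner sent a SYN to."""
    states = {}
    for line in pcap_text.splitlines():
        icmp = ICMP_RE.search(line)
        if icmp:
            dst, about, port = icmp.groups()
            if dst == scanner and about == target and int(port) in states:
                states[int(port)] = "filtered"  # ICMP unreachable came back
            continue
        tcp = TCP_RE.search(line)
        if not tcp:
            continue
        src, sport, dst, dport, flags = tcp.groups()
        if src == scanner and dst == target and flags == "S":
            # Probe seen; stays "filtered" unless a TCP reply shows up later.
            states.setdefault(int(dport), "filtered")
        elif src == target and dst == scanner and int(sport) in states:
            if "R" in flags:
                states[int(sport)] = "closed"   # target answered with RST
            elif flags == "S.":
                states[int(sport)] = "open"     # target answered with SYN/ACK
    return states


if __name__ == "__main__":
    result = classify_ports(SAMPLE_PCAP_TEXT, "192.0.2.10", "198.51.100.1")
    for port, state in sorted(result.items()):
        print(f"{port}/tcp {state}")
```

In the constructed capture the ICMP reply comes from a different address than the probed host, which is the pattern to look for when a device in the path is doing the filtering.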


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:13 EDT