Re: Very strange nmap scan results

From: Hans-J. Ullrich (hans.ullrich@loop.de)
Date: Sat Sep 22 2007 - 10:11:54 EDT


On Friday 21 September 2007, Juan B wrote:
> > Hi all,
> >
> > For a client I'm scanning his DMZ from the internet.
> >
> > I know the servers are behind a PIX 515 without any
> > added security features (they don't have any IPS or
> > they didn't enable the IPS feature of the PIX). They also
> > don't have any honeypot etc.
> >
> > The strange thing is that two I receive too many open
> > ports!
> > For example, I scan the mail relay and although just
> > port 25 is open it reports lots more open ports!
> > This is the nmap scan I issued:
> >
> > nmap -sT -vv -P0 -O -p1-1024 200.61.44.48/28 -oA cpsa.txt
> >
> > ( I changed the ip's here...)
> >
> > and the result for the mail relay for example are:
> >
> >
> > Interesting ports on mail.cpsa.com (200.61.44.50):
> > PORT STATE SERVICE
> > 1/tcp open tcpmux
> > 2/tcp open compressnet
> > 3/tcp open compressnet
> > 4/tcp open unknown
> > 5/tcp open rje
> > 6/tcp open unknown
> > 7/tcp open echo
> > 8/tcp filtered unknown
> > 9/tcp open discard
> > 10/tcp open unknown
> > 11/tcp open systat
> > 12/tcp open unknown
> > 13/tcp open daytime
> > 14/tcp open unknown
> > 15/tcp open netstat
> > 16/tcp open unknown
> > 17/tcp open qotd
> > 18/tcp filtered msp
> > 19/tcp open chargen
> > 20/tcp open ftp-data
> > 21/tcp open ftp
> > 22/tcp open ssh
> > 23/tcp open telnet
> > 24/tcp open priv-mail
> > 25/tcp open smtp
> > 26/tcp open unknown
> > 27/tcp open nsw-fe
> > 28/tcp open unknown
> > 29/tcp open msg-icp
> > 30/tcp open unknown
> > 31/tcp open msg-auth
> > 32/tcp open unknown
> > 33/tcp open dsp
> > 34/tcp open unknown
> >
> > this continues up to port 1024..
> >
> > any ideas how to eliminate so many false positives?
> >
> > thanks a lot,
> >
> > Juan
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------

Hi Juan !

Yes, this happens when there is a "firewall" running. I have portsentry
running, and when I do a portscan, it seems all ports are available.
Indeed, they are not! And if someone is scanning me, portsentry has already
detected it and is executing the preconfigured task (i.e. logging,
disconnecting, putting the IP into /etc/hosts.deny or whatever I told it).

Best regards

Hans
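
A sanity check for the situation discussed in this thread, as an added example that is not part of either poster's message: it parses nmap normal output and flags hosts where nearly every scanned port reports "open", so those results are verified before being reported. The threshold values, function names and the example.test hosts are assumptions made for illustration, and the parser also accepts the newer "Nmap scan report for" header, which goes beyond the output format quoted above.

```python
import re
from collections import defaultdict

HOST_RE = re.compile(r"^(?:Interesting ports on|Nmap scan report for) (.+?):?\s*$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)")


def parse_ports(text):
    """Return {host: {port: state}} from nmap normal (-oN) output."""
    hosts, current = defaultdict(dict), None
    for line in text.splitlines():
        line = line.strip()
        if m := HOST_RE.match(line):
            current = m.group(1)
        elif current and (m := PORT_RE.match(line)):
            hosts[current][int(m.group(1))] = m.group(3)
    return dict(hosts)


def suspect_hosts(hosts, min_ports=20, open_ratio=0.9):
    """Return {host: (open, scanned)} where nearly every port is 'open'.

    Assumption (a heuristic, not an nmap feature): a real server exposes
    only a handful of services, so a host that is open on >= open_ratio
    of >= min_ports scanned ports is probably being answered for by a
    device or tool in the path, and its port list is not trustworthy.
    """
    flagged = {}
    for host, ports in hosts.items():
        n_open = sum(1 for state in ports.values() if state == "open")
        if len(ports) >= min_ports and n_open / len(ports) >= open_ratio:
            flagged[host] = (n_open, len(ports))
    return flagged


def _constructed(name, states):
    head = [f"Interesting ports on {name}:", "PORT STATE SERVICE"]
    return "\n".join(head + [f"{p}/tcp {s} unknown" for p, s in states])


# Constructed sample: one host shaped like the result quoted in the thread
# (everything open except ports 8 and 18), one with only port 25 open.
SAMPLE = "\n".join([
    _constructed("relay.example.test (192.0.2.50)",
                 [(p, "filtered" if p in (8, 18) else "open") for p in range(1, 35)]),
    _constructed("mx2.example.test (192.0.2.51)",
                 [(p, "open" if p == 25 else "closed") for p in range(1, 35)]),
])

if __name__ == "__main__":
    for host, (n_open, total) in suspect_hosts(parse_ports(SAMPLE)).items():
        print(f"{host}: {n_open}/{total} open, verify before reporting")
```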




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:08 EDT