Re: Very strange nmap scan results

From: Adrian Sanabria (adrian.sanabria@gmail.com)
Date: Mon Sep 24 2007 - 17:20:26 EDT


Perhaps a different kind of scan will filter those out? I've seen this
happen long, long ago, but never tested different types of scans (for
example, since you tried a connect scan, try a SYN scan, etc...).

--Adrian

On 9/22/07, Hans-J. Ullrich <hans.ullrich@loop.de> wrote:
> On Friday 21 September 2007, Juan B wrote:
> > > Hi all,
> > >
> > > For a client, I'm scanning his DMZ from the internet.
> > >
> > > I know the servers are behind a PIX 515 without any
> > > added security features (they don't have any IPS or
> > > they didn't enable the IPS feature of the PIX). They also
> > > don't have any honeypot etc.
> > >
> > > The strange thing is that I receive too many open
> > > ports!
> > > For example, I scan the mail relay and although just
> > > port 25 is open it reports lots more open ports!
> > > This is the nmap scan I issued:
> > >
> > > nmap -sT -vv -P0 -O -p1-1024 200.61.44.48/28 -oA cpsa.txt
> > >
> > > (I changed the IPs here...)
> > >
> > > and the results for the mail relay, for example, are:
> > >
> > >
> > > Interesting ports on mail.cpsa.com (200.61.44.50):
> > > PORT STATE SERVICE
> > > 1/tcp open tcpmux
> > > 2/tcp open compressnet
> > > 3/tcp open compressnet
> > > 4/tcp open unknown
> > > 5/tcp open rje
> > > 6/tcp open unknown
> > > 7/tcp open echo
> > > 8/tcp filtered unknown
> > > 9/tcp open discard
> > > 10/tcp open unknown
> > > 11/tcp open systat
> > > 12/tcp open unknown
> > > 13/tcp open daytime
> > > 14/tcp open unknown
> > > 15/tcp open netstat
> > > 16/tcp open unknown
> > > 17/tcp open qotd
> > > 18/tcp filtered msp
> > > 19/tcp open chargen
> > > 20/tcp open ftp-data
> > > 21/tcp open ftp
> > > 22/tcp open ssh
> > > 23/tcp open telnet
> > > 24/tcp open priv-mail
> > > 25/tcp open smtp
> > > 26/tcp open unknown
> > > 27/tcp open nsw-fe
> > > 28/tcp open unknown
> > > 29/tcp open msg-icp
> > > 30/tcp open unknown
> > > 31/tcp open msg-auth
> > > 32/tcp open unknown
> > > 33/tcp open dsp
> > > 34/tcp open unknown
> > >
> > > this continues up to port 1024..
> > >
> > > any ideas how to eliminate so many false positives?
> > >
> > > thanks a lot,
> > >
> > > Juan
> >
> > ------------------------------------------------------------------------
> > This list is sponsored by: Cenzic
> >
> > Need to secure your web apps NOW?
> > Cenzic finds more, "real" vulnerabilities fast.
> > Click to try it, buy it or download a solution FREE today!
> >
> > http://www.cenzic.com/downloads
> > ------------------------------------------------------------------------
>
> Hi Juan !
>
> Yes, this happens when there is a "firewall" running. I have portsentry
> running, and when I do a portscan, it seems all ports are available.
> Indeed, they are not! And if someone is scanning me, portsentry has already
> detected it and is executing the preconfigured task (i.e. logging,
> disconnecting, putting the IP into /etc/hosts.deny or whatever I told it).
>
> Best regards
>
> Hans
>
>
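
An added example, not part of the original thread: a small Python check that parses nmap's normal-output port table and flags hosts where nearly every scanned port is reported open, the pattern described above, so those results get re-verified before they go into a report. The sample listing, host names, addresses and thresholds are constructed assumptions.

```python
import re

# Constructed sample in the same layout as the listing quoted in the thread.
# Host names and addresses are placeholders, not values from the thread.
SAMPLE = """\
Interesting ports on mail.example.test (192.0.2.50):
PORT STATE SERVICE
1/tcp open tcpmux
2/tcp open compressnet
3/tcp open compressnet
4/tcp open unknown
5/tcp open rje
6/tcp open unknown
7/tcp open echo
8/tcp filtered unknown
25/tcp open smtp

Interesting ports on www.example.test (192.0.2.51):
PORT STATE SERVICE
25/tcp closed smtp
80/tcp open http
443/tcp open https
"""

HOST_RE = re.compile(r"^Interesting ports on (.+?):\s*$")
PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+(\S+)")

def parse_hosts(text):
    """Return {host: {port: state}} from nmap normal output."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line.strip())
        if m:
            current = hosts.setdefault(m.group(1), {})
            continue
        m = PORT_RE.match(line.strip())
        if m and current is not None:
            current[int(m.group(1))] = m.group(2)
    return hosts

def suspicious_hosts(hosts, min_ports=8, max_open_ratio=0.8):
    """Hosts where almost every scanned port is 'open' (assumed thresholds)."""
    flagged = {}
    for host, ports in hosts.items():
        opened = list(ports.values()).count("open")
        if len(ports) >= min_ports and opened / len(ports) > max_open_ratio:
            flagged[host] = (opened, len(ports))  # (open count, ports scanned)
    return flagged

print(suspicious_hosts(parse_hosts(SAMPLE)))
```

A flagged host is a cue to re-check a few ports by hand or with a different scan type, as suggested in the reply, not proof that the listed services exist.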




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:08 EDT