From: Andres Riancho (andres.riancho@gmail.com)
Date: Sun Sep 11 2005 - 17:42:25 EDT
Mike,
This could be a transparent proxy server that your ISP installed.
A way to test if you are proxyed is:
gauss:~# tcptraceroute www.google.com 80
Selected device eth1, address 24.232.100.167, port 3539 for outgoing packets
Tracing the path to www.google.com (64.233.161.99) on TCP port 80 (www),
30 hops max
1 * 10.17.1.1 7.865 ms *
2 10.101.1.25 10.882 ms 13.205 ms 7.474 ms
3 publica1.fibertel.com.ar (24.232.1.1) 7.483 ms 5.732 ms 8.831 ms
4 64.233.161.99 [open] 7.639 ms 32.874 ms 13.350 ms
Only 4 hops for port 80. Strange ...
Lets see what happends for real...
gauss:~#traceroute 64.233.161.99
traceroute to 64.233.161.99 (64.233.161.99), 30 hops max, 38 byte packets
1 * * *
2 10.101.1.25 (10.101.1.25) 10.071 ms 8.694 ms 28.814 ms
3 publica1.fibertel.com.ar (24.232.1.1) 7.851 ms 26.046 ms 11.893 ms
4 10.101.21.85 (10.101.21.85) 11.420 ms 21.271 ms 8.380 ms
5 bai1-cablevision-1-ar.bai.seabone.net (195.22.220.45) 7.919 ms
9.622 ms 20.910 ms
6 ash1-new1-racc1.new.seabone.net (195.22.216.169) 188.225 ms
198.841 ms 183.207 ms
7 eqixva-google-gige.google.com (206.223.115.21) 184.185 ms 183.390
ms 201.727 ms
8 216.239.47.120 (216.239.47.120) 186.700 ms 183.013 ms
216.239.49.248 (216.239.49.248) 183.718 ms
9 216.239.48.190 (216.239.48.190) 186.032 ms 184.994 ms
216.239.48.198 (216.239.48.198) 183.713 ms
10 64.233.161.99 (64.233.161.99) 183.273 ms 184.863 ms 186.683 ms
Well, this makes more sense to me :) . You could do the same test but
changing port 80 to 21.
Mike Jones wrote:
> Has anyone ever seen this before, nmap is showing port 21 to be open
> on a machine on the internet, but 21 is not listening on that
> machine. It happens to all machines I scan outside the local area
> network.
>
> Thanks in advance
>
-- Andrés Riancho http://www.securearg.net/ Secure from the Source ------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:52 EDT