Re: nmap showing port 21 (ftp) open, but port is actually closed

From: Andres Riancho (andres.riancho@gmail.com)
Date: Sun Sep 11 2005 - 17:42:25 EDT


Mike,

    This could be a transparent proxy server that your ISP installed.

    A way to test if you are proxied is:

gauss:~# tcptraceroute www.google.com 80
Selected device eth1, address 24.232.100.167, port 3539 for outgoing packets
Tracing the path to www.google.com (64.233.161.99) on TCP port 80 (www), 30 hops max
 1 * 10.17.1.1 7.865 ms *
 2 10.101.1.25 10.882 ms 13.205 ms 7.474 ms
 3 publica1.fibertel.com.ar (24.232.1.1) 7.483 ms 5.732 ms 8.831 ms
 4 64.233.161.99 [open] 7.639 ms 32.874 ms 13.350 ms

Only 4 hops for port 80. Strange ...
Let's see what happens for real...

gauss:~# traceroute 64.233.161.99
traceroute to 64.233.161.99 (64.233.161.99), 30 hops max, 38 byte packets
 1 * * *
 2 10.101.1.25 (10.101.1.25) 10.071 ms 8.694 ms 28.814 ms
 3 publica1.fibertel.com.ar (24.232.1.1) 7.851 ms 26.046 ms 11.893 ms
 4 10.101.21.85 (10.101.21.85) 11.420 ms 21.271 ms 8.380 ms
 5 bai1-cablevision-1-ar.bai.seabone.net (195.22.220.45) 7.919 ms 9.622 ms 20.910 ms
 6 ash1-new1-racc1.new.seabone.net (195.22.216.169) 188.225 ms 198.841 ms 183.207 ms
 7 eqixva-google-gige.google.com (206.223.115.21) 184.185 ms 183.390 ms 201.727 ms
 8 216.239.47.120 (216.239.47.120) 186.700 ms 183.013 ms 216.239.49.248 (216.239.49.248) 183.718 ms
 9 216.239.48.190 (216.239.48.190) 186.032 ms 184.994 ms 216.239.48.198 (216.239.48.198) 183.713 ms
10 64.233.161.99 (64.233.161.99) 183.273 ms 184.863 ms 186.683 ms

Well, this makes more sense to me :) . You could do the same test but
changing port 80 to 21.

Mike Jones wrote:

> Has anyone ever seen this before, nmap is showing port 21 to be open
> on a machine on the internet, but 21 is not listening on that
> machine. It happens to all machines I scan outside the local area
> network.
>
> Thanks in advance
>

-- 
Andrés Riancho
http://www.securearg.net/
 Secure from the Source
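
Added example, not part of the original message: a small parser that automates the comparison made above, flagging a port as likely intercepted when the TCP trace ends in fewer hops and with a much lower round-trip time than the plain traceroute to the same address. The function names and the 0.5 RTT ratio are assumptions chosen for illustration; the sample data is the hop output from the message.

```python
import re

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")        # "<hop number> <rest of line>"
RTT_RE = re.compile(r"(\d+(?:\.\d+)?)\s*ms")      # every "<n> ms" on the line

def last_hop(output):
    """Return (hop_number, min_rtt_ms) of the last hop that answered, or None."""
    result = None
    for line in output.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                              # prompt, banner or wrapped line
        rtts = [float(x) for x in RTT_RE.findall(m.group(2))]
        if rtts:                                  # skip hops that only show "* * *"
            result = (int(m.group(1)), min(rtts))
    return result

def looks_intercepted(tcp_out, plain_out, rtt_ratio=0.5):
    """True when the TCP path is shorter AND much faster than the plain path."""
    tcp, plain = last_hop(tcp_out), last_hop(plain_out)
    if tcp is None or plain is None:
        return False                              # not enough data to decide
    # rtt_ratio is an assumed threshold: the TCP answer must arrive in less
    # than half the time the real destination needs.
    return tcp[0] < plain[0] and tcp[1] < plain[1] * rtt_ratio

# Hop lines taken from the message above.
TCP_80 = """\
 1 * 10.17.1.1 7.865 ms *
 2 10.101.1.25 10.882 ms 13.205 ms 7.474 ms
 3 publica1.fibertel.com.ar (24.232.1.1) 7.483 ms 5.732 ms 8.831 ms
 4 64.233.161.99 [open] 7.639 ms 32.874 ms 13.350 ms
"""
PLAIN = """\
 1 * * *
 2 10.101.1.25 (10.101.1.25) 10.071 ms 8.694 ms 28.814 ms
 3 publica1.fibertel.com.ar (24.232.1.1) 7.851 ms 26.046 ms 11.893 ms
 4 10.101.21.85 (10.101.21.85) 11.420 ms 21.271 ms 8.380 ms
 5 bai1-cablevision-1-ar.bai.seabone.net (195.22.220.45) 7.919 ms 9.622 ms 20.910 ms
 6 ash1-new1-racc1.new.seabone.net (195.22.216.169) 188.225 ms 198.841 ms 183.207 ms
 7 eqixva-google-gige.google.com (206.223.115.21) 184.185 ms 183.390 ms 201.727 ms
 8 216.239.47.120 (216.239.47.120) 186.700 ms 183.013 ms 216.239.49.248 (216.239.49.248) 183.718 ms
 9 216.239.48.190 (216.239.48.190) 186.032 ms 184.994 ms 216.239.48.198 (216.239.48.198) 183.713 ms
10 64.233.161.99 (64.233.161.99) 183.273 ms 184.863 ms 186.683 ms
"""

if __name__ == "__main__":
    print("port 80 intercepted:", looks_intercepted(TCP_80, PLAIN))
```

To check port 21 the same way, feed it the output of a tcptraceroute run against port 21 in place of `TCP_80`.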