[Dshield] Obscure Question Part2

John Sage jsage at finchhaven.com
Tue Mar 16 03:04:23 GMT 2004


Paul:

Couple questions.

On Mon, Mar 15, 2004 at 09:12:28PM -0500, Paul Marsh wrote:
> Date: Mon, 15 Mar 2004 21:12:28 -0500
> From: "Paul Marsh" <pmarsh at nmefdn.org>
> To: <list at dshield.org>
> Subject: [Dshield] Obscure Question Part2
> 
> Below is the Nmap and Fport output of the same machine.  Nmap shows
> the ports open and Fport shows nothing listening on the ports.  After
> digging around I scanned a few other Adelphia cable modems and found
> the same ports open.  These must be the ports they use to manage the
> modems?

What brand of cable modem? Is it Adelphia's house brand?

To look at the nmap scan, it's weird that it's saying it "didn't find
at least one open and one closed TCP port" and then it finds 21, 389,
1002, and 1720 open, and at the same time it says "..1597 ports
scanned but not shown below are in state: filtered.." and it took 785
seconds to do all this.

Something seems to be confusing nmap considerably. What was the
command line? What OS platform was it run from?

And then, nmap doesn't see *any* of the various services/processes
that Fport shows, at least some of which might be visible from
outside.

And *other* Adelphia customers have the same ports "open"?

I'm wondering if you're spot-on by saying that nmap is seeing
*something* open on the cable modem itself, but I'm wondering if the
box behind it is filtered out completely...

Kinda a combo cable modem/firewall?

Weird...

> Thanx, Paul 
>  
>  
> Starting nmap V. 3.00 ( www.insecure.org/nmap )
> 
> Warning: OS detection will be MUCH less reliable because we did not
> find at least 1 open and 1 closed TCP port
> 
> Insufficient responses for TCP sequencing (0), OS detection may be
> less accurate
> Insufficient responses for TCP sequencing (0), OS detection may be
> less accurate
> Insufficient responses for TCP sequencing (0), OS detection may be
> less accurate
> Interesting ports on .adelphia.net (xxx.xxx.xxx.xxx):
> (The 1597 ports scanned but not shown below are in state: filtered)
>   Port      State       Service
>   21/tcp    open        ftp                    
>  389/tcp    open        ldap                   
> 1002/tcp    open        unknown                
> 1720/tcp    open        H.323/Q.931            
> 
> Too many fingerprints match this host for me to give an accurate OS
> guess Nmap run completed -- 1 IP address (1 host up) scanned in 785
> seconds
>  
> SORRY ABOUT THE WORD WRAP :(
>  
> Pid Process Port Proto Path
>  416 svchost -> 135 TCP C:\WINNT\system32\svchost.exe
>    8 System  -> 139 TCP
>    8 System  -> 445 TCP
>  752 MSTask  -> 1025 TCP C:\WINNT\system32\MSTask.exe
>    8 System  -> 1026 TCP
> 1124 ccApp -> 1028 TCP C:\Program Files\Common
> Files\SymantecShared\ccApp.exe
> 828 iexplore -> 1143 TCP C:\Program Files\Internet 
> Explorer\iexplore.exe
> 828 iexplore -> 1144 TCP C:\Program Files\Internet 
> Explorer\iexplore.exe
> 828 iexplore -> 1147 TCP C:\Program Files\Internet 
> Explorer\iexplore.exe
> 828 iexplore -> 1153 TCP C:\Program Files\Internet 
> Explorer\iexplore.exe
> 
> 8 System -> 137 UDP
> 8 System -> 138 UDP
> 8 System -> 445 UDP
> 220 lsass -> 500 UDP C:\WINNT\system32\lsass.exe
> 828 iexplore -> 1031 UDP C:\Program Files\Internet 
> Explorer\iexplore.exe



- John
-- 
"Mad cow? You'd be mad too, if someone was trying to eat you."
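
Added example, not part of the original message or either poster's own code: a small Python comparison of the remote view (Nmap) against the local view (Fport) quoted above, to list which ports are reported open from outside but are not bound by any process on the host. The sample input is constructed from the shape of the two listings in this thread; the function names are hypothetical.

```python
import re

# Constructed sample input, shaped like the two listings quoted in this thread.
NMAP_OUTPUT = """\
(The 1597 ports scanned but not shown below are in state: filtered)
  Port      State       Service
  21/tcp    open        ftp
 389/tcp    open        ldap
1002/tcp    open        unknown
1720/tcp    open        H.323/Q.931
"""

FPORT_OUTPUT = """\
Pid Process Port Proto Path
 416 svchost -> 135 TCP C:\\WINNT\\system32\\svchost.exe
   8 System  -> 139 TCP
   8 System  -> 445 TCP
 752 MSTask  -> 1025 TCP C:\\WINNT\\system32\\MSTask.exe
 828 iexplore -> 1143 TCP C:\\Program Files\\Internet
Explorer\\iexplore.exe
   8 System -> 137 UDP
 220 lsass -> 500 UDP C:\\WINNT\\system32\\lsass.exe
"""

NMAP_ROW = re.compile(r"^\s*(\d+)/(tcp|udp)\s+open\b", re.I)
FPORT_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\b", re.I)

def nmap_open_ports(text):
    """Return {(port, proto)} for every row Nmap reports as open."""
    return {(int(m.group(1)), m.group(2).lower())
            for m in map(NMAP_ROW.match, text.splitlines()) if m}

def fport_sockets(text):
    """Return {(port, proto): process}; word-wrapped path lines do not match and are skipped."""
    return {(int(m.group(3)), m.group(4).lower()): m.group(2)
            for m in map(FPORT_ROW.match, text.splitlines()) if m}

def compare(nmap_text, fport_text):
    """Split the two views into ports seen only remotely, only locally, or in both."""
    remote = nmap_open_ports(nmap_text)
    local = set(fport_sockets(fport_text))
    return {
        "remote_only": sorted(remote - local),  # no local socket: answered elsewhere in the path
        "local_only": sorted(local - remote),   # bound on the host, not reported open by the scan
        "both": sorted(remote & local),
    }

if __name__ == "__main__":
    for label, ports in compare(NMAP_OUTPUT, FPORT_OUTPUT).items():
        print(label, ports)
```

An empty "both" set with a non-empty "remote_only" set is the pattern discussed in this thread: the scan and the host's socket table do not describe the same endpoint.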



