[Dshield] Possible problem?
Roger A. Grimes
roger at banneretcs.com
Wed Mar 9 13:27:04 GMT 2005
They could be running a product that has MSDE embedded. Something like
200 consumer products have the client-version of SQL installed by
default. Telnet to the port and see what return information you get.
But don't rule out a false-positive. I recently invited an entire mail
list to port scan my network. I had 1000s of different IP addresses
scan me, and over a hundred people sent me their results. Less than a
dozen were accurate. Most had tons of false-positives. I've yet to find
the port scanning tool that was 100% accurate, especially when scanning
cross-platform (i.e. scanner is running on one platform and target is
running on another). Also, if the target is running a firewall, they
often set up "fake" ports to capture packets to do "deep packet
inspection"...so that can lead to a pseudo false-positive.

From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org] On Behalf Of Paul Marsh
Sent: Monday, March 07, 2005 3:18 PM
To: list at lists.dshield.org
Subject: [Dshield] Possible problem?
I did an nmap scan on one of my users' home systems. It's a typical
broadband connection; the default TCP scan revealed ports 21, 25 and 80 open.
In the past I've found that these ports belong to the broadband modem.
I then did a -sU default UDP scan and found the following:
PORT STATE SERVICE
135/udp filtered msrpc
136/udp filtered profile
138/udp filtered netbios-dgm
1434/udp filtered ms-sql-m
135-138: typical MS stuff, no?
1434: I know the user is not running SQL monitor. Is it likely the
system has SQL Slammer/Sapphire running on it?
The system is XP home SP2
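
Added example, not part of either message above: a small triage of the nmap port table from the scan, sorting each row by how much evidence its STATE column gives that a service is actually listening. The evidence labels and function names are assumptions of this example; the state meanings follow nmap's documented port states, and the one-line sample in the usage note is constructed.

```python
import re

# How much each nmap port state says about a listening service.
EVIDENCE = {
    "open": "confirmed",           # the port answered the probe
    "open|filtered": "ambiguous",  # no reply at all (common for UDP)
    "unfiltered": "ambiguous",     # reachable, open/closed not determined
    "filtered": "none",            # a filter blocked the probe
    "closed|filtered": "none",
    "closed": "none",              # host replied that nothing listens
}

# One row of nmap's normal output: "1434/udp filtered ms-sql-m"
ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)$")

def parse_port_table(text):
    """Parse PORT/STATE/SERVICE rows; header and unrelated lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        port, proto, state, service = m.groups()
        rows.append({
            "port": int(port), "proto": proto, "state": state,
            "service": service,
            # States this table does not know are kept for manual review.
            "evidence": EVIDENCE.get(state, "unknown"),
        })
    return rows

def needs_followup(rows):
    """Rows worth checking on the host itself (service list, netstat)."""
    return [r for r in rows if r["evidence"] != "none"]

# The UDP scan output quoted in the message above.
SCAN = """\
PORT STATE SERVICE
135/udp filtered msrpc
136/udp filtered profile
138/udp filtered netbios-dgm
1434/udp filtered ms-sql-m
"""

if __name__ == "__main__":
    for r in parse_port_table(SCAN):
        print(r["port"], r["proto"], r["state"], "->", r["evidence"])
```

Run on the quoted scan, all four rows come back with evidence "none"; a constructed row such as `1434/udp open|filtered ms-sql-m` would be marked "ambiguous" and returned by `needs_followup`.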