[Dshield] Possible problem?

Maxime Ducharme mducharme at cybergeneration.com
Wed Mar 9 15:03:48 GMT 2005


Another point :

It is possible that the ISP filters these, which
would explain some filtered ports that in fact aren't
filtered on the host.

If you did a "-sU" scan with nmap and you see "closed"
ports, that means that the host replied with "ICMP port unreachable".

"filtered" means there was no response at all; usually
it is another device which would drop these (like an ISP's
router).

Filtering these ports is a good idea since they are used
by worms or viruses 95% of the time.

For example, my ISP filters TCP 25, 135, 139, 445 and some
high ports used by known trojans.

Someone who scans me from the same network sees one result,
but someone who scans me from another ISP sees another
result.

HTH

Maxime Ducharme
Programmer / Network Security Specialist

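As an added example (not part of Maxime's message or any poster's code), the following Python script applies nmap's documented UDP port-state rules to constructed probe outcomes and compares `nmap -sU` tables for the same host taken from two vantage points, so that ports reported "closed" from inside the ISP but "filtered" from outside stand out as upstream filtering. The two scan tables are constructed sample output, not results from the thread.

```python
import re

# Map one UDP probe outcome to the state nmap reports for it (nmap's documented
# rules for -sU). `response` is None for silence after retransmissions,
# ("udp",) for a UDP payload reply, or ("icmp", type, code) for an ICMP error.
def udp_state(response):
    if response is None:
        return "open|filtered"   # no reply: open service, or a device dropped the probe
    if response[0] == "udp":
        return "open"            # the service answered
    _, icmp_type, code = response
    if icmp_type == 3 and code == 3:
        return "closed"          # the host itself sent ICMP port unreachable
    if icmp_type == 3 and code in (0, 1, 2, 9, 10, 13):
        return "filtered"        # another unreachable code, typically an in-path filter
    return "unknown"

# One nmap -sU table row, e.g. "1434/udp filtered ms-sql-m"
ROW = re.compile(r"^(\d+)/udp\s+(\S+)\s+(\S+)")

def parse_nmap_udp(text):
    """Parse the PORT/STATE/SERVICE table of `nmap -sU` output into {port: state}."""
    rows = (ROW.match(line.strip()) for line in text.splitlines())
    return {int(m.group(1)): m.group(2) for m in rows if m}

def vantage_point_diff(inside, outside):
    """Ports whose state differs between scans taken from two network positions."""
    # 'closed' inside but 'filtered' outside: the ISP, not the host, drops the probe.
    return {port: (inside[port], outside[port])
            for port in sorted(set(inside) & set(outside))
            if inside[port] != outside[port]}

# Constructed sample output (not from the thread) for one host scanned twice.
SCAN_FROM_SAME_ISP = """\
PORT     STATE         SERVICE
135/udp  closed        msrpc
1434/udp closed        ms-sql-m
5353/udp open|filtered zeroconf
"""
SCAN_FROM_OTHER_ISP = """\
PORT     STATE         SERVICE
135/udp  filtered      msrpc
1434/udp filtered      ms-sql-m
5353/udp open|filtered zeroconf
"""

if __name__ == "__main__":
    diff = vantage_point_diff(parse_nmap_udp(SCAN_FROM_SAME_ISP), parse_nmap_udp(SCAN_FROM_OTHER_ISP))
    for port, (near, far) in diff.items():
        print(f"udp/{port}: {near} from inside, {far} from outside -> filtered upstream")
```
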
----- Original Message ----- 
From: "Roger A. Grimes" <roger at banneretcs.com>
To: "General DShield Discussion List" <list at lists.dshield.org>
Sent: Wednesday, March 09, 2005 8:27 AM
Subject: RE: [Dshield] Possible problem?


> They could be running a product that has MSDE embedded.  Something like
> 200 consumer products have the client-version of SQL installed by
> default. Telnet to the port and see what return information you get.
>
> But don't rule out a false-positive. I recently invited an entire mail
> list to port scan my network. I had 1000s of different IP addresses
> scan me, and over a hundred people sent me their results.  Less than a
> dozen were accurate.  Most had tons of false-positives. I've yet to find
> the port scanning tool that was 100% accurate, especially when scanning
> cross-platform (i.e. scanner is running on one platform and target is
> running on another).  Also, if the target is running a firewall, they
> often set up "fake" ports to capture packets to do "deep packet
> inspection"...so that can lead to a pseudo false-positive.
>
> -----Original Message-----
> From: list-bounces at lists.dshield.org
> [mailto:list-bounces at lists.dshield.org] On Behalf Of Paul Marsh
> Sent: Monday, March 07, 2005 3:18 PM
> To: list at lists.dshield.org
> Subject: [Dshield] Possible problem?
>
> I did an nmap scan on one of my users' home systems.  It's a typical
> broadband connection; the default TCP scan revealed ports 21, 25 and 80 open.
> In the past I've found that these ports belong to the broadband modem.
> I then did a -sU default UDP scan and found the following:
>
> PORT     STATE    SERVICE
> 135/udp  filtered msrpc
> 136/udp  filtered profile
> 138/udp  filtered netbios-dgm
> 1434/udp filtered ms-sql-m
>
> 135-138 typical MS stuff no?
>
> 1434 I know the user is not running SQL monitor.  Is it likely the
> system has SQL slammer/Sapphire running on it?
>
> The system is XP home SP2
>
> Thanx, Paul
>
> -------------- Sponsor Message ------------------------------------
> SANS Intrusion Immersion Training: Orlando, FL, February 3-9th
> http://www.sans.org/orlando05
>
> _______________________________________________
> send all posts to list at lists.dshield.org To change your subscription
> options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list
>