[Dshield] Possible problem?

Paul Marsh pmarsh at nmefdn.org
Wed Mar 9 15:37:10 GMT 2005


Thanx to all that responded.  I think I'm dealing with false positives
generated by my firewall.  A scan from home reports these ports are
closed.

Thanx, Paul  

-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org] On Behalf Of Roger A. Grimes
Sent: Wednesday, March 09, 2005 8:27 AM
To: General DShield Discussion List
Subject: RE: [Dshield] Possible problem?

They could be running a product that has MSDE embedded.  Something like
200 consumer products have the client-version of SQL installed by
default. Telnet to the port and see what return information you get.

But don't rule out a false-positive. I recently invited an entire mail
list to port scan my network. I had 1000s of different IP addresses
scan me, and over a hundred people sent me their results.  Less than a
dozen were accurate.  Most had tons of false-positives. I've yet to find
the port scanning tool that was 100% accurate, especially when scanning
cross-platform (i.e. scanner is running on one platform and target is
running on another).  Also, if the target is running a firewall, they
often set up "fake" ports to capture packets to do "deep packet
inspection"...so that can lead to a pseudo false-positive.

-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org] On Behalf Of Paul Marsh
Sent: Monday, March 07, 2005 3:18 PM
To: list at lists.dshield.org
Subject: [Dshield] Possible problem?

I did an nmap scan on one of my users' home systems.  It's a typical
broadband connection. Default TCP scan revealed port 21, 25 and 80 open.
In the past I've found that these ports belong to the broadband modem.
I then did a -sU default UDP and found the following:

PORT     STATE    SERVICE
135/udp  filtered msrpc
136/udp  filtered profile
138/udp  filtered netbios-dgm
1434/udp filtered ms-sql-m

135-138 typical MS stuff, no?

1434 I know the user is not running SQL monitor.  Is it likely the
system has SQL slammer/Sapphire running on it?

The system is XP home SP2

Thanx, Paul

-------------- Sponsor Message ------------------------------------
SANS Intrusion Immersion Training: Orlando, FL, February 3-9th
http://www.sans.org/orlando05

_______________________________________________
send all posts to list at lists.dshield.org To change your subscription
options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
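
Added example, not part of the original thread: a small parser for the
port table in the first message that lists the rows whose state does not
show a listener either way, plus the mapping from UDP probe replies to
state names as documented for current Nmap releases. The function names
and the SAMPLE text are assumptions made for this illustration.

```python
import re

# Constructed sample: the UDP port table quoted in the thread.
SAMPLE = """\
PORT     STATE    SERVICE
135/udp  filtered msrpc
136/udp  filtered profile
138/udp  filtered netbios-dgm
1434/udp filtered ms-sql-m
"""

ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)$")
# ICMP type 3 codes that Nmap's UDP scan reports as "filtered".
FILTERED_CODES = {0, 1, 2, 9, 10, 13}


def udp_state(udp_reply=False, icmp=None):
    """Map what came back from one UDP probe to the Nmap state name.

    icmp is a (type, code) tuple, or None if no ICMP error arrived.
    """
    if udp_reply:
        return "open"            # the service itself answered
    if icmp == (3, 3):
        return "closed"          # port unreachable: nothing is listening
    if icmp and icmp[0] == 3 and icmp[1] in FILTERED_CODES:
        return "filtered"        # a filter rejected the probe
    return "open|filtered"       # silence: listener or dropped packet


def parse_ports(text):
    """Turn the PORT/STATE/SERVICE table into a list of dicts."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # the header line and blank lines do not match
            port, proto, state, service = m.groups()
            rows.append({"port": int(port), "proto": proto,
                         "state": state, "service": service})
    return rows


def needs_followup(text):
    """Rows whose state shows neither a listener nor a closed port."""
    return [r for r in parse_ports(text)
            if r["state"] not in ("open", "closed")]


if __name__ == "__main__":
    for r in needs_followup(SAMPLE):
        print(f'{r["port"]}/{r["proto"]} {r["state"]}: inconclusive')
```

All four rows from the post come back as inconclusive, which matches the
outcome reported at the top of the thread.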
