
RE: Why i'm i getting unused IPs in reports as if they had ports open..

Subject: RE: Why i'm i getting unused IPs in reports as if they had ports open..
Date: Wed, 15 Jun 2005 14:12:56 -0500
What I'm trying to do is scan the whole Class "C" network to "discover"
which machines/nodes are present, at which IPs, and check those available
for their vulnerabilities.

There is no IPS in the network.  The machine from which I'm running the scan
is without a firewall, and is connected to the network as one more node (its
IP is "192.168.0.111" at this time, assigned by the network's DHCP).

The "ports" being returned for all unused IPs in the network are 21 and 25.
For example, I copied below the first unused IPs (#2, #3 and #4) from the
report that comes out after the scan.  All unused IPs in the network come
out with the information below for ports 21 and 25.  Sometimes it reports
for port 21 only, and sometimes for 25 only.  But the fact is that there is
nothing in the network with the reported IP (checked via PING and port scan
with a port scanner such as SuperScan) but still it is reported as if it existed
and had a port open.  Shouldn't it just NOT appear...?


192.168.0.2

ftp (21/tcp)

 An unknown service is running on this port.
It is usually reserved for FTP
Plugin ID : 10330

 A server is running on this port
Plugin ID : 17975

 An unknown service runs on this port.
It is sometimes opened by this/these Trojan horse(s):
Back Construction
Blade Runner
Cattivik FTP Server
CC Invader
Dark FTP
Doly Trojan
Fore
FreddyK
Invisible FTP
Juggernaut 42
Larva
MotIv FTP
Net Administrator
Ramen
RTB 666
Senna Spy FTP server
The Flu
Traitor 21
WebEx
WinCrash

Unless you know for sure what is behind it, you'd better
check your system

Anyway, don't panic, Nessus only found an open port. It may
have been dynamically allocated to some service (RPC...)

Solution: if a trojan horse is running, run a good antivirus scanner
Risk factor : Low

Plugin ID : 11157


smtp (25/tcp)

 An unknown service is running on this port.
It is usually reserved for SMTP
Plugin ID : 10330

 A server is running on this port
Plugin ID : 17975

 An unknown service runs on this port.
It is sometimes opened by this/these Trojan horse(s):
Ajan
Antigen
Barok
BSE
Email Password Sender - EPS
EPS II
Gip
Gris
Happy99
Hpteam mail
I love you
Kuang2
Magic Horse
MBT (Mail Bombing Trojan)
Moscow Email trojan
Naebi
NewApt worm
ProMail trojan
Shtirlitz
Stealth
Stukach
Tapiras
Terminator
WinPC
WinSpy

Unless you know for sure what is behind it, you'd better
check your system

Anyway, don't panic, Nessus only found an open port. It may
have been dynamically allocated to some service (RPC...)

Solution: if a trojan horse is running, run a good antivirus scanner
Risk factor : Low

Plugin ID : 11157




192.168.0.3

smtp (25/tcp)

 An unknown service is running on this port.
It is usually reserved for SMTP
Plugin ID : 10330

 A server is running on this port
Plugin ID : 17975

 An unknown service runs on this port.
It is sometimes opened by this/these Trojan horse(s):
Ajan
Antigen
Barok
BSE
Email Password Sender - EPS
EPS II
Gip
Gris
Happy99
Hpteam mail
I love you
Kuang2
Magic Horse
MBT (Mail Bombing Trojan)
Moscow Email trojan
Naebi
NewApt worm
ProMail trojan
Shtirlitz
Stealth
Stukach
Tapiras
Terminator
WinPC
WinSpy

Unless you know for sure what is behind it, you'd better
check your system

Anyway, don't panic, Nessus only found an open port. It may
have been dynamically allocated to some service (RPC...)

Solution: if a trojan horse is running, run a good antivirus scanner
Risk factor : Low

Plugin ID : 11157




192.168.0.4

ftp (21/tcp)

 An unknown service is running on this port.
It is usually reserved for FTP
Plugin ID : 10330

 A server is running on this port
Plugin ID : 17975

 An unknown service runs on this port.
It is sometimes opened by this/these Trojan horse(s):
Back Construction
Blade Runner
Cattivik FTP Server
CC Invader
Dark FTP
Doly Trojan
Fore
FreddyK
Invisible FTP
Juggernaut 42
Larva
MotIv FTP
Net Administrator
Ramen
RTB 666
Senna Spy FTP server
The Flu
Traitor 21
WebEx
WinCrash

Unless you know for sure what is behind it, you'd better
check your system

Anyway, don't panic, Nessus only found an open port. It may
have been dynamically allocated to some service (RPC...)

Solution: if a trojan horse is running, run a good antivirus scanner
Risk factor : Low

Plugin ID : 11157


smtp (25/tcp)

 An unknown service is running on this port.
It is usually reserved for SMTP
Plugin ID : 10330

 A server is running on this port
Plugin ID : 17975

 An unknown service runs on this port.
It is sometimes opened by this/these Trojan horse(s):
Ajan
Antigen
Barok
BSE
Email Password Sender - EPS
EPS II
Gip
Gris
Happy99
Hpteam mail
I love you
Kuang2
Magic Horse
MBT (Mail Bombing Trojan)
Moscow Email trojan
Naebi
NewApt worm
ProMail trojan
Shtirlitz
Stealth
Stukach
Tapiras
Terminator
WinPC
WinSpy

Unless you know for sure what is behind it, you'd better
check your system

Anyway, don't panic, Nessus only found an open port. It may
have been dynamically allocated to some service (RPC...)

Solution: if a trojan horse is running, run a good antivirus scanner
Risk factor : Low

Plugin ID : 11157

-----Original Message-----
From: Michel Arboi [mailto:mikhail@nessus.org]
Sent: Wednesday, June 15, 2005 12:38 PM
To: Richie @ Firstpoint
Cc: nessus@list.nessus.org
Subject: Re: Why i'm i getting unused IPs in reports as if they had
ports open..


On Wed Jun 15 2005 at 20:08, Richie @ Firstpoint wrote:

If I run a scan under 192.168.0.0/24 I'm getting a report stating that
192.168.0.2 ... 192.168.0.99 as if they have 2 open ports.

Which ports exactly?
Are you running an IPS or something like this? Or scanning the machine
through a firewall?





_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
