Network Security: Detailed info on Re: Very strange nmap scan results

Subject:	Re: Very strange nmap scan results
Date:	Sat, 22 Sep 2007 16:11:54 +0200

Am Freitag 21 September 2007 schrieb Juan B:

Hi all,

For a client in scaning his Dmz from the internet.

I know the servers are behind a pix 515 without any
add security features ( they dont have any ips or
the
didnt enabled the ips feature of the pix). they also


dont have any honeypot etc..

the strange is that two I receive too many open
ports!
for example I scan the mail relay and although just
port 25 is open it report lots of more open ports!
this is the nmap scan I issued:

nmap -sT -vv -P0 -O -p1-1024 200.61.44.48/28 -oA
cpsa.txt

( I changed the ip's here...)

and the result for the mail relay for example are:


nteresting ports on mail.cpsa.com (200.61.44.50):
PORT     STATE    SERVICE
1/tcp    open     tcpmux
2/tcp    open     compressnet
3/tcp    open     compressnet
4/tcp    open     unknown
5/tcp    open     rje
6/tcp    open     unknown
7/tcp    open     echo
8/tcp    filtered unknown
9/tcp    open     discard
10/tcp   open     unknown
11/tcp   open     systat
12/tcp   open     unknown
13/tcp   open     daytime
14/tcp   open     unknown
15/tcp   open     netstat
16/tcp   open     unknown
17/tcp   open     qotd
18/tcp   filtered msp
19/tcp   open     chargen
20/tcp   open     ftp-data
21/tcp   open     ftp
22/tcp   open     ssh
23/tcp   open     telnet
24/tcp   open     priv-mail
25/tcp   open     smtp
26/tcp   open     unknown
27/tcp   open     nsw-fe
28/tcp   open     unknown
29/tcp   open     msg-icp
30/tcp   open     unknown
31/tcp   open     msg-auth
32/tcp   open     unknown
33/tcp   open     dsp
34/tcp   open     unknown

this continues up to port 1024..

any ideas how to eliminate so many false positives?

thanks a lot,

Juan


___________________________________________________________________________
_________

Catch up on fall's hot new shows on Yahoo! TV. Watch
previews, get listings, and more!
http://tv.yahoo.com/collections/3658


     
___________________________________________________________________________
_________ Don't let your dream ride pass you by. Make it a reality with
Yahoo! Autos. http://autos.yahoo.com/index.html




------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------


Hi Juan !

Yes, this happnes, when there is a "firewall" running. I have portsentry 
running, and when I do a portscan, it seems, every ports are available. 
Indeed, they are not ! And if someone is scanning me, portsentry has already 
detected it and is executing the preconfigurated task (i.e. logging, 
diconnecting, putting IP into /etc/hosts.deny or whatever I told it)

Best regards

Hans


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

<Prev in Thread]	Current Thread	[Next in Thread>
Very strange nmap scan results, Juan B Re: Very strange nmap scan results, Hans-J. Ullrich <= Re: Very strange nmap scan results, Adrian Sanabria RE: Very strange nmap scan results, Mohr, James RE: Very strange nmap scan results, Rodrigo Dutra Salvalagio Re: Very strange nmap scan results, jason_jones98

Previous by Date:	Re: R: WifiZoo v1.1, kevin horvath
Next by Date:	CREST Information, Felonious Fish
Previous by Thread:	Very strange nmap scan results, Juan B
Next by Thread:	Re: Very strange nmap scan results, Adrian Sanabria
Indexes:	[Date] [Thread] [Top] [All Lists]