Security Basics mailing list archives
RE: Port open - help
From: Peter Rodger <prodger2008 () yahoo com>
Date: Wed, 9 Mar 2005 10:27:42 -0800 (PST)
Are you looking at the servers from inside the network or outside?
outside. I did "no fixup protocol smtp 25" already due to mail issue.

Here is the nmap result from inside network:

****************
Starting nmap 3.55-SP2 ( http://www.insecure.org/nmap ) at 2005-03-09 12:51 Eastern Standard Time
Failed to resolve given hostname/IP: nmap. Note that you can't use '/mask' AND '[1-4,7,100-]' style IP ranges
Host (192.168.2.5) appears to be up ... good.
Initiating Connect() Scan against 192.168.2.5 at 12:51
Adding open port 3389/tcp
Adding open port 25/tcp
Adding open port 135/tcp
Adding open port 139/tcp
Adding open port 1494/tcp
Adding open port 445/tcp
Adding open port 110/tcp
The Connect() Scan took 333 seconds to scan 1660 ports.
For OSScan assuming that port 25 is open and port 1 is closed and neither are firewalled
WARNING: RST from port 25 -- is this port really open?
WARNING: RST from port 25 -- is this port really open?
WARNING: RST from port 25 -- is this port really open?
WARNING: RST from port 25 -- is this port really open?
WARNING: RST from port 25 -- is this port really open?
(The 1653 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
25/tcp   open  smtp
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1494/tcp open  citrix-ica
3389/tcp open  ms-term-serv
Device type: general purpose
Running: Microsoft Windows NT/2K/XP
OS details: Microsoft Windows XP Professional SP1 or Windows 2000 SP3
***************************

Here is the nmap result from outside network: using nmap -sT -v -P0 -O ip

(The 1657 ports scanned but not shown below are in state: filtered)
PORT     STATE SERVICE
25/tcp   open  smtp
110/tcp  open  pop3
1494/tcp open  citrix-ica
Too many fingerprints match this host to give specific OS details
TCP/IP fingerprint:
SInfo(V=3.55-SP2%P=i686-pc-windows-windows%D=3/8%Time=422DE139%O=25%C=-1)
T1(Resp=N)
T2(Resp=N)
T3(Resp=N)
T4(Resp=N)
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)
******************************************

Thanks!
Peter

--- Andrew Shore <andrew.shore () holistecs com> wrote:
Are you looking at the servers from inside the network or outside?

If it's outside the network then you may be connecting to the PIX's fix up protocol sockets, these are protocol interception routines which do deep inspection of the data. Ie when you connect to a mail server behind a pix the pix will substitute the server id string with ****'s to hide the application running mail. It also restricts the command you can send to the pix and whole lot more.

You may not actually have these ports open on the servers. If you have no mail servers behind the firewall run the command "no fixup smtp 25" on the firewall.

Andy

-----Original Message-----
From: Peter Rodger [mailto:prodger2008 () yahoo com]
Sent: 09 March 2005 17:31
To: Andrew Shore
Subject: RE: Port open - help

these ports are simply open on the PIX outside interface. Windows 2000 and 1.8 Metaframe. not just Citrix servers and every static translated servers have ports 25/110 open. Do you know why?

Thanks

--- Andrew Shore <andrew.shore () holistecs com> wrote:

Are you saying there is a rule on PIX to allow 24/110 or that these ports are simply open?
What versions of windows/citrix are you running?
What services are installed (windows add/remove programs -> windows components)

-----Original Message-----
From: Peter Rodger [mailto:prodger2008 () yahoo com]
Sent: 09 March 2005 17:12
To: Andrew Shore
Subject: RE: Port open - help

an empty black screen. What I found out that port 25/110 open on the PIX external interface, any server that has static mapping on the PIX has 25/110 open. I have no idea that 25/110 open on the PIX public interface and I did not open that ports on the PIX public interface. Why did other servers have these ports open even we did not open on these servers?

Thanks!

--- Andrew Shore <andrew.shore () holistecs com> wrote:

25 is smtp and 110 is pop3
Have you installed any mail applications ?
When you telnet on what is the logon message (ie Welcome to Microsoft SMTP Service Ver x.y?

-----Original Message-----
From: dave kleiman [mailto:dave () isecureu com]
Sent: 09 March 2005 03:29
To: 'Peter Rodger'; security-basics () securityfocus com
Subject: RE: Port open - help

Peter,

Have you tried to identify what process is listening on those ports:

Netstat -ano

Tcpview
http://www.sysinternals.com/ntw2k/source/tcpview.shtml

Vision
http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/freetools.htm

CurrPorts
http://nirsoft.mirrorz.com/

Regards,
___________________________________________________
Dave Kleiman, CIFI, CISM, CISSP, ISSAP, ISSMP, MCSE
www.SecurityBreachResponse.com
www.ComputerForensicInvestigations.com

-----Original Message-----
From: Peter Rodger [mailto:prodger2008 () yahoo com]
Sent: Tuesday, March 08, 2005 13:27
To: security-basics () securityfocus com
Subject: Port open - help

Hi, all

I just use nmap to scan our Citrix servers and found out ports 25 and 110 open through public addresses. I can use telnet ip 25/110 and ports are open. But, no 25/110 services are installed on the Citrix servers. I used nmap to scan the Citrix servers using internal IP and ports 25/110 are not open. We use PIX 500 as a firewall. I did not open 25/110 for the Citrix servers on the firewall.

Why are 25/110 ports open and how do I solve them?

Thanks for any help!

Peter
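
Added example (not part of the original thread or any poster's code): a small comparison of the inside and outside nmap port tables quoted above, listing which ports answer from outside without being intentionally published. The function names and the "intended" set (only 1494/tcp, Citrix ICA) are assumptions made for illustration; the sample text is constructed from the scan output in the message.

```python
import re
from collections import Counter

# Constructed sample input: port tables and one warning line copied from the
# two scans quoted in the thread (inside: 192.168.2.5, outside: public IP).
INSIDE_SCAN = """\
WARNING: RST from port 25 -- is this port really open?
(The 1653 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
25/tcp   open  smtp
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1494/tcp open  citrix-ica
3389/tcp open  ms-term-serv
"""
OUTSIDE_SCAN = """\
(The 1657 ports scanned but not shown below are in state: filtered)
PORT     STATE SERVICE
25/tcp   open  smtp
110/tcp  open  pop3
1494/tcp open  citrix-ica
"""
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.M)
RST_WARNING = re.compile(r"^WARNING: RST from port (\d+)", re.M)

def open_ports(scan_text):
    """Return {port: service} for every port nmap lists as 'open'."""
    return {int(p): svc for p, _proto, state, svc in PORT_LINE.findall(scan_text)
            if state == "open"}

def rst_warnings(scan_text):
    """Count nmap's 'RST from port N' warnings per port."""
    return Counter(int(p) for p in RST_WARNING.findall(scan_text))

def compare(inside, outside, intended):
    """Compare both vantage points against the intentionally published ports."""
    ins, outs = open_ports(inside), open_ports(outside)
    return {
        "unexpected_outside": sorted(set(outs) - intended),
        "inside_only": sorted(set(ins) - set(outs)),
        "rst_suspect": sorted(rst_warnings(inside) + rst_warnings(outside)),
    }

if __name__ == "__main__":
    # Assumption: only Citrix ICA (1494/tcp) is meant to be reachable from outside.
    for key, ports in compare(INSIDE_SCAN, OUTSIDE_SCAN, {1494}).items():
        print(f"{key}: {ports}")
```

Ports listed under unexpected_outside are the ones to trace back to a firewall rule, static translation or inspection feature before assuming a service is listening on the host itself.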
Current thread:
- Port open - help Peter Rodger (Mar 08)
- RE: Port open - help dave kleiman (Mar 09)
- <Possible follow-ups>
- RE: Port open - help Mike (Mar 09)
- RE: Port open - help Peter Rodger (Mar 09)
- RE: Port open - help Beauford, Jason (Mar 09)
- RE: Port open - help Andrew Shore (Mar 09)
- RE: Port open - help Peter Rodger (Mar 09)