Security Incidents mailing list archives
stranges response for Linux => 2.2.15
From: Eduardo Romero <edo () LINUX CL>
Date: Fri, 23 Mar 2001 16:33:09 -0400
Hi guys: I recently installed nPulse ( http://www.horsburgh.com ), that uses nmap to simulate a backdoor test. nmap send the follow sintax for check UDP bouncing: /usr/bin/nmap -oM - -sU -p 1,52,53,2140,3150,10067,10167,31337 linux-machine ( things such BackOrifice, Doom, SubSeven, etc ). But some linux kernels response are different: (suppose domain only run in UDP ) In a 2.2.13 Box: Interesting ports on paine.xx.yy (111.222.333.1): (The 7 ports scanned but not shown below are in state: closed) Port State Service 53/udp open domain Nmap run completed -- 1 IP address (1 host up) scanned in 12 seconds But when you run over a 2.2.15 machine or higher : Starting nmap V. 2.50 by fyodor () insecure org ( www.insecure.org/nmap/ ) Interesting ports on zz.yy (111.222.333.2): Port State Service 1/udp open tcpmux 52/udp open xns-time 53/udp open domain 2140/udp open unknown 3150/udp open unknown 10067/udp open unknown 10167/udp open unknown 31337/udp open BackOrifice Nmap run completed -- 1 IP address (1 host up) scanned in 1 second Now . it's seems a problem with nmap calls to open an UDP socket , or like Linux response to o.k ,that in fact are really closed (yes.. really :) ). It's a kernel bug (Solaris & MS_world don't show this problem), but sometimes think a problem with RedHat distributions (mandrake and suse don't response this). Thanks in Advance Edo.
Current thread:
- stranges response for Linux => 2.2.15 Eduardo Romero (Mar 24)