Security Incidents mailing list archives

strange, strange stuff

From: Max Gribov <max () DATATWIRL YI ORG>
Date: Mon, 26 Mar 2001 19:22:18 -0500

I did my weekly sweep of my machine, which involves portscans, log
reviews, etc, and during nmap'ing i came across this:

four consequtive nmaps below:

--------------------------------
Starting nmap V. 2.54BETA7 ( www.insecure.org/nmap/ )
Strange read error from 127.0.0.1 (104): Operation now in progress
Strange read error from 127.0.0.1 (104): Operation now in progress
Strange read error from 127.0.0.1 (104): Operation now in progress
Interesting ports on localhost (127.0.0.1):
(The 65494 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
113/tcp    open        auth
1918/tcp   open        unknown
2643/tcp   open        unknown
4986/tcp   open        unknown
6000/tcp   open        X11

--------------------------------
Starting nmap V. 2.54BETA7 ( www.insecure.org/nmap/ )
Strange read error from 127.0.0.1 (104): Operation now in progress
Interesting ports on localhost (127.0.0.1):
(The 65496 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
113/tcp    open        auth
2538/tcp   open        unknown
6000/tcp   open        X11

--------------------------------
Starting nmap V. 2.54BETA7 ( www.insecure.org/nmap/ )
Strange read error from 127.0.0.1 (104): Operation now in progress
Interesting ports on localhost (127.0.0.1):
(The 65496 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
113/tcp    open        auth
3691/tcp   open        unknown
6000/tcp   open        X11

---------------------------------
Starting nmap V. 2.54BETA7 ( www.insecure.org/nmap/ )
Strange read error from 127.0.0.1 (104): Operation now in progress
Strange read error from 127.0.0.1 (104): Operation now in progress
Interesting ports on localhost (127.0.0.1):
(The 65495 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
113/tcp    open        auth
2913/tcp   open        unknown
3765/tcp   open        unknown
6000/tcp   open        X11


As you can see, in each portscan "Strange read error from 127.0.0.1
(104): Operation now in progress" error was recieved as well as a strange
"opened" port, number of which seem to correspond to number of the above
error messages. If i telnet to the port, i get "connection refused", and
nothing shows up on netstat/lsof.
Has anyone ever seen anything like this? Can anyone suggest some
tool/technique to find out what is exactly going on on my machine?


Thanks in advance,

Max_

Current thread:

strange, strange stuff Max Gribov (Mar 26)
- Re: strange, strange stuff Hugo van der Kooij (Mar 26)
  - Re: strange, strange stuff Peter Moody (Mar 27)
  - Re: strange, strange stuff Erik (Mar 28)
- Re: strange, strange stuff Jason Boyer (Mar 27)