Security Incidents mailing list archives
nmap reveals trinoo_master on router
From: fahimdxb () gmail com
Date: 18 Oct 2006 11:35:34 -0000
On my Cisco Router, I do a nmap scan from outside on the Internet. The result is:

    Interesting ports on *.*.50.1:
    Not shown: 1676 closed ports
    PORT      STATE    SERVICE
    23/tcp    filtered telnet
    135/tcp   filtered msrpc
    1524/tcp  filtered ingreslock
    27665/tcp filtered Trinoo_Master

I am worried about the last two entries. The last nmap was done in Feb this year and I have confirmed that the two port entries (tcp 1524/27665) did not exist then. Though the port state "filtered" is a solace, I am still concerned. How can I be sure that the system has not been compromised?

Also, the current IOS version of my Router 2811 is 12.4. It was the same case with open ports when I was using the older Router Series 1700 v 12.2, so I thought maybe it's an IOS issue, and I upgraded my Router to a 2811 with IOS v 12.4 yesterday. But as soon as I plugged it into the circuit and did a re-scan, I realised that nmap again gives the trinoo_master entry with state as filtered.

Where could the problem lie? Is it with my firewall (PIX 515) configuration behind the router? Please advise!!

I have seen Cisco's tech doc that exists here:
http://www.cisco.com/en/US/partner/tech/tk59/technologies_white_paper09186a0080174a5b.shtml

One of the solutions suggested therein is to implement "ip verify unicast reverse-path" on the serial interface, but I am not sure what purpose it will serve. Also, I suspect that I had other problems when I gave this command, so I reversed it.

"sh process cpu" only shows CPU utilisation of about 5-6%.

Please advise!!
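An added example, not part of the original post: one way to do the scan-to-scan comparison the poster describes, by parsing the port table from nmap's normal output and listing the ports whose state changed, with a note on what each state establishes. The baseline scan text, the function names and the notes are assumptions constructed for illustration; the current scan mirrors the table quoted in the post.

```python
import re

# Constructed inputs: CURRENT mirrors the port table quoted in the post; BASELINE
# is a hypothetical earlier scan (the post only says 1524 and 27665 were absent).
BASELINE = """\
PORT      STATE    SERVICE
23/tcp    filtered telnet
135/tcp   filtered msrpc
"""
CURRENT = BASELINE + """\
1524/tcp  filtered ingreslock
27665/tcp filtered Trinoo_Master
"""

# One row of nmap's normal-output port table. Without -sV the SERVICE column is
# only a port-number lookup in the nmap-services file, not an identified daemon.
ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)$")

# What each reported state does and does not establish.
NOTES = {
    "open": "something accepted the probe: identify the listener",
    "filtered": "probe was dropped or rejected in transit: no listener confirmed",
    "closed": "host answered that nothing is listening",
}

def parse_ports(text):
    """Map (port, proto) -> (state, service) for every table row in text."""
    ports = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            ports[(int(m.group(1)), m.group(2))] = (m.group(3), m.group(4))
    return ports

def diff_scans(old_text, new_text):
    """List (port, proto, old_state, new_state, service, note) for changed ports."""
    old, new = parse_ports(old_text), parse_ports(new_text)
    changes = []
    for key in sorted(set(old) | set(new)):
        before, after = old.get(key), new.get(key)
        if before == after:
            continue
        state = after[0] if after else None
        service = (after or before)[1]
        note = NOTES.get(state, "port no longer listed" if state is None else "see nmap docs")
        changes.append((key[0], key[1], before[0] if before else None, state, service, note))
    return changes

if __name__ == "__main__":
    for change in diff_scans(BASELINE, CURRENT):
        print(change)
```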