Security Incidents mailing list archives
RE: nmap reveals trinoo_master on router
From: "Maxime Ducharme" <mducharme () cybergeneration com>
Date: Mon, 23 Oct 2006 10:58:48 -0400
Hello nmap command structure (usually called documentation) can be found here : http://insecure.org/nmap/man/ I am not sure to understand the second question filtering can be done upwards, i.e. the ISP filters outgoing TCP 27765 to prevent Trinoo from spreading filtering can also be done by your gateway's ISP downwards, i.e. any incoming Trinoo packet is dropped this is not the same ISP so not the same routers and not the same configuration hping can help to find which router actually filters this port with something like this : hping2 --destport 27765 --syn --traceroute --tr-stop 1.2.3.4 where 1.2.3.4 is the cisco's IP HTH have a nice day Maxime -----Message d'origine----- De : Faheem SIDDIQUI [mailto:fahimdxb () gmail com] Envoyé : 20 octobre, 2006 22:20 À : Maxime Ducharme Cc : incidents () securityfocus com Objet : Re: nmap reveals trinoo_master on router Thanks Maxime Seems like this is the most probable cause as I have done portscans on machines internally and that hasn't revealed anything. While we are at it, I tried to find the nmap command line structure to only check for this port (27765) on my internal IP address range, but couldn't quite hit it so did full scans. What would be the nmap command structure (for future sake!) One mystery still exists. Yes! We have one sole ISP in the region and chances are that when I do this nmap from my home across to my target gateway, a lot of ISPs routers would fall thru the route and they might have been configured to drop this port but then, another router I know of , when I run nmap on it's serial, doesn't show this port Trinoo_Master in filtered state. For sure it's the same ISP's routers my second nmap also passes through and if it's ISP configuration, nmap to every router in the region should display this port..Correct? Maxime Ducharme wrote:
Some router between the scanner and the server drops packets adresses to these ports, thats why you see them as filtered It is common pratices for ISPs since these ports arent used by common net users I cannot tell if you system is compromised or not, but this scan reveals nothing abnormal HTH Maxime Ducharme -----Message d'origine----- De : listbounce () securityfocus com [mailto:listbounce () securityfocus com] De la part de fahimdxb () gmail com Envoyé : 18 octobre, 2006 07:36 À : incidents () securityfocus com Objet : nmap reveals trinoo_master on router On my Cisco Router, I do a nmap scan from outside on the Internet. The result is: " Interesting ports on *.*.50.1: Not shown: 1676 closed ports PORT STATE SERVICE 23/tcp filtered telnet 135/tcp filtered msrpc 1524/tcp filtered ingreslock 27665/tcp filtered Trinoo_Master I am worried about the last two entries. The last nmap was done in Feb
this
year and I have confirmed that the two port entries (tcp 1524/27665) did
not
exist then. Though the port state "filtered" is a solace but I am still concerned. How can I be sure that the system has not been compromised? Also the current IOS Version of my Router 2811 is 12.4. It was the same
case
with open ports when I was using older Router Series 1700 v 12.2, so I thought maybe, it's an IOS issue and I upgraded my Router to 2811 with IOS
v
12.4 yesterday. But as soon as I plugged it into the circuit and did a re-scan, I realised the nmap again gives the trinoo_master entry with
state
as filtered. Where could lie the problem. Is it with my firewall (PIX 515)
configuration
behind the router? Please Advise!! I have seen Cisco's tech doc that exists here:
http://www.cisco.com/en/US/partner/tech/tk59/technologies_white_paper09186a0
080174a5b.shtml One of the solutions suggested therein is to implement "ip verify unicast reverse-path" on the serial interface, but am not sure what will it serve? Also, I suspect that I had other problems when I gave this command so I reversed it. "sh process cpu" only shows cpu utilisation of about 5-6%. Please advise!!
----------------------------------------------------------------------------
-- This List Sponsored by: Black Hat Attend the Black Hat Briefings & Training USA, July 29-August 3 in Las Vegas. World renowned security experts reveal tomorrow's threats today. Free of vendor pitches, the Briefings are designed to be pragmatic regardless of your security environment. Featuring 36 hands-on training courses and 10 conference tracks, networking opportunities with over 2,500 delegates from 40+
nations.
http://www.blackhat.com
----------------------------------------------------------------------------
--
------------------------------------------------------------------------------ This List Sponsored by: Black Hat Attend the Black Hat Briefings & Training USA, July 29-August 3 in Las Vegas. World renowned security experts reveal tomorrow's threats today. Free of vendor pitches, the Briefings are designed to be pragmatic regardless of your security environment. Featuring 36 hands-on training courses and 10 conference tracks, networking opportunities with over 2,500 delegates from 40+ nations. http://www.blackhat.com ------------------------------------------------------------------------------
Current thread:
- nmap reveals trinoo_master on router fahimdxb (Oct 18)
- Re: nmap reveals trinoo_master on router Robin Sheat (Oct 18)
- <Possible follow-ups>
- RE: nmap reveals trinoo_master on router Dario Ciccarone (dciccaro) (Oct 18)
- RE: nmap reveals trinoo_master on router Maxime Ducharme (Oct 23)