RE: nmap reveals trinoo_master on router

["Maxime Ducharme" <mducharme () cybergeneration com>]

Hello

nmap command structure (usually called documentation)
can be found here :
http://insecure.org/nmap/man/

I am not sure to understand the second question

filtering can be done upwards, i.e. the ISP filters
outgoing TCP 27765 to prevent Trinoo from spreading

filtering can also be done by your gateway's ISP
downwards, i.e. any incoming Trinoo packet is dropped

this is not the same ISP so not the same routers and
not the same configuration

hping can help to find which router actually filters this
port with something like this :
hping2 --destport 27765 --syn --traceroute --tr-stop 1.2.3.4

where 1.2.3.4 is the cisco's IP

HTH

have a nice day

Maxime


-----Message d'origine-----
De : Faheem SIDDIQUI [mailto:fahimdxb () gmail com] 
Envoyé : 20 octobre, 2006 22:20
À : Maxime Ducharme
Cc : incidents () securityfocus com
Objet : Re: nmap reveals trinoo_master on router

Thanks Maxime

Seems like this is the most probable cause as I have done portscans on 
machines internally and that hasn't revealed anything. While we are at 
it, I tried to find the nmap command line structure to only check for 
this port (27765) on my internal IP address range, but couldn't quite 
hit it so did full scans. What would be the nmap command structure (for 
future sake!)

One mystery still exists. Yes! We have one sole ISP in the region and 
chances are that when I do this nmap from my home across to my target 
gateway, a lot of ISPs routers would fall thru the route and they might 
have been configured to drop this port but then, another router I know 
of , when I run nmap on it's serial, doesn't show this port 
Trinoo_Master in filtered state. For sure it's the same ISP's routers my 
second nmap also passes through and if it's ISP configuration, nmap to 
every router in the region should display this port..Correct?


Maxime Ducharme wrote:
> Some router between the scanner and the server drops packets
> adresses to these ports, thats why you see them as filtered
>
> It is common pratices for ISPs since these ports arent used
> by common net users
>
> I cannot tell if you system is compromised or not,
> but this scan reveals nothing abnormal
>
> HTH
>
> Maxime Ducharme
>
> -----Message d'origine-----
> De : listbounce () securityfocus com [mailto:listbounce () securityfocus com] De
> la part de fahimdxb () gmail com
> Envoyé : 18 octobre, 2006 07:36
> À : incidents () securityfocus com
> Objet : nmap reveals trinoo_master on router
>
> On my Cisco Router, I do a nmap scan from outside on the Internet. The
> result is:
>
> " Interesting ports on *.*.50.1:
>
> Not shown: 1676 closed ports
> PORT      STATE    SERVICE
> 23/tcp    filtered telnet
> 135/tcp   filtered msrpc
> 1524/tcp  filtered ingreslock
> 27665/tcp filtered Trinoo_Master
>
> I am worried about the last two entries. The last nmap was done in Feb
this
> year and I have confirmed that the two port entries (tcp 1524/27665) did
not
> exist then.
> Though the port state "filtered" is a solace but I am still concerned. How
> can I be sure that the system has not been compromised?
>
> Also the current IOS Version of my Router 2811 is 12.4. It was the same
case
> with open ports when I was using older Router Series 1700 v 12.2, so I
> thought maybe, it's an IOS issue and I upgraded my Router to 2811 with IOS
v
> 12.4 yesterday. But as soon as I plugged it into the circuit and did a
> re-scan, I realised the nmap again gives the trinoo_master entry with
state
> as filtered.
>
> Where could lie the problem. Is it with my firewall (PIX 515)
configuration
> behind the router?
> Please Advise!!
>
> I have seen Cisco's tech doc that exists here:
http://www.cisco.com/en/US/partner/tech/tk59/technologies_white_paper09186a0
> 080174a5b.shtml
>
> One of the solutions suggested therein is to implement "ip verify unicast
> reverse-path" on the serial interface, but am not sure what will it serve?
> Also, I suspect that I had other problems when I gave this command so I
> reversed it.
>
> "sh process cpu" only shows cpu utilisation of about 5-6%.
> Please advise!!
----------------------------------------------------------------------------
> --
> This List Sponsored by: Black Hat
>
> Attend the Black Hat Briefings & Training USA, July 29-August 3 in Las
> Vegas. 
> World renowned security experts reveal tomorrow's threats today. Free of 
> vendor pitches, the Briefings are designed to be pragmatic regardless of
> your 
> security environment. Featuring 36 hands-on training courses and 10
> conference 
> tracks, networking opportunities with over 2,500 delegates from 40+
nations.
> http://www.blackhat.com
----------------------------------------------------------------------------
> --
>
>
>
>   



------------------------------------------------------------------------------
This List Sponsored by: Black Hat

Attend the Black Hat Briefings & Training USA, July 29-August 3 in Las Vegas.
World renowned security experts reveal tomorrow's threats today. Free of
vendor pitches, the Briefings are designed to be pragmatic regardless of your
security environment. Featuring 36 hands-on training courses and 10 conference
tracks, networking opportunities with over 2,500 delegates from 40+ nations.

http://www.blackhat.com
------------------------------------------------------------------------------