Nmap Development mailing list archives
Phantom Windows ports 21, 389, 1002, 1720
From: Fyodor <fyodor () insecure org>
Date: Mon, 14 Apr 2003 12:17:14 -0700
In case anyone else has noticed phantom open ports on their Windows machines which don't show up under netstat, this Microsoft KB Article may provide the explanation. Rather than signifying a trojan installed by malicious parties, the phantom port symptoms may just be an "Internet Connection Firewall feature". See below:

----- Forwarded message from Simone Chemelli <Simone.Chemelli () serinf it> -----

Date: Sun, 13 Apr 2003 15:27:49 +0200
From: Simone Chemelli <Simone.Chemelli () serinf it>
To: fyodor () insecure org
Subject: Fw: Nmap 3.20: if you have time to explain why it behavies like this..SOLVED:-)

Sorry to have you lose time. I found the solution by myself. Again, sorry.
From MS knowledge db ( http://support.microsoft.com):
This article was previously published under Q315846

SYMPTOMS

If you turn on the Internet Connection Firewall feature in Windows XP and you try to use Telnet to connect to any valid IP address on port 389, the Telnet connection appears to be made successfully, even if the host is not listening on that port. The output from the netstat command shows that no local service is listening on port 389. This behavior also occurs with ports 21, 1002, and 1720. This behavior does not occur if you do not turn on the Internet Connection Firewall feature.

CAUSE

If the Internet Connection Firewall feature is on and you try to connect with Telnet to port 389, you actually connect to the local Lightweight Directory Access Protocol (LDAP) proxy that is part of the Firewall service.

Simone Chemelli
System integration

----- Forwarded by Simone Chemelli/serinf on 13/04/2003 15.28 -----

Simone Chemelli/serinf
13/04/2003 13.48
To fyodor () insecure org
Subject Nmap 3.20: if you have time to explain why it behavies like this...

Hi Fyodor. I'm using your nmap 3.20 under Suse 8.1 and kernel 2.4.19. The strange thing is that it says that 3 TCP ports are open (389, 1002 and 1720) on all my hosts. They are on different subnets with different firewalls protecting them, so it sounds strange to me that they all have those ports opened. The command I used was:

[ Cut ]

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
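A triage check for the symptom described in the thread, as an added example that is not part of the original posts: it reads Nmap grepable (`-oG`) output and flags ports from the KB article's list that show up open on every scanned host, which points to something answering on the path rather than to real listeners. The function names and the sample scan lines are constructed for illustration, and a flagged port is only a hint to confirm against netstat on the target.

```python
import re

# Ports the KB article (Q315846) lists as answered by the ICF proxies.
ICF_PROXY_PORTS = {21, 389, 1002, 1720}

# Constructed sample of `nmap -oG` output (documentation address ranges).
SAMPLE_OG = """\
# constructed sample scan
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 389/open/tcp//ldap///, 1002/open/tcp/////, 1720/open/tcp/////
Host: 198.51.100.7 ()\tPorts: 80/open/tcp//http///, 389/open/tcp//ldap///, 1002/open/tcp/////, 1720/open/tcp/////
Host: 203.0.113.25 ()\tPorts: 25/open/tcp//smtp///, 110/closed/tcp//pop3///, 389/open/tcp//ldap///, 1002/open/tcp/////, 1720/open/tcp/////
"""

HOST_LINE = re.compile(r"Host: (\S+) .*?Ports: ([^\t]*)")


def open_tcp_ports(grepable):
    """Map each host to the set of TCP ports reported open in -oG text."""
    hosts = {}
    for line in grepable.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue  # comment lines and "Status:" lines carry no port list
        ports = hosts.setdefault(m.group(1), set())
        for entry in m.group(2).split(","):
            fields = entry.strip().split("/")
            if len(fields) >= 3 and fields[1] == "open" and fields[2] == "tcp":
                ports.add(int(fields[0]))
    return hosts


def suspected_phantom_ports(hosts, min_hosts=2):
    """ICF-proxy ports open on every host; needs several hosts to compare."""
    if len(hosts) < min_hosts:
        return set()
    return set.intersection(*hosts.values()) & ICF_PROXY_PORTS


def ports_worth_investigating(hosts):
    """Per-host open ports with the suspected phantom ports filtered out."""
    phantom = suspected_phantom_ports(hosts)
    return {host: sorted(ports - phantom) for host, ports in hosts.items()}


if __name__ == "__main__":
    scan = open_tcp_ports(SAMPLE_OG)
    print("suspected phantom ports:", sorted(suspected_phantom_ports(scan)))
    print("remaining open ports:", ports_worth_investigating(scan))
```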