Penetration Testing mailing list archives

Re: About Trinoo_Master on 27665 tcp


From: griffkc () gmail com
Date: Thu, 19 Oct 2006 01:19:35 +0000

To really be sure try netcat'ing or telnet'ing to those ports while running a pcap.

-----Original Message-----
From: "Paul Melson" <pmelson () gmail com>
Date: Wed, 18 Oct 2006 16:40:54 
To: "'Faheem SIDDIQUI'" <fahimdxb () gmail com>, <pen-test () securityfocus com>
Subject: RE: About Trinoo_Master on 27665 tcp

-----Original Message-----
Subject: About Trinoo_Master on 27665 tcp

On my Cisco Router, I do an nmap from outside on the Internet. The result
is:

" Interesting ports on *.*.50.1:
Not shown: 1676 closed ports
PORT STATE SERVICE
23/tcp filtered telnet
135/tcp filtered msrpc
1524/tcp filtered ingreslock
27665/tcp filtered Trinoo_Master

I am worried about the last two entries. The last nmap was done in Feb
this year and I have confirmed that the two ports did not exist.
Though the state "filtered" is a solace, I am still concerned. How can
I be sure that the system has not been compromised?

http://insecure.org/nmap/man/man-port-scanning-techniques.html

Don't be.  The difference between "filtered" and "closed" is that for the
closed ports Nmap received a TCP RST packet for that port and for the
filtered ports it received no response (like a firewall drop) or an ICMP
unreachable packet.

I would say it's 99.9% likely that somewhere between your Nmap host and your
router a firewall or router is knocking down all traffic to those ports.

PaulM
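
The closed/filtered distinction and the connect-by-hand check discussed in this thread, as an added example that is not part of the original messages: a full TCP connect probe that reports which kind of answer came back for each port. The function names and the target address (a documentation placeholder) are assumptions; the ports are the ones from the scan output.

```python
import errno
import socket

# ICMP unreachable errors surface to a connecting socket as these errno values.
UNREACHABLE = {errno.EHOSTUNREACH, errno.ENETUNREACH}


def classify(result):
    """Map the outcome of one TCP connect attempt to an Nmap-style port state.

    result is None when the handshake completed, otherwise the exception raised.
    """
    if result is None:
        return "open"        # SYN/ACK came back and the handshake completed
    if isinstance(result, ConnectionRefusedError):
        return "closed"      # a TCP RST came back for this port
    if isinstance(result, (socket.timeout, TimeoutError)):
        return "filtered"    # no reply at all, e.g. a silent firewall drop
    if isinstance(result, OSError) and result.errno in UNREACHABLE:
        return "filtered"    # an ICMP unreachable came back
    return "unknown"         # local failure (DNS, permissions); says nothing about the port


def probe(host, port, timeout=3.0):
    """Attempt one full TCP connect and return (state, detail)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open", "handshake completed"
    except OSError as exc:
        return classify(exc), repr(exc)


if __name__ == "__main__":
    # 192.0.2.1 is a documentation address (RFC 5737) used as a placeholder;
    # replace it with a router you administer.
    for port in (23, 135, 1524, 27665):
        state, detail = probe("192.0.2.1", port)
        print(f"{port}/tcp {state:9} {detail}")
```

Running it alongside a packet capture shows whether a "filtered" result was silence or an ICMP message, and which device sent it.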
