Security Basics mailing list archives

Re: ghostly mail ports


From: "GSimmonds" <gsimmonds () primus ca>
Date: Sat, 11 Jan 2003 17:15:41 -0500


----- Original Message -----
From: "joe" <joseph.beard () btopenworld com>
To: <security-basics () securityfocus com>
Sent: Tuesday, January 07, 2003 7:45 PM
Subject: ghostly mail ports

192.168.0.1
Responded in 0 ms.
0 hops away
Responds with ICMP unreachable: No
TCP ports: 25 110 135 139 445


--------------------------------------------------------------------------

Scan finished at Wed Jan 08 00:37:09 2003

1 IP and 1000 ports scanned in 0 hours 0 mins 18.16 secs

but in netstat, activeports, fport they don't! Does anybody know where they
have come from? I googled for ages but don't seem to be getting anywhere.

I'm curious about the discrepancy between the scanner and the port monitor
outputs. First thing I would do, if you're scanning from another machine, is
double check your IP address. If you're scanning from your machine, replace
192.168.0.1 with 127.0.0.1 and see what that shows.

You're correct in saying that an open port requires a process behind it.
Maybe you read this article already, might give you some ideas.
2. Windows Forensics: A Case Study, Part One
by Stephen Barish
http://online.securityfocus.com/infocus/1653

Of course, sans.org will also have some good walkthroughs.

Regards,

Gary
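
Added example, not part of Gary's message or the original post: a Python comparison of the scanner's open-port list against the TCP listeners that `netstat -an` reports, taking into account which local address each listener is bound to (the reason for trying 127.0.0.1 as well as 192.168.0.1). The netstat text is a constructed sample and the function names are hypothetical.

```python
import re

# Constructed sample of Windows `netstat -an` output (not from the original post).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.0.1:139        0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1031         0.0.0.0:0              LISTENING
  TCP    192.168.0.1:1045       10.0.0.5:80            ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Matches only IPv4 TCP rows in LISTENING state; captures local address and port.
LISTEN_RE = re.compile(
    r"^\s*TCP\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+\S+\s+LISTENING\s*$")

def listeners(netstat_text):
    """Return {port: set(local addresses)} for TCP sockets in LISTENING state."""
    result = {}
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            result.setdefault(int(m.group(2)), set()).add(m.group(1))
    return result

def reachable_on(bound_addrs, scanned_ip):
    """A listener answers on scanned_ip if bound to it or to the wildcard."""
    return "0.0.0.0" in bound_addrs or scanned_ip in bound_addrs

def unexplained_ports(scan_open, netstat_text, scanned_ip):
    """Ports the scanner saw open that no local listener accounts for."""
    table = listeners(netstat_text)
    return sorted(p for p in scan_open
                  if not reachable_on(table.get(p, set()), scanned_ip))

if __name__ == "__main__":
    scan_open = [25, 110, 135, 139, 445]   # port list from the scan in the post
    for ip in ("192.168.0.1", "127.0.0.1"):
        print(ip, "unexplained:", unexplained_ports(scan_open, NETSTAT_SAMPLE, ip))
```

Ports left in the result are the ones to chase: either the scan reached a different address than the machine netstat ran on, or the port tools are not showing the listener.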




