Re: unadministered open ports

[Jacob Bresciani <jacob () bresciani ca>]

I'm jumping into this conversation a little late so I apologize if  
I'm missing facts.

Filtered ports just mean somewhere between the requesting machine and  
the answering machine the ports are being filtered. It doesn't mean  
that they are even open on the answering machine just that somewhere  
the requests got filtered by a gateway/firewall/... somewhere along  
the way. The filter could even be happening by personal software on  
the answering machine even if the ports are already closed, if the  
firewall says the ports are filtered then that is the reply that is  
sent back.

hope that helps somewhat.


Jacob Bresciani
Etraffic Solutions
jacob () etrafficsolutions com
Systems / Network Administrator
BUS (250) 658-8238 ex 39
FAX (250) 658-5936

"Passwords are like bubble gum, strongest when fresh, should never be  
used by groups and create a sticky mess when left laying around"

-anon


On Aug 11, 2005, at 9:44 AM, Peter Odigie wrote:

> What process spawned the ports?.
>
> Take for example the ports below from a workstation
> The ports that are "filtered"  are not supposed to be there, maybe the
> user is/has done something wrong.
>
> Do I have to put a filter on the my gateway?  but which ports do I
> filter?
>
> I guess I will finally have to go each of the computers and remove the
> offending process (maybe a malware) but is there a way to do this
> remotely?
>
> Interesting ports on
> (The 1653 ports scanned but not shown below are in state: closed)
> PORT     STATE    SERVICE
> 116/tcp  filtered ansanotify
> 135/tcp  open     msrpc
> 139/tcp  open     netbios-ssn
> 196/tcp  filtered dn6-smm-red
> 445/tcp  open     microsoft-ds
> 1025/tcp open     NFS-or-IIS
> 1076/tcp filtered sns_credit
> 2043/tcp filtered isis-bcast
> 3389/tcp open     ms-term-serv
> 5000/tcp open     UPnP
>
>
> Thanks
>
>
> Peter
>
>
>
>
> On Thu, 2005-08-11 at 17:01, Sean Crawford wrote:
>
> > What ports are they for a start?.
> >
> >
> > What process spawned the ports?.
> >
> >
> > *sigh*
> >
> > ---> -----Original Message-----
> > ---> From: Peter Odigie [mailto:petermariano () ncema gov ng]
> > ---> Sent: Wednesday, 10 August 2005 7:21 PM
> > ---> To: security-basics () securityfocus com
> > ---> Subject: unadministered open ports
> > --->
> > --->
> > ---> Hi All
> > --->
> > ---> I have noticed that anytime I do a nmap of my LAN I see ports  
> > that are
> > ---> not supposed to be open or used appearing as "filtered" on my
> > ---> workstations.  I get a feeling that they have been infected.   
> > I will
> > ---> want to control this and I will like if I can do it remotely.
> > --->
> > ---> Any help please
> > --->
> > ---> Peter
> > --->
> > --->
> > --->
> > ---> ________ Information from NOD32 ________
> > ---> This message was checked by NOD32 Antivirus System for Linux
> > ---> Mail Server.
> > --->   part000.txt - is OK
> > ---> http://www.nod32.com
> > --->
> > ---> __________ NOD32 1.1191 (20050810) Information __________
> > --->
> > ---> This message was checked by NOD32 antivirus system.
> > ---> http://www.eset.com
> > --->
> > --->