Re: Help understanding NMAP results

[Nikolai Alexandrov <voyager123bg () gmail com>]

Theodore Wynnychenko wrote:

> So, while looking around, I came across NMAP, and decided to use it to scan
> myself.  Went over to a friend's house, and ran an NMAP scan against myself
> (nmap -sS -v -P0 -O xx.xx.xx.xx), and it says "Discovered open port
> 5190/tcp".
>
>  
Try chkrootkit... is it possible the machine to be compromised? Do you 
have any active connections from that port? What does the "netstat -na" 
says? you are likely to find your port... Yet, if that is used only for 
firewall... there shouldn't be even single port open.

> Now, this really confuses me.  When I scan myself using "online" scanners
> (directed specifically at 5190), I get back that packets were
> dropped/"stealthed," but NMAP says its open.  I added a specific rule (in
> addition to the default drop policy) to drop anything to tcp 5190, but this
> made no difference.  The "online" scanners still say nothing there, NMAP
> still says its open.
>  
The -P0 does:
Do not try to ping hosts at  all  before  scanning  them.   This
allows  the  scanning  of  networks  that  don't allow ICMP echo
requests (or responses) through their  firewall.
It is only useful if your firewall doesn't return ICMP's :)

> NMAPs OS identification gives me several possibilities including "Linux
> 2.4.x|2.5.x," so NMAP does seem to be getting some imformation from the
> firewall.
>
>  
Nmap gets information for OS from various flags of  returned tcp 
packets... google "OS fingerprinting" for more info.

> TCP 5190 is apparently related to AOL IM, but this is not something I have
> ever used, and I can't think of any reason why the LEAF Firewall would have
> it open.
>
>  
Not necessarily related. It could be anything...

> What am I missing?
>
> Thanks in advance for any help.
>
> bye - ted
>
>
>
>