RE: Port open - help

[Peter Rodger <prodger2008 () yahoo com>]

> Are you looking at the servers from inside the
> network or outside?
outside.

I did "no fixup protocol smtp 25" already due to mail
issue.

Here is the nmap result from inside network:
****************
Starting nmap 3.55-SP2 ( http://www.insecure.org/nmap
) at 2005-03-09 12:51 East
ern Standard Time
Failed to resolve given hostname/IP: nmap.  Note that
you can't use '/mask' AND
'[1-4,7,100-]' style IP ranges
Host (192.168.2.5) appears to be up ... good.
Initiating Connect() Scan against 192.168.2.5 at 12:51
Adding open port 3389/tcp
Adding open port 25/tcp
Adding open port 135/tcp
Adding open port 139/tcp
Adding open port 1494/tcp
Adding open port 445/tcp
Adding open port 110/tcp
The Connect() Scan took 333 seconds to scan 1660
ports.
For OSScan assuming that port 25 is open and port 1 is
closed and neither are fi
rewalled
WARNING:  RST from port 25 -- is this port really
open?
WARNING:  RST from port 25 -- is this port really
open?
WARNING:  RST from port 25 -- is this port really
open?
WARNING:  RST from port 25 -- is this port really
open?
WARNING:  RST from port 25 -- is this port really
open?
(The 1653 ports scanned but not shown below are in
state: closed)
PORT     STATE SERVICE
25/tcp   open  smtp
110/tcp  open  pop3
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1494/tcp open  citrix-ica
3389/tcp open  ms-term-serv
Device type: general purpose
Running: Microsoft Windows NT/2K/XP
OS details: Microsoft Windows XP Professional SP1 or
Windows 2000 SP3
***************************

Here is the nmap result from outside network:

using nmap -sT -v -P0 -O ip
(The 1657 ports scanned but not shown below are in
state: filtered)
PORT     STATE SERVICE
25/tcp   open  smtp
110/tcp  open  pop3
1494/tcp open  citrix-ica
Too many fingerprints match this host to give specific
OS details
TCP/IP fingerprint:
SInfo(V=3.55-SP2%P=i686-pc-windows-windows%D=3/8%Time=422DE139%O=25%C=-1)
T1(Resp=N)
T2(Resp=N)
T3(Resp=N)
T4(Resp=N)
T5(Resp=N)
T6(Resp=N)
T7(Resp=N)
PU(Resp=N)
******************************************

Thanks!

Peter


--- Andrew Shore <andrew.shore () holistecs com> wrote:

> Are you looking at the servers from inside the
> network or outside?
>
> If it's outside the network then you may be
> connecting to the PIX's fix
> up protocol sockets, these are protocol interception
> routines which do
> deep inspection of the data.
>
> Ie when you connect to a mail server behind a pix
> the pix will
> substitute the server id string with ****'s to hide
> the application
> running mail. It also restricts the command you can
> send to the pix and
> whole lot more.
>
> You may not actually have these ports open on the
> servers.
>
> If you have no mail servers behind the firewall run
> the command
>
> "no fixup smtp 25"
>
> on the firewall.
>
> Andy
>
> -----Original Message-----
> From: Peter Rodger [mailto:prodger2008 () yahoo com] 
> Sent: 09 March 2005 17:31
> To: Andrew Shore
> Subject: RE: Port open - help
>
> these ports are simply open on the PIX outside
> interface.
>
> Windoww 2000 and 1.8 Metaframe.  
>
> not just Citrix servers and every static translated
> servers have ports 25/110 open.
>
> Do you know why?
>
> Thanks
> --- Andrew Shore <andrew.shore () holistecs com> wrote:
> > Are you saying there is a rule on PIX to allow
> > 24/110 or that these port
> > are simply open?
> >
> > What versions of windows/citrix are you running?
> > What services are
> > installed (windows add/remove programs ->windows
> > components)
> >
> > -----Original Message-----
> > From: Peter Rodger [mailto:prodger2008 () yahoo com] 
> > Sent: 09 March 2005 17:12
> > To: Andrew Shore
> > Subject: RE: Port open - help
> >
> > an empty black screen.
> >
> >
> >
> > What I found out that port 25/110 open on the PIX
> > external interface, any server that has static
> > mapping
> > on the PIX has 25/110 open.  I have no idea that
> > 25/110 open on the PIX public interface and I did
> > not
> > open that ports on the PIX public interface.  Why
> > did
> > other servers have these ports open even we did
> not
> > open on these servers?
> >
> >
> > Thanks!
> > --- Andrew Shore <andrew.shore () holistecs com>
> wrote:
> > > 25 is smtp and 110 is pop3
> > >
> > > Have you installed any mail applications ?
> > >
> > > When you telnet on what is the logon message (ie
> > > Welcome to Microsoft
> > > SMTP Service Ver x.y?
> > >
> > > -----Original Message-----
> > > From: dave kleiman [mailto:dave () isecureu com] 
> > > Sent: 09 March 2005 03:29
> > > To: 'Peter Rodger';
> > > security-basics () securityfocus com
> > > Subject: RE: Port open - help
> > >
> > > Peter,
> > >
> > > Have you tried to identify what process is
> > listening
> > > on those ports:
> > >
> > > Netstat -ano
> > >
> > > Tcpview
http://www.sysinternals.com/ntw2k/source/tcpview.shtml
> > > Vision
http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subc
> > > onte
> > > nt=/resources/freetools.htm
> > >
> > > CurrPorts http://nirsoft.mirrorz.com/
> > >
> > > Regards,
> ___________________________________________________
> > > Dave Kleiman, CIFI, CISM, CISSP, ISSAP, ISSMP,
> > MCSE
> > > www.SecurityBreachResponse.com
> > > www.ComputerForensicInvestigations.com
> > >
> > >
> > > -----Original Message-----
> > > From: Peter Rodger
> [mailto:prodger2008 () yahoo com]
> > > Sent: Tuesday, March 08, 2005 13:27
> > > To: security-basics () securityfocus com
> > > Subject: Port open - help
> > >
> > > Hi, all
> > >
> > > I just use nmap to scan our Citrix servers and
> > found
> > > out ports 25 aqnd
> > > 110
> > > open through public addresses.
> > > I can use telnet ip 25/110 and ports are open. 
> > But,
> > > no 25/110 services
> > > are
> > > installed on the Citrix servers.  I used nmap to
> > > scan the Citrix servers
> > > using internal IP and ports 25/110 are not open.
>
> > We
> > > use PIX 500 as a
> > > firewall.
> > >
> > > I did not open 25/110 for the Citrix servers on
> > the
> > > firewall.  Why are
> > > 25/110 ports open and how do I solve them?
> > >
> > >
> > > Thanks for any help!
> > >
> > > Peter
> > >
> > >
> > >
> > >
> > > __________________________________
> > > Celebrate Yahoo!'s 10th Birthday!
> > > Yahoo! Netrospective: 100 Moments of the Web
> > > http://birthday.yahoo.com/netrospective/
> >
> > __________________________________________________
> > Do You Yahoo!?
> > Tired of spam?  Yahoo! Mail has the best spam
> > protection around 
> > http://mail.yahoo.com 
>
>
>       
>               
> __________________________________ 
> Celebrate Yahoo!'s 10th Birthday! 
> Yahoo! Netrospective: 100 Moments of the Web 
> http://birthday.yahoo.com/netrospective/




        
                
__________________________________ 
Celebrate Yahoo!'s 10th Birthday! 
Yahoo! Netrospective: 100 Moments of the Web 
http://birthday.yahoo.com/netrospective/