Re: Strange open ports on windows machines

[Matt Carothers <matt () telepath com>]

On Thu, 21 Oct 1999, Christoph Schneeberger wrote:
 
> While scanning a customers public corporate website (on request) with nmap
> (2.3BETA6 and 2.02) I found the following open ports:
> Port    State       Protocol  Service
[...]
> 12345   filtered    tcp       NetBus   
>
> and udp:
> Port    State       Protocol  Service
[...]
> 31337   open        udp       BackOrifice  
>
> I then went with the customer through the following procedures:
[...] 
> -Running netstat -an on the server in question
>       The two ports 12345 tcp and 31337 udp where not shown, all other listening
> services were shown as expected.
> -installing Back Orificer Friendly from http://www.nfr.net/bof/ on the
> server (I hoped it would complain not being able to listen to 31337 udp)
>       Started and did not complain
> -I then connected to the server with 'netcat -u 31337' and typed some
> random chars which should normally trigger bof to pop-up and notify the user
>       Nothing happened, all other ports like i.e. pop3 triggered bof immediately
> So, am I missing a chapter or does this look like something really strange ? 

The nmap udp scan works by sending udp packets to the specified ports and
waiting for icmp port unreachable messages.  If the scanner doesn't get an icmp 
back, it assumes the port is open.  My guess is that a router or a firewall 
somewhere between your machine and the NT box is filtering 31337/udp.  Nmap 
wouldn't get a port unreachable back since the packet never hit the target 
machine, and you wouldn't be able to communicate with BOF on that port.

Looks like a similar situation for netbus.  Note that nmap lists it as
'filtered' rather than 'open.'  It's getting neither a SYN|ACK nor an RST
back so something is probably dropping your packets en route.

- Matt