Security Incidents mailing list archives

Re: strange, strange stuff

From: Jason Boyer <jason () BMH COM>
Date: Tue, 27 Mar 2001 09:35:10 -0500

Have you tried using nmap from another machine beside localhost? If so are
you getting the same strange readings?

I have seen times where certain linux boxes running X windows will do that
but nothing that frequent.

Cheers,
J

Max Gribov wrote:

I did my weekly sweep of my machine, which involves portscans, log
reviews, etc, and during nmap'ing i came across this:

four consequtive nmaps below:

--------------------------------
Starting nmap V. 2.54BETA7 ( www.insecure.org/nmap/ )
Strange read error from 127.0.0.1 (104): Operation now in progress
Strange read error from 127.0.0.1 (104): Operation now in progress
Strange read error from 127.0.0.1 (104): Operation now in progress
Interesting ports on localhost (127.0.0.1):
(The 65494 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
113/tcp    open        auth
1918/tcp   open        unknown
2643/tcp   open        unknown
4986/tcp   open        unknown
6000/tcp   open        X11

--------------------------------
Starting nmap V. 2.54BETA7 ( www.insecure.org/nmap/ )
Strange read error from 127.0.0.1 (104): Operation now in progress
Interesting ports on localhost (127.0.0.1):
(The 65496 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
113/tcp    open        auth
2538/tcp   open        unknown
6000/tcp   open        X11

--------------------------------
Starting nmap V. 2.54BETA7 ( www.insecure.org/nmap/ )
Strange read error from 127.0.0.1 (104): Operation now in progress
Interesting ports on localhost (127.0.0.1):
(The 65496 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
113/tcp    open        auth
3691/tcp   open        unknown
6000/tcp   open        X11

---------------------------------
Starting nmap V. 2.54BETA7 ( www.insecure.org/nmap/ )
Strange read error from 127.0.0.1 (104): Operation now in progress
Strange read error from 127.0.0.1 (104): Operation now in progress
Interesting ports on localhost (127.0.0.1):
(The 65495 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
113/tcp    open        auth
2913/tcp   open        unknown
3765/tcp   open        unknown
6000/tcp   open        X11

As you can see, in each portscan "Strange read error from 127.0.0.1
(104): Operation now in progress" error was recieved as well as a strange
"opened" port, number of which seem to correspond to number of the above
error messages. If i telnet to the port, i get "connection refused", and
nothing shows up on netstat/lsof.
Has anyone ever seen anything like this? Can anyone suggest some
tool/technique to find out what is exactly going on on my machine?

Thanks in advance,

Max_

Current thread:

strange, strange stuff Max Gribov (Mar 26)
- Re: strange, strange stuff Hugo van der Kooij (Mar 26)
  - Re: strange, strange stuff Peter Moody (Mar 27)
  - Re: strange, strange stuff Erik (Mar 28)
- Re: strange, strange stuff Jason Boyer (Mar 27)