Penetration Testing mailing list archives

RE: About Trinoo_Master on 27665 tcp


From: "Paul Melson" <pmelson () gmail com>
Date: Wed, 18 Oct 2006 16:40:54 -0400

-----Original Message-----
Subject: About Trinoo_Master on 27665 tcp

On my Cisco Router, I do a nmap from outside on the Internet. The result
is:

" Interesting ports on *.*.50.1:
Not shown: 1676 closed ports
PORT STATE SERVICE
23/tcp filtered telnet
135/tcp filtered msrpc
1524/tcp filtered ingreslock
27665/tcp filtered Trinoo_Master

I am worried about the last two entries. The last nmap was done in Feb
this year and I have confirmed that the two ports did not exist.
Though the state "filtered" is a solace, I am still concerned. How can
I be sure that the system has not been compromised?

http://insecure.org/nmap/man/man-port-scanning-techniques.html

Don't be.  The difference between "filtered" and "closed" is that for the
closed ports Nmap received a TCP RST packet for that port and for the
filtered ports it received no response (like a firewall drop) or an ICMP
unreachable packet.

I would say it's 99.9% likely that somewhere between your Nmap host and your
router a firewall or router is knocking down all traffic to those ports.

PaulM
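
Added example, not part of the original thread: a small Python diff of two Nmap port tables that labels each state change using the closed/filtered distinction explained in the reply. The current scan is the output quoted above; the February baseline is constructed, and the names `parse_ports`, `diff_scans` and `NOTES` are hypothetical.

```python
import re

# Port-table row of Nmap's normal output, e.g. "27665/tcp filtered Trinoo_Master"
ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*$")
# What each new state tells a defender about the probe that produced it
NOTES = {
    "open": "probe was answered: a listener exists, investigate the host",
    "filtered": "no reply or ICMP unreachable: look for a drop rule on the path",
    "closed": "RST received: port reachable, nothing listening",
}

def parse_ports(text):
    """Return {(port, proto): (state, service)} for the rows Nmap listed."""
    ports = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            ports[(int(m.group(1)), m.group(2))] = (m.group(3), m.group(4))
    return ports

def diff_scans(old_text, new_text, default_state="closed"):
    """Ports whose state changed; unlisted ports are assumed to be default_state."""
    old, new = parse_ports(old_text), parse_ports(new_text)
    changes = []
    for key in sorted(set(old) | set(new)):
        before = old.get(key, (default_state, ""))[0]
        after = new.get(key, (default_state, ""))[0]
        if before != after:
            changes.append((key[0], key[1], before, after, NOTES.get(after, "see Nmap's state definitions")))
    return changes

# CURRENT is the scan quoted in the message. BASELINE is constructed: the poster
# only says the last two ports were not in the February result.
BASELINE = """PORT STATE SERVICE
23/tcp filtered telnet
135/tcp filtered msrpc
"""
CURRENT = """Not shown: 1676 closed ports
PORT STATE SERVICE
23/tcp filtered telnet
135/tcp filtered msrpc
1524/tcp filtered ingreslock
27665/tcp filtered Trinoo_Master
"""

if __name__ == "__main__":
    for port, proto, before, after, note in diff_scans(BASELINE, CURRENT):
        print(f"{port}/{proto}: {before} -> {after} ({note})")
```

Both changed ports go from closed to filtered, which points at filtering on the path; a change to open is the transition that would show something answering on the port.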


