localhost portscan detects 2 randomly opened and closed ports - other hosts cannot see these open

Post by Jaso » Sun, 23 Dec 2001 08:41:49



This is strange.  I have a server (SuSE 7.1) which runs only SSHD and
BIND.  When scanned from a remote node it comes up as 22 and 53 only.
So initially everything seems kosher...
However when scanned from itself, it always detects open ports that
are immediately closed and revolved to other open ports.  These ports
are too small to be anything involved with SSH.  So for example ports
3184 and 1196 might be open on one scan, and then 4208 2220 on the
next run of scans.  The strange thing is they only remain open for a
few milliseconds.  I cannot telnet into them.  Not only that, but a
check of netstat or lsof reveals nothing.  Any ideas?  I've included a
couple scans below for reference...  Thanks to anyone with ideas about
this.

-Jason

******************************SNIP******************************
Suse 7.1 linuxserver:~ # netcat -z -v localhost 1-10000
localhost [127.0.0.1] 4208 (?) open
localhost [127.0.0.1] 2220 (ganymede) open
localhost [127.0.0.1] 53 (domain) open
localhost [127.0.0.1] 22 (ssh) open
Suse 7.1 linuxserver:~ # netcat -z -v localhost 1-10000
localhost [127.0.0.1] 3245 (?) open
localhost [127.0.0.1] 1257 (?) open
localhost [127.0.0.1] 53 (domain) open
localhost [127.0.0.1] 22 (ssh) open
******************************SNIP******************************

* remove ".nospam" to email me directly.


1. Open ports when i scan my own box, closed when others scan it

I am trying to find out something. I am running Mandrake 7.2, and my
firewall that I am using is LnxFire[Gnome]. When I do a port scan on any
of the sites out there, it comes up clean and no ports open, everything is
stealth. When I do my own nmap scan, well, I get this:
631/tcp  open  unknown
1024/tcp  open  kdm
1026/tcp open  nterm
6000/tcp  open  X11
16001/tcp open   unknown
My IP changes every time, so I don't mind sharing this.

How is this when other scans outside the box get nothing? And also can
someone explain what these things that are open
[unknown,kdm,nterm,X11,unknown] are? I want to close these things up, I have
my firewall set that there are no servers at all on my system.

I am new to Linux, but that doesn't stop me from wanting to learn.
Thanks for the help.

silver

--
****************************************************************
Registered Linux User #215731
Licq #107395280

Enjoy Life........
;-)
