
New Member

Am I owned tcp port 27665?

On my Cisco Router, I do an nmap from outside on the Internet. The result is:

    Interesting ports on *.*.50.1:
    Not shown: 1676 closed ports
    PORT      STATE    SERVICE
    23/tcp    filtered telnet
    135/tcp   filtered msrpc
    1524/tcp  filtered ingreslock
    27665/tcp filtered Trinoo_Master

I am worried about the last two entries. The last nmap was done in Feb this year and I have confirmed that the two ports did not exist.

Though the state "filtered" is a solace, I am still concerned. How can I be sure that the system has not been compromised?

Also the current IOS Version on my Router is 12.4. It was the same case when I was using older v 12.2 on another router, so I thought maybe, it's an IOS issue and I upgraded my Router to 2811 with IOS v 12.4.

But as soon as I plugged it into the circuit, I realised the nmap again gives the Trinoo_Master entry with state as filtered.

Where could the problem lie? Is it with my firewall configuration behind the router?

8 REPLIES
Gold

Re: Am I owned tcp port 27665?

Filtered means that a router is blocking connection attempts to that port, but it's not telling you if the port is open or closed. You can't reach it to detect that.

Check this link for more info:

http://insecure.org/nmap/man/

M.

Hope that helps; rate if it does.

New Member

Re: Am I owned tcp port 27665?

Yes, I know that. But the port wasn't even getting listed when I ran the nmap a few months ago, and since then no changes have taken place, so why does it get listed now? How can I stop it from being listed while I do nmap?

Silver

Re: Am I owned tcp port 27665?

My guess is that your ISP may be blocking those ports due to abuse. I know some ISPs such as COX block a lot of ports to home users, and that's how it shows up. It could mean that you added an ACL on your border router to block those ports, but since it sounds like nothing changed I am guessing it's an ISP in the middle. Where are you scanning from? If it's a home connection, the same applies. Maybe your home provider is blocking the outbound traffic.

If you would like, I could try a scan from my host. If you want me to try, reply and I will e-mail your profile address.

-Eric

Please remember to rate all helpful posts.

New Member

Re: Am I owned tcp port 27665?

The only ACL entries are deny ICMP any any, deny tcp any any eq telnet, permit ip any any on the border router.

I cannot quite understand: if the ISP blocks these ports due to abuse, where exactly does it block them? I am doing an nmap directly to my Router. Please explain, as I am a bit confused.

Yes, please send an email to my profile address and I'll send you the gateway's IP.

Silver

Re: Am I owned tcp port 27665?

I sent you an e-mail. Are you saying you are scanning from right outside the router scanning to the router? I assumed you were scanning from another Internet host, but if you are scanning while directly connected to the network, then it couldn't be the ISP after all.

-Eric

Please remember to rate all helpful posts.

New Member

Re: Am I owned tcp port 27665?

Your assumption was correct. I am not scanning directly into the serial port but via an Internet host.

The funny thing is, I tried to run an nmap on another router I know which is supported by the same ISP, and these ports don't show up on the scan, though I am not sure if the scan takes the route via the same routers in these two cases. It might be that a few routers in the ISP farm are configured to block these ports while a few still lack the block for Trinoo_Master, Ingress etc.

And yes, I have replied to your email.

New Member

Re: Am I owned tcp port 27665?

So Eric, did you run nmap on my interface?

What did you find? Just wondering! :)

Silver

Re: Am I owned tcp port 27665?

Oh, sorry. I replied to your e-mail yesterday, but maybe it didn't go through. I did scan your host twice. First I used the defaults from my NMAP, and it showed several ports filtered. I then scanned the ports you were concerned about, and they did not show up filtered. That pretty much proves to me that the ISP you are scanning from is filtering the ports (or someone else on the path is). Someone on my end or yours was filtering several other ports I scanned, though.

I'll forward the results over again so I don't post the info here.

Hope this helps.

-Eric

Please remember to rate all helpful posts.
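
The two-vantage-point comparison described in the last reply, as an added example that is not part of the original thread: it parses nmap's normal output from two scan origins and separates ports filtered from both (consistent with a filter at or near the target, such as the router's own telnet ACL) from ports filtered from only one origin (consistent with a filter on that origin's path). Both sample outputs are constructed, the first modelled on the scan in the question, and the code assumes both scans covered the same port range.

```python
import re

# Port table rows such as "27665/tcp filtered Trinoo_Master"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)[ \t]+(\S+)[ \t]+(\S+)", re.M)
# "Not shown: 1676 closed ports" gives the state of every unlisted port
NOT_SHOWN = re.compile(r"^Not shown:[ \t]+\d+[ \t]+(\S+)", re.M)

def parse_nmap(text):
    """Return ({(port, proto): state}, state_of_unlisted_ports)."""
    ports = {(int(p), proto): state
             for p, proto, state, _svc in PORT_LINE.findall(text)}
    m = NOT_SHOWN.search(text)
    return ports, (m.group(1) if m else "unknown")

def compare_vantage_points(scan_a, scan_b):
    """Classify ports by which scan origin sees them as filtered."""
    ports_a, default_a = parse_nmap(scan_a)
    ports_b, default_b = parse_nmap(scan_b)
    result = {"both": [], "only_a": [], "only_b": []}
    for key in sorted(set(ports_a) | set(ports_b)):
        fa = ports_a.get(key, default_a) == "filtered"
        fb = ports_b.get(key, default_b) == "filtered"
        if fa and fb:
            result["both"].append(key)      # filter at or near the target
        elif fa:
            result["only_a"].append(key)    # filter on origin A's path
        elif fb:
            result["only_b"].append(key)    # filter on origin B's path
    return result

# Constructed sample: scan from origin A (modelled on the question)
SCAN_A = """Not shown: 1676 closed ports
PORT      STATE    SERVICE
23/tcp    filtered telnet
135/tcp   filtered msrpc
1524/tcp  filtered ingreslock
27665/tcp filtered Trinoo_Master
"""
# Constructed sample: scan of the same target from a second origin B
SCAN_B = """Not shown: 1678 closed ports
PORT    STATE    SERVICE
23/tcp  filtered telnet
445/tcp filtered microsoft-ds
"""

if __name__ == "__main__":
    for group, ports in compare_vantage_points(SCAN_A, SCAN_B).items():
        print(group, ports)
```
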
