
Am I owned tcp port 27665?

fahim
Level 1

On my Cisco Router, I do a nmap from outside on the Internet. The result is:

    Interesting ports on *.*.50.1:
    Not shown: 1676 closed ports
    PORT      STATE    SERVICE
    23/tcp    filtered telnet
    135/tcp   filtered msrpc
    1524/tcp  filtered ingreslock
    27665/tcp filtered Trinoo_Master

I am worried about the last two entries. The last nmap was done in Feb this year and I have confirmed that the two ports did not exist.

Though the state "filtered" is a solace, I am still concerned. How can I be sure that the system has not been compromised?

Also, the current IOS version on my router is 12.4. It was the same case when I was using the older v 12.2 on another router, so I thought maybe it's an IOS issue, and I upgraded my router to a 2811 with IOS v 12.4.

But as soon as I plugged it into the circuit, I realised the nmap again gives the trinoo_master entry with the state as filtered.

Where could the problem lie? Is it with my firewall configuration behind the router?

8 Replies

m.sir
Level 7

Filtered means that a router is blocking connection attempts to that port, but it's not telling you if the port is open or closed. You can't reach it to detect that.

Check this link for more info:

http://insecure.org/nmap/man/

M.

Hope that helps. Rate if it does.

Yes, I know that. But the port wasn't even getting listed when I ran the nmap a few months ago, and since then no changes have taken place, so why does it get listed now? How can I stop it from being listed when I do an nmap?

My guess is that your ISP may be blocking those ports due to abuse. I know some ISPs such as COX block a lot of ports to home users, and that's how it shows up. It could mean that you added an ACL on your border router to block those ports, but since it sounds like nothing changed I am guessing it's an ISP in the middle. Where are you scanning from? If it's a home connection, the same applies. Maybe your home provider is blocking the outbound traffic.

If you would like, I could try a scan from my host. If you want me to try, reply and I will e-mail your profile address.

-Eric

Please remember to rate all helpful posts.

The only ACL entries are deny ICMP any any, deny tcp any any eq telnet, permit ip any any on the border router.

I cannot quite understand: if the ISP blocks these ports due to abuse, where exactly does it block them? I am doing an nmap directly to my router... please explain, as I am a bit confused.

Yes..please send an email to my profile address and I'll send you the gateway's IP.

I sent you an e-mail. Are you saying you are scanning from right outside the router scanning to the router? I assumed you were scanning from another Internet host, but if you are scanning while directly connected to the network, then it couldn't be the ISP after all.

-Eric

Please remember to rate all helpful posts.

Your assumption was correct. I am not scanning directly into the serial port but via an Internet host.

The funny thing is, I tried to run an nmap on another router I know which is supported by the same ISP, and these ports don't show up on the scan, though I am not sure if the scan takes the route via the same routers in these two cases. It might be that a few sets of routers in the ISP farm are configured to block these ports, while a few still lack the block for Trinoo_Master, Ingress, etc.

And yes...I have replied to your email.

So Eric...did you run nmap on my interface?

What did you find?? Just wondering!! :)

Oh, sorry. I replied to your e-mail yesterday, but maybe it didn't go through. I did scan your host twice. First I used the defaults from my NMAP, and it showed several ports filtered. I then scanned the ports you were concerned about, and they did not show up filtered. That pretty much proves to me that the ISP you are scanning from is filtering the ports (or someone else on the path is). Someone on my end or yours was filtering several other ports I scanned, though.

I'll forward the results over again so I don't post the info here.

Hope this helps.

-Eric

Please remember to rate all helpful posts.
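The check this thread converges on (scan the same router from a second network and see which "filtered" ports change state) can be done mechanically; the following is an added example, not part of the original posts. SCAN_A is the output quoted in the question, SCAN_B is constructed to match the description of the second scan, and the function names are hypothetical.

```python
import re

# SCAN_A: output quoted in the question (vantage point A).
SCAN_A = """Interesting ports on *.*.50.1:
Not shown: 1676 closed ports
PORT STATE SERVICE
23/tcp filtered telnet
135/tcp filtered msrpc
1524/tcp filtered ingreslock
27665/tcp filtered Trinoo_Master"""
# SCAN_B: constructed sample of the same scan run from a different network.
SCAN_B = """Interesting ports on *.*.50.1:
Not shown: 1677 closed ports
PORT STATE SERVICE
23/tcp filtered telnet
135/tcp filtered msrpc
445/tcp filtered microsoft-ds"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)")
NOT_SHOWN = re.compile(r"(\d+) ([a-z|]+) (?:tcp |udp )?ports")

def parse_nmap(text):
    """Return (listed states by port, state of unlisted ports or None if ambiguous)."""
    listed, hidden = {}, []
    for line in map(str.strip, text.splitlines()):
        m = PORT_LINE.match(line)
        if m:
            listed[f"{m.group(1)}/{m.group(2)}"] = m.group(3)
        elif line.startswith("Not shown:"):
            hidden = [state for _, state in NOT_SHOWN.findall(line)]
    return listed, (hidden[0] if len(hidden) == 1 else None)

def compare(scan_a, scan_b):
    """Classify each port that vantage point A reports as filtered."""
    a, _ = parse_nmap(scan_a)
    b, b_default = parse_nmap(scan_b)
    verdicts = {}
    for port in (p for p, s in a.items() if s == "filtered"):
        seen = b.get(port, b_default)  # assumes B probed the same port range
        if seen in ("open", "closed"):
            # B got a reply from the target, so the drop happens on A's path.
            verdicts[port] = f"path filter near A (B sees {seen})"
        elif seen == "filtered":
            verdicts[port] = "filtered from both: target ACL or shared upstream"
        else:
            verdicts[port] = "inconclusive: rescan this port from B"
    return verdicts

for port, verdict in compare(SCAN_A, SCAN_B).items():
    print(port, "->", verdict)
```

A port that stays filtered from both networks, such as 23/tcp here, is consistent with the router's own `deny tcp any any eq telnet` entry, while one that turns closed from the second network points at a filter on the first scanner's path.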