
Something fishy going on here.

  • 19-01-2002 12:37am
    #1
    Registered Users Posts: 1,842 ✭✭✭


    I have a box I take care of located in england, was putting ipchains on it and blocking some ports I don't want open to the world, came across something very odd.

    When I scan the machine from another one (located in the US) nmap lists port 600 ("ipcserver") as open, yet on the machine when I scan itself, it does not come up!

    nmap output, etc:

    From US box:

    Starting nmap V. 2.54BETA28 ( www.insecure.org/nmap/ )
    Strange SO_ERROR from connection to 217.72.168.146 (52) -- bailing scan: Operation now in progress
    Interesting ports on (217.72.168.146):
    (The 1537 ports scanned but not shown below are in state: closed)
    Port State Service
    <snip>
    600/tcp open ipcserver
    <snip>


    $ telnet sleepygeek.org 600
    Trying 217.72.168.146...
    telnet: connect to address 217.72.168.146: Network dropped connection on reset
    telnet: Unable to connect to remote host

    The nmap from the UK machine receives "Connection refused" when trying to connect to it.

    600 is not shown as open from another US box.

    On a similar note, I'm given this:

    Strange SO_ERROR from connection to 217.72.168.146 (52) -- bailing scan: Operation now in progress

    when scanning from the first US box.

    So what's going on?


Comments

  • Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    While this is certainly very strange, I doubt it's a security issue as such. Would be interesting if anyone could offer any ideas as to why it's happening though, someone with more networking clue than me.

    Does that port repeatedly show up when you scan from that US box again? Does it show up as open on other hosts you nmap from there?


  • Closed Accounts Posts: 296 ✭✭moist


    Curious, are you running the same version of nmap on both machines?
    nmap doesn't scan all 65,000 odd ports unless you ask it to and the ones that it
    scans by default probably increase from version to version (I've never checked).

    Use netstat to see what ports are open on the machine.
    If you are feeling paranoid see if you can find a static compile of netstat/lsof/similar
    and get it on to the box to see if there is anything on port 600.

    Also double check everything like your ipchains rules and tcp_wrappers to see if they
    might be blocking connections to 600 from the local machine for some reason.

    The SO_ERROR just means (according to errno(2)) "Network dropped connection on reset".
    Usually it is supposed to mean that the remote machine dropped the connection and rebooted,
    but it is most likely a result of your ipchains rules.
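
Added example, not part of the original thread: the local cross-check suggested in the reply above, done by reading the kernel's socket table directly instead of trusting the installed netstat binary, then comparing it with the "open" rows of a remote nmap report. It assumes a Linux host with `/proc/net/tcp` on a little-endian CPU; the function names and both sample inputs are constructed for illustration.

```python
import re
import socket
import struct

TCP_LISTEN = 0x0A  # state code for LISTEN in Linux /proc/net/tcp

# Constructed sample data (not taken from the thread's hosts).
SAMPLE_PROC = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1305
   2: 0A00000A:0016 0B00000A:C350 01 00000000:00000000 00:00000000 00000000     0        0 1410
"""
SAMPLE_NMAP = """\
Port       State       Service
22/tcp     open        ssh
25/tcp     filtered    smtp
600/tcp    open        ipcserver
"""

def parse_listeners(proc_text):
    """Return [(ip, port, uid, inode)] for IPv4 sockets in LISTEN state."""
    found = []
    for line in proc_text.splitlines()[1:]:          # first line is the header
        f = line.split()
        if len(f) < 10 or int(f[3], 16) != TCP_LISTEN:
            continue
        ip_hex, port_hex = f[1].split(":")
        # Address is a native-endian 32-bit word; "<I" assumes a little-endian host.
        ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
        found.append((ip, int(port_hex, 16), int(f[7]), int(f[9])))
    return sorted(found, key=lambda s: (s[1], s[0]))

def open_ports_from_nmap(report):
    """Ports nmap lists as 'open' (ignores 'filtered' and 'closed' rows)."""
    return sorted(int(m.group(1)) for m in
                  re.finditer(r"^\s*(\d+)/tcp\s+open\b", report, re.MULTILINE))

def unexplained_ports(report, proc_text):
    """Ports a remote scan calls open that have no local listener."""
    local = {port for _, port, _, _ in parse_listeners(proc_text)}
    return [p for p in open_ports_from_nmap(report) if p not in local]

if __name__ == "__main__":
    # On the scanned host itself: proc_text = open("/proc/net/tcp").read()
    for ip, port, uid, inode in parse_listeners(SAMPLE_PROC):
        print(f"LISTEN {ip}:{port} uid={uid} inode={inode}")
    print("open remotely, no local listener:", unexplained_ports(SAMPLE_NMAP, SAMPLE_PROC))
```

A port that shows up only in the remote report has no listening socket in the kernel's IPv4 table, so the next place to look is filtering on the path or at the scanning end; IPv6 listeners live in `/proc/net/tcp6` and are not covered here.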


  • Closed Accounts Posts: 7,230 ✭✭✭scojones


    I have an idea as to what it might be. Although I'm probably wrong. Do you run BitchX from sleepygeek.org? Sometimes when I'm using bitchx it opens a port on my box for a few mins then closes it. Which could be why you only see it from the american box (bad luck when you scan local as it could be closed again). I dunno though since it's port 600 it needs to be root-ran. Ordinary users can't open a port that low can they? hm..


  • Registered Users Posts: 1,842 ✭✭✭phaxx


    sjones: One user always has bx running, and occasionally I IRC from it.

    Port 600 shows up on every scan of sleepygeek.org from the US box.

    $ nmap troll.boards.ie

    Starting nmap V. 2.54BETA28 ( www.insecure.org/nmap/ )
    Strange SO_ERROR from connection to 195.218.115.65 (52) -- bailing scan: Operation now in progress
    Interesting ports on troll.boards.ie (195.218.115.65):
    (The 1542 ports scanned but not shown below are in state: filtered)
    Port State Service
    <snip>
    600/tcp open ipcserver

    $ nmap dahomelands.net

    Starting nmap V. 2.54BETA28 ( www.insecure.org/nmap/ )
    Strange SO_ERROR from connection to 66.70.14.72 (52) -- bailing scan: Operation now in progress
    <snip; repeated three times>
    Interesting ports on (66.70.14.72):
    (The 1532 ports scanned but not shown below are in state: closed)
    Port State Service
    <snip>
    600/tcp filtered ipcserver
    <snip>

    So, seems to be a problem with that machine only.

    What can it be? It's sitting on a wonky DSL connection that seems to bugger up every so often, so would I be right in blaming the ISP's equipment?


  • Closed Accounts Posts: 7,230 ✭✭✭scojones


    I dunno phaxx, tis a bit weird alright. Try doing a "netstat -lp" locally and see if that helps. I think those are the correct options.


  • Closed Accounts Posts: 21 ego


    I would imagine there is some local filtering on the US machine, i.e. it's probably filtering outgoing connections to certain ports (might even be on the DSL modem). Nmap the US machine from localhost and find out or check the local filtering rules if you have appropriate access.


  • Closed Accounts Posts: 7,230 ✭✭✭scojones


    yeah netstat -lp on the local machine will show you what service is running on what port.


  • Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    That's the second time you've posted netstat -lp, but I don't know of any systems where those options do anything useful ...


  • Closed Accounts Posts: 7,230 ✭✭✭scojones


    yeah sorry xor, and it's supposed to be netstat -lnp ;/ I'll leave you lot alone now.

