OK this just gets weirder..... Rootkit scans of guest OS show nothing. The extended nmap does not give more information.
TCPdump on guest OS shows connection, and response
---
13:27:30.482409 IP (tos 0x0, ttl 128, id 32613, offset 0, flags [DF], proto TCP (6), length 48) sdw2-xp.point-inc.local.2613 > 192.168.3.61.ftp: S, cksum 0x0a46 (correct), 3868525646:3868525646(0) win 64512 <mss 1460,nop,nop,sackOK>
13:27:30.487292 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40) 192.168.3.61.ftp > sdw2-xp.point-inc.local.2613: R, cksum 0x32f7 (correct), 0:0(0) ack 3868525647 win 0
13:27:30.959248 IP (tos 0x0, ttl 128, id 32690, offset 0, flags [DF], proto TCP (6), length 48) sdw2-xp.point-inc.local.2613 > 192.168.3.61.ftp: S, cksum 0x0a46 (correct), 3868525646:3868525646(0) win 64512 <mss 1460,nop,nop,sackOK>
13:27:30.959304 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40) 192.168.3.61.ftp > sdw2-xp.point-inc.local.2613: R, cksum 0x32f7 (correct), 0:0(0) ack 1 win 0
13:27:31.615777 IP (tos 0x0, ttl 128, id 32794, offset 0, flags [DF], proto TCP (6), length 48) sdw2-xp.point-inc.local.2613 > 192.168.3.61.ftp: S, cksum 0x0a46 (correct), 3868525646:3868525646(0) win 64512 <mss 1460,nop,nop,sackOK>
13:27:31.615813 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40) 192.168.3.61.ftp > sdw2-xp.point-inc.local.2613: R, cksum 0x32f7 (correct), 0:0(0) ack 1 win 0
---
The port is connected and automatically closed after a short delay with guest OS running, however it STILL connects with guest OS suspended (just doesn't disconnect).

I think that VMWare is doing something funky. Anyone with VMServer 2.0.0 want to confirm? Did/doesn't occur with an older version (1.0.4).

Simon.

