hi Mike, thanks for your reply.
To give more info about my network: I'm running Debian unstable, 2.4 kernel with iptables. The network is only my machine on IP 192.168.0.1 with an external Ethernet card, and the W2K machine on static IP 192.168.0.253. On the Debian box snort is installed for intrusion detection, but not fully configured. The filtered ports I think I can explain: that's the firewall on my Linux machine; as soon as I nmap, my firewall responds with what I put underneath this email. You say that the open ports seem to be normal, but when I look at their names they don't sound very harmless to me. Also when I did nmaps in the past to the Win2K machine I didn't see them. The last thing we changed in the old configuration on the W2K is that we installed Cygwin with almost all the packages on it; could that have something to do with it? Anyway, thanks. Here is the output from my firewall in my messages log:

Feb 17 17:10:49 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=18194 PROTO=TCP SPT=36170 DPT=6002 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 17 17:10:49 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=14084 PROTO=TCP SPT=36226 DPT=6005 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 17 17:10:49 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58166 PROTO=TCP SPT=36300 DPT=137 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 17 17:10:49 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=TCP SPT=36443 DPT=6008 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 17 17:10:49 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=14356 PROTO=TCP SPT=36472 DPT=6000 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 17 17:10:49 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=TCP SPT=36521 DPT=6007 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 17 17:10:50 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=38102 PROTO=TCP SPT=36595 DPT=12345 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 17 17:10:50 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=53110 PROTO=TCP SPT=36673 DPT=2049 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 17 17:10:50 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=62968 PROTO=TCP SPT=36787 DPT=27665 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 17 17:10:50 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=13056 PROTO=TCP SPT=36833 DPT=12346 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 17 17:10:50 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=TCP SPT=36847 DPT=137 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 17 17:10:50 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=TCP SPT=36888 DPT=138 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 17 17:10:50 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=18416 PROTO=TCP SPT=37243 DPT=12345 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 17 17:10:50 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=65535 PROTO=TCP SPT=37286 DPT=139 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 17 17:10:50 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=TCP SPT=37389 DPT=2049 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 17 17:10:50 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=TCP SPT=37539 DPT=137 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 17 17:10:50 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=17731 PROTO=TCP SPT=37540 DPT=27665 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 17 17:10:50 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=17731 PROTO=TCP SPT=37541 DPT=12346 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 17 17:10:50 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=TCP SPT=37722 DPT=12345 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 17 17:10:50 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=TCP SPT=37724 DPT=2049 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 17 17:10:50 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=TCP SPT=37727 DPT=27665 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 17 17:10:51 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=44457 PROTO=TCP SPT=37747 DPT=27665 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 17 17:10:51 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=13056 PROTO=TCP SPT=37757 DPT=27665 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 17 17:10:52 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=TCP SPT=37768 DPT=2049 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 17 17:10:52 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=TCP SPT=37776 DPT=2049 WINDOW=5840 RES=0x00 SYN URGP=0

On Sun, Feb 17, 2002 at 10:19:07AM -0500, Mike wrote:
> This is a difficult question to answer without more knowledge of your
> network, but I'll take a shot at it anyway.
>
> The open ports seem normal.
> What is confusing is the filtered ports. The NMAP man page defines
> filtered as
>
> "Filtered means that a firewall, filter, or other network
> obstacle is covering the port and preventing nmap from
> determining whether the port is open."
>
> It appears that there is some type of firewall between the NMAP
> application and the Windows OS that is filtering out certain (generally
> considered dangerous) ports. If all these PCs are on a single HUB like
> most home networks have, then one of the PCs has port filtering turned
> on. Windows and Linux are both capable of port filtering.
>
> Hope that helps,
> Mike
>
> -----Original Message-----
> From: Hans Steinraht [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, February 17, 2002 10:50 AM
> To: debian-security
> Subject: is there something hacked in my network?
>
> hi all,
>
> A few days ago I scanned the only win2k-machine in my little
> home network (consisting of my debian-machine, the server, and a
> w2k-machine) with nmap -sT 192.0.168.253.
>
> This was the result I got:
> Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ )
> Interesting ports on (192.168.0.253):
> (The 1527 ports scanned but not shown below are in state: closed)
> Port       State       Service
> 110/tcp    open        pop-3
> 135/tcp    open        loc-srv
> 137/tcp    filtered    netbios-ns
> 138/tcp    filtered    netbios-dgm
> 139/tcp    filtered    netbios-ssn
> 445/tcp    open        microsoft-ds
> 1025/tcp   open        listen
> 2049/tcp   filtered    nfs
> 6000/tcp   filtered    X11
> 6001/tcp   filtered    X11:1
> 6002/tcp   filtered    X11:2
> 6003/tcp   filtered    X11:3
> 6004/tcp   filtered    X11:4
> 6005/tcp   filtered    X11:5
> 6006/tcp   filtered    X11:6
> 6007/tcp   filtered    X11:7
> 6008/tcp   filtered    X11:8
> 6009/tcp   filtered    X11:9
> 6050/tcp   filtered    arcserve
> 12345/tcp  filtered    NetBus
> 12346/tcp  filtered    NetBus
> 27665/tcp  filtered    Trinoo_Master
>
> We couldn't find what it was, but because we had planned to reinstall the
> windows-machine for a longer time we did that this weekend.
>
> After installing windows we started to try to install debian also on the
> windows-machine. When we did that (from floppies) the installation hangs
> when it tries to make a connection to the internet through my
> debian-machine.
>
> The strange thing now is that after a clean install of win2k and the half
> installation of debian a scan with nmap to the machine shows exactly the
> same as before.
>
> I don't know yet what it could be?
> Is it possible that the install floppies we have used to install linux on
> the windows machine were infected?
> Could it be that there was something wrong on the windows-machine that a
> normal format of all the disks didn't remove?
> Or is there something wrong in the debian server?
>
> Maybe someone can give us some advice?
>
> thanks,
> Hans
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
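Added example (editor's note, not part of the thread). The lines Hans pasted are iptables LOG-target output, and they already settle the "filtered" question: every entry has IN= empty and OUT=eth1, which is what a packet generated on the Debian box itself looks like when the OUTPUT chain of the filter table drops it, and the destination ports are exactly the ones nmap reported as filtered. The SYNs nmap sent from 192.168.0.1 never left salamander, so nmap cannot tell whether the Windows host has those ports open and reports "filtered". The Python below parses the posted log excerpt and the posted nmap table and performs that cross-check mechanically. It is written for this page, not taken from the thread or from nmap; the two data strings are copied from the messages above, and the function names are my own. One caveat: inferring the chain from IN/OUT is reliable for the filter table's INPUT/OUTPUT/FORWARD chains, but rules in the nat or mangle tables log the same field pattern, so when the --log-prefix does not identify the rule, confirm with iptables -L -v.

```python
import re
from collections import Counter

# Excerpt of the iptables LOG lines posted above: one line per distinct
# destination port, plus a second hit on 27665 so the counting is visible.
SAMPLE_LOG = """\
Feb 17 17:10:49 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=18194 PROTO=TCP SPT=36170 DPT=6002 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 17 17:10:49 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=14084 PROTO=TCP SPT=36226 DPT=6005 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 17 17:10:49 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58166 PROTO=TCP SPT=36300 DPT=137 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 17 17:10:49 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=TCP SPT=36443 DPT=6008 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 17 17:10:49 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=14356 PROTO=TCP SPT=36472 DPT=6000 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 17 17:10:49 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=TCP SPT=36521 DPT=6007 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 17 17:10:50 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=38102 PROTO=TCP SPT=36595 DPT=12345 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 17 17:10:50 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=53110 PROTO=TCP SPT=36673 DPT=2049 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 17 17:10:50 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=62968 PROTO=TCP SPT=36787 DPT=27665 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 17 17:10:50 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=13056 PROTO=TCP SPT=36833 DPT=12346 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 17 17:10:50 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=TCP SPT=36888 DPT=138 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 17 17:10:50 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=65535 PROTO=TCP SPT=37286 DPT=139 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 17 17:10:51 salamander kernel: DENIED PORT:IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.253 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=44457 PROTO=TCP SPT=37747 DPT=27665 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# The nmap -sT port table from the original question, copied as posted.
NMAP_OUTPUT = """\
110/tcp    open        pop-3
135/tcp    open        loc-srv
137/tcp    filtered    netbios-ns
138/tcp    filtered    netbios-dgm
139/tcp    filtered    netbios-ssn
445/tcp    open        microsoft-ds
1025/tcp   open        listen
2049/tcp   filtered    nfs
6000/tcp   filtered    X11
6001/tcp   filtered    X11:1
6002/tcp   filtered    X11:2
6003/tcp   filtered    X11:3
6004/tcp   filtered    X11:4
6005/tcp   filtered    X11:5
6006/tcp   filtered    X11:6
6007/tcp   filtered    X11:7
6008/tcp   filtered    X11:8
6009/tcp   filtered    X11:9
6050/tcp   filtered    arcserve
12345/tcp  filtered    NetBus
12346/tcp  filtered    NetBus
27665/tcp  filtered    Trinoo_Master
"""

IN_FIELD = re.compile(r"\bIN=")
NMAP_PORT = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")


def parse_log_line(line):
    """Split one iptables LOG line into its key=value fields; None if it is not one."""
    head, sep, rest = line.partition("kernel: ")
    m = IN_FIELD.search(rest) if sep else None
    if m is None:
        return None
    # Text between "kernel:" and IN= is the rule's --log-prefix ("DENIED PORT:" here);
    # bare tokens after it (SYN, ACK, DF, ...) are TCP/IP flags rather than fields.
    rec = {"timestamp": head[:15], "prefix": rest[:m.start()].strip(), "flags": []}
    for tok in rest[m.start():].split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            rec[key] = val
        else:
            rec["flags"].append(tok)
    return rec


def chain_of(rec):
    """Infer the filter-table chain from IN/OUT: a packet with no input interface
    was generated on this host, so IN= empty plus OUT=<iface> is the OUTPUT chain."""
    has_in, has_out = bool(rec.get("IN")), bool(rec.get("OUT"))
    return {(True, True): "FORWARD", (False, True): "OUTPUT",
            (True, False): "INPUT"}.get((has_in, has_out), "UNKNOWN")


def parse_nmap(text):
    """Map port number -> (state, service) from nmap's port table."""
    ports = {}
    for line in text.splitlines():
        m = NMAP_PORT.match(line.strip())
        if m:
            ports[int(m.group(1))] = (m.group(3), m.group(4))
    return ports


def correlate(log_text, nmap_text, scanner_ip, target_ip):
    """Test whether nmap's 'filtered' ports are explained by SYNs the scanning
    host's own OUTPUT chain dropped before they reached the target."""
    filtered = {p for p, (state, _) in parse_nmap(nmap_text).items() if state == "filtered"}
    dropped = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if (rec is None or rec.get("PROTO") != "TCP" or "SYN" not in rec["flags"]
                or rec.get("SRC") != scanner_ip or rec.get("DST") != target_ip
                or chain_of(rec) != "OUTPUT"):
            continue
        dropped[int(rec["DPT"])] += 1
    return {
        "explained_by_local_firewall": sorted(set(dropped) & filtered),
        "dropped_but_not_filtered": sorted(set(dropped) - filtered),
        "filtered_but_not_in_log": sorted(filtered - set(dropped)),
        "drops_per_port": dict(dropped),
    }
```

Calling correlate(SAMPLE_LOG, NMAP_OUTPUT, "192.168.0.1", "192.168.0.253") reports all twelve logged destination ports as explained by the local firewall, nothing dropped that nmap did not call filtered, and six filtered ports (6001, 6003, 6004, 6006, 6009, 6050) that simply do not occur in the pasted excerpt. If the scan is meant to reach the Windows host, the rules to look at are the OUTPUT rules on the Debian box, not anything on the Windows side.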