Jogi Hofmueller <[EMAIL PROTECTED]> writes:

> lately i was running nmap to check my office machine. to my surprise i
> found an open port 'cadsi-lm' (1387). running nmap again the port was not
> there anymore. on future runs i found my machine listening on different
> registered non-privileged ports but i never found any daemon nor nothing
> with lsof. the event is not reproducible. the same port never shows up
> again. tcpdump didn't produce any helpful output.

<sigh>
Why do people persist in using nmap at test phase? Sure, if you've been
cracked, scan yourself if you want, but if you're looking to see `what do
I have open?' then nmap is the *last* tool I'd use.

Look at nmap-services and note how many of
/proc/sys/net/ipv4/ip_local_port_range are given names because some crummy
company has used them before now.

Go back to

    sudo netstat -plan | grep LIST

and that'll tell you what's listening, and more importantly, it'll tell
you what interface(s) the listeners have bound to, as well.

(Of course, equivalents with lsof and fuser can be useful too if you like
them.)

> so my question: has anyone ever noticed something like this? could it be
> a bug in nmap (i'm using V. 2.12 from debian/potato which seems to be the
> newest version)?

[snip]

Do you run gnome-terminal? gdm and/or kdm[i]?

ISTM far more likely that it was a legitimate process setting up a fairly
transient listener than that it was any such worm, although you may well
be the first ;)

~Tim

Footnotes:
[i] these are known to listen most frequently *on* 1024, especially if
    started as part of the boot sequence.

-- 
A big sky above me,  |[EMAIL PROTECTED]
West winds blow.     |http://spodzone.org.uk/
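
Added example, not part of the original message: a Python sketch of the check the reply recommends, reading the kernel's own socket table instead of scanning, and marking each listener whose port falls inside ip_local_port_range. The sample table and its port range are constructed, the function names are hypothetical, and the address decoding assumes a little-endian host and IPv4 TCP only.

```python
import socket
import struct

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201
   1: 0100007F:056B 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 4711
   2: 0100007F:0400 0100007F:1770 01 00000000:00000000 00:00000000 00000000  1000        0 4712
"""
SAMPLE_PORT_RANGE = (1024, 4999)  # constructed value to go with the sample


def listeners(proc_net_tcp, port_range):
    """Return (ip, port, in_local_port_range) for every socket in LISTEN state."""
    low, high = port_range
    found = []
    for line in proc_net_tcp.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != "0A":    # 0A is TCP_LISTEN
            continue
        hex_ip, hex_port = fields[1].split(":")
        # The address is printed as a native 32-bit integer; assumed little-endian.
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        port = int(hex_port, 16)
        found.append((ip, port, low <= port <= high))
    return found


def read_port_range(path="/proc/sys/net/ipv4/ip_local_port_range"):
    """Read the kernel's local (ephemeral) port range as (low, high)."""
    with open(path) as fh:
        low, high = fh.read().split()
    return int(low), int(high)


if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:
            table = fh.read()
        port_range = read_port_range()
    except OSError:                                 # not Linux: use the sample
        table, port_range = SAMPLE_PROC_NET_TCP, SAMPLE_PORT_RANGE
    for ip, port, ephemeral in listeners(table, port_range):
        note = "  (inside ip_local_port_range)" if ephemeral else ""
        print(f"{ip}:{port}{note}")
```

The bound address in each row answers the interface question (0.0.0.0 is every interface, 127.0.0.1 is loopback only); netstat -plan is still what names the owning process.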