Jogi Hofmueller <[EMAIL PROTECTED]> writes:
> lately i was running nmap to check my office machine. to my surprise i
> found an open port 'cadsi-lm' (1387). running nmap again the port was not
> there anymore. on future runs i found my machine listening on different
> registered non-privileged ports but i never found any daemon nor nothing
> with lsof. the event is not reproduceable. the same port never shows up
> again. tcpdump didn't produce any helpful output.
<sigh> Why do people persist in using nmap at test phase? Sure, if you've
been cracked, scan yourself if you want, but if you're looking to see `what
do I have open?' then nmap is the *last* tool I'd use. Look at
nmap-services and note how many of /proc/sys/net/ipv4/ip_local_port_range
are given names because some crummy company has used them before now.
Go back to
sudo netstat -plan | grep LIST
and that'll tell you what's listening, and more importantly, it'll tell you
what interface(s) the listeners have bound to, as well. (Of course,
equivalents with lsof and fuser can be useful too if you like them.)
> so my question: has anyone ever noticed something like this? could it be
> a bug in nmap (i'm using V. 2.12 from debian/potato which seems to be the
> newest version)?
[snip]
Do you run gnome-terminal? gdm and/or kdm[i]? ISTM far more likely that it was
a legitimate process setting up a fairly transient listener than that it
was any such worm, although you may well be the first ;)
~Tim
Footnotes:
[i] these are known to listen most frequently *on* 1024, especially if
started as part of the boot sequence.
--
A big sky above me, |[EMAIL PROTECTED]
West winds blow. |http://spodzone.org.uk/
