From owner-freebsd-security Tue Mar 6 0:19:13 2001
Date: Tue, 6 Mar 2001 00:18:59 -0800
From: "Crist J. Clark"
To: Mike Silbersack
Cc: "Giovanni P. Tirloni", freebsd-security@FreeBSD.ORG
Subject: Re: 31337
Message-ID: <20010306001859.B1367@cjc-desktop.users.reflexcom.com>
Reply-To: cjclark@alum.mit.edu

On Mon, Mar 05, 2001 at 07:22:41PM -0600, Mike Silbersack wrote:
>
> On Mon, 5 Mar 2001, Giovanni P. Tirloni wrote:
>
> > Hi folks,
> >
> > Just to add some extra info I'd like to say that I've seen nmap reporting
> > such open ports a lot of times while doing port scans on my machines and
> > friend's machines too.
> >
> > Mainly I was certifying myself of which ports I had left open after a
> > _fresh_ install so, IMO, this is something related to nmap itself
> > reporting such ports wrongly and not with any kind of h4x0r 4ct1v1ty.
> > Perhaps, in some way, FreeBSD sends some kind of packet with options
> > that make nmap report it that way. I really don't know.
>
> BIND likes to use a port in area above 1024 for outgoing queries, so
> you're going to see nmap hit that pretty consistently. Other than that, I
> don't think you should be seeing any false positives.

It is _rarely_ going to be opening TCP sockets and when it does, it
will be the one initiating them so they will not appear open to a
connect() scan.

UDP false positives... Yeah, that can happen a lot.
-- 
Crist J. Clark                           cjclark@alum.mit.edu
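
Added example (not part of the original message or thread): a loopback-only Python sketch of the socket behaviour discussed above, showing that the source port of an outgoing TCP connection is refused by a connect() probe while a bound UDP port looks "open|filtered" to a UDP probe. The function names and the stand-in "resolver" socket are assumptions made for illustration; BIND itself is not involved.

```python
import socket

LOOPBACK = "127.0.0.1"  # everything stays on this host


def tcp_connect_probe(port, timeout=1.0):
    """connect() scan logic: 'open' only if the three-way handshake completes."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return "open" if s.connect_ex((LOOPBACK, port)) == 0 else "closed"


def udp_probe(port, timeout=0.5):
    """UDP scan logic: ICMP port-unreachable means closed, silence is ambiguous."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((LOOPBACK, port))  # connected socket so ICMP errors reach us
        try:
            s.send(b"\x00")
            s.recv(512)
            return "open"  # the port answered
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "open|filtered"  # no reply, no ICMP error


def demo():
    # Constructed stand-ins: a listening server, a client that dialed out,
    # and a UDP socket bound to a high port like a resolver's query socket.
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind((LOOPBACK, 0))
    server.listen(8)
    client = socket.create_connection(server.getsockname())
    accepted, _ = server.accept()
    resolver = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    resolver.bind((LOOPBACK, 0))
    udp_port = resolver.getsockname()[1]
    results = {
        "tcp_listening_port": tcp_connect_probe(server.getsockname()[1]),
        "tcp_outgoing_source_port": tcp_connect_probe(client.getsockname()[1]),
        "udp_bound_query_port": udp_probe(udp_port),
    }
    resolver.close()
    results["udp_port_after_close"] = udp_probe(udp_port)
    for s in (accepted, client, server):
        s.close()
    return results
```

When auditing a fresh install, the same distinction can be checked from the host itself by comparing scan output against the local socket table (for example `sockstat -4` on FreeBSD) to see which process owns a reported UDP port.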