Delivered-To: freebsd-security@freebsd.org
From: "Geoff Lawn"
To: "Mike Silbersack"
Subject: Re: Unknown transient service 1528/tcp
Date: Fri, 23 Nov 2001 10:35:52 +1300
Message-ID: <007b01c1739d$b0673ca0$24e7adcb@lawn>
References: <20011121222647.O2710-100000@achilles.silby.com>

Hi Mike,

> Were you nmapping the machine nmap was running on?  You sometimes catch
> the port nmap is running the scan from when doing it that way, if I recall
> correctly.

Yes, I was running "nmap localhost".
I did a sockstat while nmap was running, and it looks like nmap chooses a random port to use for each sequential port test.
So I guess it's possible nmap chose a random port to use to test the same port number, and thus saw the port as being open!

Thanks for your help,
Geoff

>
> On Thu, 22 Nov 2001, Geoff Lawn wrote:
>
> > Hi there,
> >
> > I regularly do an nmap on our server with the following results...
> >
> > Port       State       Service
> > 21/tcp     open        ftp
> > 22/tcp     open        ssh
> > 25/tcp     open        smtp
> > 110/tcp    open        pop-3
> > 443/tcp    open        https
> >
> > Recently I noticed the following service appear...
> > 1528/tcp   open        mciautoreg
> >
> > I did another nmap a minute later and the service was no longer there.
> >
> > Does anyone know what this might be?
> > Have I been hacked??
> >
> > Thanks,
> > Geoff
> >
>
> Mike "Silby" Silbersack
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
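
One way to triage a transient "open" port like the 1528/tcp discussed above, as an added example that is not part of the original message: it reads sockstat-style output and reports whether a port has a real listener or is only the local source port of an outbound connection (such as the scanner's own). The rows in `SAMPLE` are constructed, and the column layout (USER COMMAND PID FD PROTO LOCAL FOREIGN) and the names `parse_sockstat` and `classify_port` are assumptions of this example.

```python
from collections import namedtuple

# Constructed sample in an assumed sockstat column layout
# (USER COMMAND PID FD PROTO LOCAL FOREIGN); not output from the original post.
SAMPLE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       214   3  tcp4   *:22                  *:*
root     sendmail   198   4  tcp4   *:25                  *:*
geoff    nmap       5120  5  tcp4   127.0.0.1:1528        127.0.0.1:1527
geoff    nmap       5120  6  tcp4   127.0.0.1:1530        127.0.0.1:22
root     sshd       5121  4  tcp4   127.0.0.1:22          127.0.0.1:1530
"""

Sock = namedtuple("Sock", "user command pid proto local foreign")

def parse_sockstat(text):
    rows = []
    for line in text.splitlines():
        f = line.split()
        # Skip the header and anything that is not a 7-column TCP row.
        if len(f) != 7 or not f[4].startswith("tcp"):
            continue
        rows.append(Sock(f[0], f[1], f[2], f[4], f[5], f[6]))
    return rows

def port_of(addr):
    return addr.rsplit(":", 1)[-1]

def classify_port(port, rows):
    """Return (verdict, [(command, pid), ...]) for one local TCP port."""
    port = str(port)
    mine = [r for r in rows if port_of(r.local) == port]
    listeners = [r for r in mine if r.foreign == "*:*"]
    if listeners:
        # A wildcard foreign address means a process is accepting connections.
        return "listener", sorted({(r.command, r.pid) for r in listeners})
    if mine:
        # Port is in use only as one end of an established or pending connection.
        return "source-port-only", sorted({(r.command, r.pid) for r in mine})
    return "unused", []

if __name__ == "__main__":
    rows = parse_sockstat(SAMPLE)
    for p in (22, 1528, 443):
        print(p, classify_port(p, rows))
```

A "source-port-only" verdict owned by the scanner's own PID points to a scan artifact, while a "listener" verdict names the process to investigate.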