From owner-freebsd-security Thu May 30 0:19:57 2002
Message-ID: <009801c207aa$7c4003c0$3800a8c0@DAVE>
From: "Dave Raven"
To: "nathan skains"
References: <000001c20789$f19ff060$6301a8c0@visp> <006101c2079b$96528170$0200a8c0@logical>
Subject: Re: Nmap /w snort
Date: Thu, 30 May 2002 09:20:31 +0200

Is 192.168.0.5 the box? That might be the problem, scanning yourself is no
good.

Fix the nmap problem by making more bpf devices.
cd /dev/ && sh ./MAKEDEV bpf4 bpf5 bpf6

Does that port change? Or always stay the same? check sockstat. check
netstat.

--Dave.

----- Original Message -----
From: "nathan skains"
To:
Sent: Thursday, May 30, 2002 7:33 AM
Subject: Nmap /w snort

> i am having a similar problem earlier today i did a scan on my system and got
> the following results. later i ran another scan and got another weird port
> open, i am concerned with a compromise.
>
> Starting nmap V. 2.54BETA34 ( www.insecure.org/nmap/ )
> > Interesting ports on (192.168.0.5):
> > (The 1545 ports scanned but not shown below are in state: closed)
> > Port       State       Service
> > 21/tcp     open        ftp
> > 22/tcp     open        ssh
> > 25/tcp     open        smtp
> > 80/tcp     open        http
> > 110/tcp    open        pop-3
> > 113/tcp    open        auth
> > 587/tcp    open        submission
> > 1492/tcp   open        stone-design-1 << concern about this port being open
> > 3306/tcp   open        mysql
> > 6667/tcp   open        irc
> > 6668/tcp   open        irc
>
> when i try an nmap as root i get this error
>
> Starting nmap V. 2.54BETA34 ( www.insecure.org/nmap/ )
> pcap_open_live: (no devices found) /dev/bpf4: No such file or directory
> There are several possible reasons for this, depending on your operating
> system:
> LINUX: If you are getting Socket type not supported, try modprobe af_packet
> or recompile your kernel with SOCK_PACKET enabled.
> *BSD: If you are getting device not configured, you need to recompile your
> kernel with Berkeley Packet Filter support. If you are getting No such file
> or directory, try creating the device (eg cd /dev; MAKEDEV ; or use
> mknod).
> SOLARIS: If you are trying to scan localhost and getting '/dev/lo0: No such
> file or directory', complain to Sun. I don't think Solaris can support
> advanced localhost scans. You can probably use "-P0 -sT localhost" though.
>
> but if i throw options in like -P0 -sT it works go figure.
> any ideas would be greatly appreciated.
>
> Nathan
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
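
Dave's question of whether the odd port changes between scans can be answered by diffing two saved nmap reports. The script below is an added example, not part of the thread; the function names `open_ports` and `port_changes` and the whole second report (1492 gone, port 40001 open) are constructed for illustration.

```sh
#!/bin/sh
# Added example: compare the open ports in two saved nmap reports.
LC_ALL=C; export LC_ALL          # sort and comm must agree on ordering

# Print "port/proto" for each line of an nmap report (stdin) whose state is open.
open_ports() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print $1 }' | sort -u
}

# port_changes BEFORE AFTER: list ports that differ between two report files.
port_changes() {
    a=$(mktemp) && b=$(mktemp) || return 1
    open_ports < "$1" > "$a"
    open_ports < "$2" > "$b"
    comm -23 "$a" "$b" | sed 's/^/gone: /'    # open before, not open now
    comm -13 "$a" "$b" | sed 's/^/new: /'     # open now, not open before
    rm -f "$a" "$b"
}

# First report: the port table quoted in the message above.
before=$(mktemp)
cat > "$before" <<'EOF'
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
25/tcp     open        smtp
80/tcp     open        http
110/tcp    open        pop-3
113/tcp    open        auth
587/tcp    open        submission
1492/tcp   open        stone-design-1
3306/tcp   open        mysql
6667/tcp   open        irc
6668/tcp   open        irc
EOF

# Second report: constructed for this example (1492 gone, 40001 appeared).
after=$(mktemp)
sed -e '/^1492\//d' "$before" > "$after"
echo '40001/tcp  open        unknown' >> "$after"

port_changes "$before" "$after"
```

A port reported as new or gone is the one to look up with sockstat or netstat on the scanned host while it is still open.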