Date: Tue, 6 Mar 2001 00:18:59 -0800
From: "Crist J. Clark" <cjclark@reflexnet.net>
To: Mike Silbersack <silby@silby.com>
Cc: "Giovanni P. Tirloni" <tirloni@techie.com>, freebsd-security@FreeBSD.ORG
Subject: Re: 31337
Message-ID: <20010306001859.B1367@cjc-desktop.users.reflexcom.com>
In-Reply-To: <Pine.BSF.4.31.0103051919430.9821-100000@achilles.silby.com>; from silby@silby.com on Mon, Mar 05, 2001 at 07:22:41PM -0600
References: <Pine.BSF.4.33.0103052148300.15314-100000@mink.ath.cx> <Pine.BSF.4.31.0103051919430.9821-100000@achilles.silby.com>

On Mon, Mar 05, 2001 at 07:22:41PM -0600, Mike Silbersack wrote:
>
> On Mon, 5 Mar 2001, Giovanni P. Tirloni wrote:
>
> > Hi folks,
> >
> > Just to add some extra info I'd like to say that I've seen nmap reporting
> > such open ports a lot of times while doing port scans on my machines and
> > friend's machines too.
> >
> > Mainly I was certifying myself of which ports I had left open after a
> > _fresh_ install so, IMO, this is something related to nmap itself
> > reporting such ports wrongly and not with any kind of h4x0r 4ct1v1ty.
> > Perhaps, in some way, FreeBSD sends some kind of packet with options
> > that make nmap report it that way. I really don't know.
>
> BIND likes to use a port in area above 1024 for outgoing queries, so
> you're going to see nmap hit that pretty consistently. Other than that, I
> don't think you should be seeing any false positives.

It is _rarely_ going to be opening TCP sockets and when it does, it
will be the one initiating them so they will not appear open to a
connect() scan.

UDP false positives... Yeah, that can happen a lot.
--
Crist J. Clark                           cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
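
[Added example, not part of the original message or thread.] The distinction drawn in the reply above can be reproduced on loopback: a TCP port that only carries an outbound connection refuses a connect() probe, while a UDP socket bound for outgoing queries stays silent and so cannot be told apart from an open service. The function names, the simplified state labels and the loopback stand-ins for the listener, the outbound connection and the query socket are assumptions made for this illustration.

```python
import socket

LOOPBACK = "127.0.0.1"

def tcp_connect_probe(port, timeout=1.0):
    # Classify a TCP port the way a connect() scan does.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        probe.settimeout(timeout)
        probe.bind((LOOPBACK, 0))  # explicit source port, distinct from the target
        try:
            probe.connect((LOOPBACK, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"

def udp_probe(port, timeout=0.5):
    # A UDP scan can only tell "closed" apart when an ICMP error comes back.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as probe:
        probe.settimeout(timeout)
        probe.connect((LOOPBACK, port))
        try:
            probe.send(b"\x00")
            probe.recv(512)
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "open|filtered"  # silence: nothing refused the datagram

def demo():
    # Constructed stand-ins: listening service, outbound TCP client, UDP query socket.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((LOOPBACK, 0))
    listener.listen(5)
    outbound = socket.create_connection(listener.getsockname())
    query = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    query.bind((LOOPBACK, 0))
    try:
        return {
            "tcp_listener": tcp_connect_probe(listener.getsockname()[1]),
            "tcp_outbound": tcp_connect_probe(outbound.getsockname()[1]),
            "udp_query_socket": udp_probe(query.getsockname()[1]),
        }
    finally:
        for s in (listener, outbound, query):
            s.close()

if __name__ == "__main__":
    print(demo())
```

When auditing a fresh install, matching each reported high UDP port against the owning process (for example with sockstat on FreeBSD) separates a resolver's query socket from an unexpected service.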