Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos network security services platform







Security Incidents: strange, strange stuff

strange, strange stuff

From: Max Gribov <max_at_DATATWIRL.YI.ORG>
Date: Mon, 26 Mar 2001 19:22:18 -0500

I did my weekly sweep of my machine, which involves portscans, log
reviews, etc, and during nmap'ing i came across this:

four consequtive nmaps below:

--------------------------------
Starting nmap V. 2.54BETA7 ( www.insecure.org/nmap/ )
Strange read error from 127.0.0.1 (104): Operation now in progress
Strange read error from 127.0.0.1 (104): Operation now in progress
Strange read error from 127.0.0.1 (104): Operation now in progress
Interesting ports on localhost (127.0.0.1):
(The 65494 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
113/tcp open auth
1918/tcp open unknown
2643/tcp open unknown
4986/tcp open unknown
6000/tcp open X11

--------------------------------
Starting nmap V. 2.54BETA7 ( www.insecure.org/nmap/ )
Strange read error from 127.0.0.1 (104): Operation now in progress
Interesting ports on localhost (127.0.0.1):
(The 65496 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
113/tcp open auth
2538/tcp open unknown
6000/tcp open X11

--------------------------------
Starting nmap V. 2.54BETA7 ( www.insecure.org/nmap/ )
Strange read error from 127.0.0.1 (104): Operation now in progress
Interesting ports on localhost (127.0.0.1):
(The 65496 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
113/tcp open auth
3691/tcp open unknown
6000/tcp open X11

---------------------------------
Starting nmap V. 2.54BETA7 ( www.insecure.org/nmap/ )
Strange read error from 127.0.0.1 (104): Operation now in progress
Strange read error from 127.0.0.1 (104): Operation now in progress
Interesting ports on localhost (127.0.0.1):
(The 65495 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
113/tcp open auth
2913/tcp open unknown
3765/tcp open unknown
6000/tcp open X11

As you can see, in each portscan "Strange read error from 127.0.0.1
(104): Operation now in progress" error was recieved as well as a strange
"opened" port, number of which seem to correspond to number of the above
error messages. If i telnet to the port, i get "connection refused", and
nothing shows up on netstat/lsof.
Has anyone ever seen anything like this? Can anyone suggest some
tool/technique to find out what is exactly going on on my machine?

Thanks in advance,

Max_
Received on Mar 27 2001

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]