Nmap Development
mailing list archives
Phantom Windows ports 21, 389, 1002, 1720
From: Fyodor <fyodor () insecure org>
Date: Mon, 14 Apr 2003 12:17:14 -0700
In case anyone else has noticed phantom open ports on their Windows
machines which don't show up under netstat, this Microsoft KB Article
may provide the explanation. Rather than signifying a trojan
installed by malicious parties, the phantom port symptoms may just be
an "Internet Connection Firewall feature". See below:
----- Forwarded message from Simone Chemelli <Simone.Chemelli () serinf it> -----
Date: Sun, 13 Apr 2003 15:27:49 +0200
From: Simone Chemelli <Simone.Chemelli () serinf it>
To: fyodor () insecure org
Subject: Fw: Nmap 3.20: if you have time to explain why it behavies like this..SOLVED:-)
Sorry to have made you lose time. I found the solution by myself. Again,
sorry.
From MS knowledge db ( http://support.microsoft.com):
This article was previously published under Q315846
SYMPTOMS
If you turn on the Internet Connection Firewall feature in Windows XP and
you try to use Telnet to connect to any valid IP address on port 389, the
Telnet connection appears to be made successfully, even if the host is not
listening on that port. The output from the netstat command shows that no
local service is listening on port 389. This behavior also occurs with
ports 21, 1002, and 1720. This behavior does not occur if you do not turn
on the Internet Connection Firewall feature.
CAUSE
If the Internet Connection Firewall feature is on and you try to connect
with Telnet to port 389, you actually connect to the local Lightweight
Directory Access Protocol (LDAP) proxy that is part of the Firewall
service.
Simone Chemelli
System integration
----- Forwarded by Simone Chemelli/serinf on 13/04/2003 15.28 -----
Simone Chemelli/serinf 13/04/2003 13.48
To fyodor () insecure org
Subject Nmap 3.20: if you have time to explain why it behavies like this...
Hi Fyodor.
I'm using your nmap 3.20 under Suse 8.1 and kernel 2.4.19.
The strange thing is that it says that 3 TCP ports are open (389, 1002
and 1720) on all my hosts.
They are on different subnets with different firewalls protecting them, so
it sounds strange to me that they all have those ports open.
The command I used was:
[ Cut ]
---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
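
A triage sketch for the symptom described in this thread, added here as an example and not part of the original messages or of Nmap: it reads Nmap grepable (-oG) output, compares the open ports with each host's netstat listeners, and separates ports that match the KB pattern (in the 21/389/1002/1720 set, open on every scanned host, no local listener) from ports that still need investigation. The sample scan, the addresses, the listener sets and the function names are constructed for illustration.

```python
import re

# Ports the quoted KB article (Q315846) says appear open with no local listener.
ICF_PROXY_PORTS = {21, 389, 1002, 1720}

# Constructed sample in Nmap grepable (-oG) format; hosts and ports are made up.
SAMPLE_GREPABLE = (
    "# Nmap scan (constructed sample)\n"
    "Host: 10.1.1.5 ()\tPorts: 22/open/tcp//ssh///, 389/open/tcp//ldap///, "
    "1002/open/tcp/////, 1720/open/tcp/////\n"
    "Host: 10.2.7.9 ()\tPorts: 80/open/tcp//http///, 389/open/tcp//ldap///, "
    "1002/open/tcp/////, 1720/open/tcp/////, 31337/open/tcp/////\n"
    "Host: 10.3.0.2 ()\tPorts: 25/filtered/tcp//smtp///, 389/open/tcp//ldap///, "
    "1002/open/tcp/////, 1720/open/tcp/////\n"
)
# Constructed: TCP ports each host reports as LISTENING in its own netstat output.
SAMPLE_LISTENERS = {"10.1.1.5": {22}, "10.2.7.9": {80}, "10.3.0.2": set()}


def parse_open_ports(grepable):
    """Return {host: set of open TCP ports} from Nmap -oG text."""
    hosts = {}
    for line in grepable.splitlines():
        m = re.match(r"Host: (\S+) .*?Ports: ([^\t]*)", line)
        if not m:
            continue  # comment lines and "Status:" lines carry no port list
        entries = (e.strip().split("/") for e in m.group(2).split(","))
        hosts[m.group(1)] = {int(e[0]) for e in entries if e[1:3] == ["open", "tcp"]}
    return hosts


def triage(scan, listeners):
    """Split scanner-only ports into KB-pattern matches and ports to investigate."""
    everywhere = set.intersection(*scan.values()) if scan else set()
    report = {}
    for host, ports in scan.items():
        unexplained = ports - listeners.get(host, set())  # open in scan, absent in netstat
        kb_match = unexplained & ICF_PROXY_PORTS & everywhere
        report[host] = {"kb_pattern": sorted(kb_match),
                        "investigate": sorted(unexplained - kb_match)}
    return report


if __name__ == "__main__":
    for host, result in triage(parse_open_ports(SAMPLE_GREPABLE), SAMPLE_LISTENERS).items():
        print(host, result)
```

A port only lands in `kb_pattern` when all three conditions hold, so a scanner-only port outside that set, or one seen on a single host, stays in `investigate`.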