Firewall Wizards mailing list archives
Strange open ports on windows machines
From: Christoph Schneeberger <cschnee () telemedia ch>
Date: Thu, 21 Oct 1999 20:33:43 +0100
Hi,
I'm sorry if this is completely stupid but I can't explain what's going on.
While scanning a customer's public corporate website (on request) with nmap
(2.3BETA6 and 2.02) I found the following open ports:
Port    State     Protocol  Service
21      open      tcp       ftp
25      open      tcp       smtp
80      open      tcp       http
135     open      tcp       loc-srv
139     open      tcp       netbios-ssn
443     open      tcp       https
465     open      tcp       smtps
1027    open      tcp       unknown
1030    open      tcp       iad1
12345   filtered  tcp       NetBus

and udp:

Port    State     Protocol  Service
135     open      udp       loc-srv
137     open      udp       netbios-ns
138     open      udp       netbios-dgm
31337   open      udp       BackOrifice
Nothing special yet, NetBus and BO happen to be on many PCs ;-)
The server is NT4 SP4 German with IIS 4 installed.
I then went with the customer through the following procedures:
- Connected with telnet to port 12345 of that machine and expected a banner
  No luck (probably it has IP restrictions, a feature of NetBus)
- Checking Registry and Disk for known malicious executables
  No luck
- Checking services and running processes for unknown things
  Nothing strange or special (screenshot available)
- Installing Norman Data Defense AntiVirus with latest definitions
  Nothing found
- Removing Norman and installing the latest Norton Antivirus for NT with latest definitions
  Nothing found
- Running netstat -an on the server in question
  The two ports 12345 tcp and 31337 udp were not shown, all other listening services were shown as expected.
- Installing BackOfficer Friendly from http://www.nfr.net/bof/ on the server (I hoped it would complain about not being able to listen on 31337 udp)
  Started and did not complain
- I then connected to the server with 'netcat -u 31337' and typed some random chars which should normally trigger bof to pop up and notify the user
  Nothing happened, all other ports, e.g. pop3, triggered bof immediately
So, am I missing a chapter or does this look like something really strange?
What next steps would one take now?
I really appreciate any help or hint.
Cheers,
Christoph Schneeberger
SCS Telemedia
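
Added example, not part of the original post: a small script that automates the comparison described in the message, matching the scanner's port table against the host's own `netstat -an` listing and returning the ports seen only from outside. The scan rows are the ones posted; the `netstat` rows are constructed (the post did not include them), 192.0.2.10 is a placeholder address, and the function names are hypothetical.

```python
import re

# Scan rows as posted above (nmap 2.x columns: port, state, protocol, service).
SCAN = """21 open tcp ftp
25 open tcp smtp
80 open tcp http
135 open tcp loc-srv
139 open tcp netbios-ssn
443 open tcp https
465 open tcp smtps
1027 open tcp unknown
1030 open tcp iad1
12345 filtered tcp NetBus
135 open udp loc-srv
137 open udp netbios-ns
138 open udp netbios-dgm
31337 open udp BackOrifice"""

# Constructed `netstat -an` rows (Windows layout); not output from the real server.
NETSTAT = """  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:465            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1027           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1030           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:135            *:*
  UDP    192.0.2.10:137         *:*
  UDP    192.0.2.10:138         *:*"""

def parse_scan(text):
    # (proto, port) -> state, from "port state proto service" rows
    rows = re.finditer(r"^[ \t]*(\d+)[ \t]+(\S+)[ \t]+(tcp|udp)\b", text, re.M)
    return {(m[3], int(m[1])): m[2] for m in rows}

def parse_netstat(text):
    # (proto, port) for each TCP socket in LISTENING and each bound UDP socket
    listeners = set()
    for f in map(str.split, text.splitlines()):
        if len(f) >= 3 and (f[0] == "UDP" or (f[0] == "TCP" and f[-1] == "LISTENING")):
            listeners.add((f[0].lower(), int(f[1].rsplit(":", 1)[1])))
    return listeners

def unexplained(scan, listeners):
    # Ports the scanner reported that the host's own socket table does not list
    return sorted((p, n, s) for (p, n), s in scan.items() if (p, n) not in listeners)

print(unexplained(parse_scan(SCAN), parse_netstat(NETSTAT)))
```

In nmap, a UDP port is reported open when no ICMP port-unreachable reply comes back, and a filtered TCP port is one whose probe was blocked or dropped, so a port that appears only in the scan can be produced by a packet filter on the path rather than by a listener on the host.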
