LinuxQuestions.org

GSMD 08-20-2008 12:46 PM

nmap reports 5190/tcp to be open
 
Got a gentoo box, firewalled.
Code:

sh ~ # iptables -L
Chain INPUT (policy DROP)
target    prot opt source              destination
ACCEPT    all  --  anywhere            anywhere            state RELATED,ESTABLISHED
ACCEPT    all  --  localhost            anywhere
ACCEPT    icmp --  anywhere            anywhere
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:ssh
ACCEPT    tcp  --  anywhere            anywhere            tcp dpt:http

Chain FORWARD (policy DROP)
target    prot opt source              destination

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination

fuser -n tcp 5190 doesn't report anything, neither does netstat -lnp. Still,
Code:

nmap -v myhost.mydomain # run this from another box
...
5190/tcp open  aol
...

Chkrootkit finds nothing suspicious. Tcpdump shows no activity over this port.
Any ideas how this could be?

P.S.
Code:


sh ~ # tcpdump port 5190
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 68 bytes
18:18:56.597679 IP 110-181-113-92.pool.ukrtel.net.3335 > my.slice.domain.aol: S 2231719593:2231719593(0) win 5808 <mss 1452,sackOK,timestamp 70335246[|tcp]>
18:18:59.593850 IP 110-181-113-92.pool.ukrtel.net.3335 > my.slice.domain.aol: S 2231719593:2231719593(0) win 5808 <mss 1452,sackOK,timestamp 70335846[|tcp]>

3 packets captured
3 packets received by filter
0 packets dropped by kernel

So packets actually get to the server, not getting filtered by the ISP or something.

TIA.

marozsas 08-20-2008 03:51 PM

never mind, I didn't see your report about netstat....

GSMD 08-20-2008 03:57 PM

OK, I've figured it out.
Code:

localhost ~ # nmap slicehost.com # this is from my box

Starting Nmap 4.53 ( http://insecure.org ) at 2008-08-20 23:04 UTC
Interesting ports on www.slicehost.com (67.207.128.80):
Not shown: 1709 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
1720/tcp filtered H.323/Q.931
5190/tcp open aol

sh ~ # nmap slicehost.com # from slice

Starting Nmap 4.53 ( http://insecure.org ) at 2008-08-20 20:08 UTC
Interesting ports on www.slicehost.com (67.207.128.80):
Not shown: 1711 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http

Both are running the very same nmap on gentoo. I think it's my D-Link router that is causing the issue.
http://forum.slicehost.com/comments....cussionID=2249
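
Added example, not part of the original thread: a small Python script that diffs the port tables of two nmap scans of the same target taken from different vantage points, using the two tables posted above as input. The function names are made up for this example, and it assumes every port missing from a table falls under nmap's "Not shown: N closed ports" line, as it does in both scans here.

```python
import re

# One row of nmap's normal-output port table, e.g. "5190/tcp open aol"
PORT_ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(open\|filtered|open|closed|filtered)\s+(\S.*)$")

# Port tables copied from the two scans in the thread
HOME_SCAN = """Not shown: 1709 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
1720/tcp filtered H.323/Q.931
5190/tcp open aol
"""
SLICE_SCAN = """Not shown: 1711 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
"""

def parse_ports(nmap_text):
    """Return {(port, proto): state} for every port row in the scan text."""
    table = {}
    for line in nmap_text.splitlines():
        m = PORT_ROW.match(line.strip())
        if m:
            table[(int(m.group(1)), m.group(2))] = m.group(3)
    return table

def vantage_diff(far_scan, near_scan):
    """Return {(port, proto): (far_state, near_state)} where the two scans disagree.

    Assumption: a port absent from a table is "closed" (the "Not shown" summary).
    """
    far, near = parse_ports(far_scan), parse_ports(near_scan)
    diff = {}
    for key in sorted(set(far) | set(near)):
        states = (far.get(key, "closed"), near.get(key, "closed"))
        if states[0] != states[1]:
            diff[key] = states
    return diff

if __name__ == "__main__":
    # Ports that look different only from the far vantage point are candidates
    # for being answered or filtered by a device on the path, not by the target.
    for (port, proto), (far, near) in vantage_diff(HOME_SCAN, SLICE_SCAN).items():
        print(f"{port}/{proto}: {far} from home box, {near} from slice")
```

A port that is open only in the scan taken from behind the router, while netstat on the target shows no listener, points at something on the path rather than at the target host.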

