Linux - Networking
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
What I know: this machine is not too secure...
What I don't know: what are those protocols...
Code:
Starting nmap 3.27 ( www.insecure.org/nmap/ ) at 2003-09-07 21:56 EEST
Interesting ports on 172.16.3.20:
(The 1603 ports scanned but not shown below are in state: closed)
Port State Service
7/tcp open echo
9/tcp open discard
13/tcp open daytime
17/tcp open qotd
19/tcp open chargen
21/tcp open ftp
25/tcp open smtp
80/tcp open http
135/tcp open loc-srv
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1030/tcp open iad1
1032/tcp open iad3
2105/tcp open eklogin
3389/tcp open ms-term-serv
5000/tcp open UPnP
5101/tcp open admdog
Nmap run completed -- 1 IP address (1 host up) scanned in 3.521 sec
Quote:
5000 is used by Back Orifice and NetBus.
Ummmmm??? BO normally uses 31337 and NetBus uses 12345 and 12346 by default. Of course they can be made to run on any port. On a Windows machine 5000 is just what nmap said, UPnP.
I don't know what the point of the original post is, though... Congratulations, you found a networked host that appears (notice I said "appears") to be very insecure. It's not like those don't abound on the Internet (1,500,000 machines compromised by MS Blaster).
For one thing, that's a non-routable IP so it's obviously on an Internal network. Sure it's not a good idea to run all those services, but they're probably not reachable from the Internet (firewall?). Another remote possibility is that it's a honeypot and just pretending to have those services running. You wouldn't know unless you actually tried something against it.
If you're not responsible for that host, move along. If you are, I certainly hope you know how to disable all those unnecessary services.
The thing is that this machine is owned by someone I know personally in the intranet. I was wondering what are those services and why is he running them?
Especially iad1 and iad3..... and I was expecting some links so that I could read about the services I see here....
Chort, how did you realise that this machine is on an internal network? squid absent? Please give links so that I can . And after I won't and act like a total that I am.
The way we know it is on an internal network is because of the subnet (xxx.xxx. ... ...). Any ip address that has the range 172.xxx.xxx.xxx or 10.xxx.xxx.xxx or 192.xxx.xxx.xxx is on the internal side of a network. That is where the router comes in. What it does is take your external address (say, if you have comcast, like 67.170.xxx.xxx) and splits it, into, you guessed it, the internal addresses. Make sense? Enjoy, and tell your friend to stop using windows and join the free world!
Close, but incorrect. Only the 10. (pronounced "ten dot") network is a /8 (used to be called "Class A"). The private range of 172.16. is a /12, and 192.168 is a /16. Confused yet?
Start with RFC1918, which specifies some reserved networks for private use (these routes are not advertised to the Internet). Next, wikipedia has a somewhat useful explanation of CIDR, although some Googling will probably reveal something more helpful.
So what is my point? Not everything that matches 172.*.*.* is actually a private IP. In fact, a large number of 172. addresses belong to AOL. 192. isn't all private, either--in fact only 1/255th of it is (roughly speaking).
Good point chort, guess I should be a little more clear. Wouldn't want somebody to give their computer an address like 172.140.184.xxx and get really, really confused.
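To make the /8, /12 and /16 point concrete (and the 172.140.184.x confusion in the reply above), here is an added example, not code from anyone in this thread, that applies the RFC 1918 CIDR prefixes bit by bit instead of just looking at the first octet. The sample addresses are constructed; the ranges are the three RFC 1918 blocks chort names.

```python
# Added example (not from the thread): check whether an IPv4 address falls in
# one of the RFC 1918 private ranges using the CIDR prefix lengths chort gives
# (10/8, 172.16/12, 192.168/16) rather than matching only the first octet.

RFC1918 = (
    ("10.0.0.0", 8),       # 10.0.0.0 - 10.255.255.255
    ("172.16.0.0", 12),    # 172.16.0.0 - 172.31.255.255
    ("192.168.0.0", 16),   # 192.168.0.0 - 192.168.255.255
)


def ip_to_int(ip: str) -> int:
    """Pack dotted-quad text into a 32-bit integer, validating each octet."""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {ip!r}")
    value = 0
    for part in octets:
        n = int(part)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range: {ip!r}")
        value = (value << 8) | n
    return value


def in_cidr(ip: str, network: str, prefix: int) -> bool:
    """True if ip shares its top `prefix` bits with network (the CIDR test)."""
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return (ip_to_int(ip) & mask) == (ip_to_int(network) & mask)


def private_block(ip: str):
    """Return the matching RFC 1918 block as 'net/prefix', or None if public."""
    for network, prefix in RFC1918:
        if in_cidr(ip, network, prefix):
            return f"{network}/{prefix}"
    return None


if __name__ == "__main__":
    # Constructed sample addresses: the scanned host from the thread, the
    # confusing 172.140 case from the reply above, plus a few neighbours
    # on either side of the /12 and /16 boundaries.
    for ip in ["172.16.3.20", "172.31.255.255", "172.32.0.1",
               "172.140.184.1", "192.168.1.10", "192.1.2.3", "10.9.8.7"]:
        print(f"{ip:16} {private_block(ip) or 'public (routable)'}")
```

The first-octet rule from the earlier reply would call 172.140.184.1 and 192.1.2.3 private; the CIDR test correctly reports both as routable.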