LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 09-27-2004, 11:58 AM   #1
race
Member
 
Registered: Nov 2003
Distribution: debian
Posts: 66

Rep: Reputation: 15
Port Openings


OK, quick question... Sometimes when I randomly nmap my machine there are weird ports open, which are closed when I nmap the machine again right afterwards. Today, for example, I ran nmap and got
(The 1549 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
113/tcp open auth
515/tcp open printer
1380/tcp open telesis-licman
10000/tcp open snet-sensor-mgmt


and then I reran the scan less than 5 seconds after the completion of the other scan and I got

(The 1549 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
113/tcp open auth
515/tcp open printer
10000/tcp open snet-sensor-mgmt


I assume this is a security problem b/c I have no idea what these new ports are and I have no use for them. The other time that I noticed this happening the "service name" was genie. I don't remember if the port # was the same.
 
Old 09-30-2004, 09:55 AM   #2
race
Member
 
Registered: Nov 2003
Distribution: debian
Posts: 66

Original Poster
Rep: Reputation: 15
Found another strange port that was open for a moment and then closed the next:

1520/tcp open atm-zip-office


Weird stuff.
 
Old 10-01-2004, 05:41 PM   #3
Krugger
Member
 
Registered: Oct 2004
Posts: 229

Rep: Reputation: 30
It could be your own traffic that is generating those results, if you are using one of the more exotic scan options.

It could be some weird guy spoofing an ACK if it is a SYN scan.

Or it is a rootkit that uses port knocking or a time-based mechanism. Check for a raw socket on that computer and have a look at the logs. Although it would be pretty stupid to set the hidden communication port to one of the ports that nmap scans by default.

Try also extending the scan to cover the whole port range. Or do a netstat -a, which shows what is open at the moment, assuming the rootkit doesn't mess with the result.
 
Old 10-01-2004, 10:26 PM   #4
sh1ft
Member
 
Registered: Feb 2004
Location: Ottawa, Ontario, Can
Distribution: Slackware, ubuntu
Posts: 391

Rep: Reputation: 32
Port 10000 is webmin; you may _really_ want to investigate that if you did not install it on your machine.

Last edited by sh1ft; 10-01-2004 at 10:28 PM.
 
Old 10-02-2004, 08:56 PM   #5
race
Member
 
Registered: Nov 2003
Distribution: debian
Posts: 66

Original Poster
Rep: Reputation: 15
Thanks for the replies.

First: I know webmin is running on 10000. I have installed it to make configuring ssh, apache, and mysql a little easier.

Second: I installed chkrootkit from apt-get and it did not notice any sort of rootkits.

Third: I ran netstat; it all seems normal.

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 debianBox:ssh windowsMachine:3704 ESTABLISHED
tcp 0 0 *:10000 *:* LISTEN
tcp 0 0 *:www *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 *:auth *:* LISTEN
udp 0 0 *:10000 *:*
udp 0 0 *:bootpc *:*
raw 0 0 *:icmp *:* 7
raw 0 0 *:tcp *:* 7
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ] DGRAM 97 /dev/log
unix 1 [ W ] STREAM CONNECTED 15692
unix 1 [ ] STREAM CONNECTED 15691
unix 0 [ ] DGRAM 1763
unix 0 [ ] DGRAM 101

Since all this stuff seems normal, is my best solution to get iptables up and running?
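One way to act on Krugger's netstat -a suggestion and on the netstat listing above is to poll the kernel's socket table and diff it, instead of relying on a single nmap run, so a port that is open one moment and gone the next is caught together with the kind of socket it was. This is an added example, not code from the thread or from any of the posters; it reads /proc/net/tcp (the same table netstat reads), and the two snapshots embedded in it are constructed, not output from race's box. It also looks for self-connected sockets: a connect() scan of your own machine can briefly create one when the scanner's randomly chosen source port happens to equal the port it is probing, which is one concrete form of the "your own traffic" explanation and matches the open-then-closed pattern in the first post. The default port range (1024-4999) used when the sysctl file is not readable is an assumption for off-box runs.

```python
"""Snapshot /proc/net/tcp repeatedly and report sockets that appear or vanish.

Added example: the snapshots below are hand-written in the /proc/net/tcp
format (hex addresses and ports, two-character state code) and are
constructed, not output from the poster's machine.
"""
import time
from pathlib import Path

TCP_ESTABLISHED = "01"   # state codes as used in /proc/net/tcp
TCP_LISTEN = "0A"
PROC_NET_TCP = Path("/proc/net/tcp")
PORT_RANGE_FILE = Path("/proc/sys/net/ipv4/ip_local_port_range")

# Constructed snapshot: sshd (0x16=22), identd (0x71=113) and webmin (0x2710=10000)
# listening, plus one self-connected socket 127.0.0.1:1380 <-> 127.0.0.1:1380
# (0x0564=1380), the kind a connect() scan of your own host can create when its
# ephemeral source port equals the port it is probing.
SNAPSHOT_A = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 00000000 100 0 0 10 0
   1: 00000000:0071 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 00000000 100 0 0 10 0
   2: 00000000:2710 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1 00000000 100 0 0 10 0
   3: 0100007F:0564 0100007F:0564 01 00000000:00000000 00:00000000 00000000  1000        0 1999 1 00000000 20 4 30 10 -1
"""
# Constructed snapshot "taken" a few seconds later: the self-connection is gone.
SNAPSHOT_B = "\n".join(SNAPSHOT_A.splitlines()[:4]) + "\n"


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp text into dicts; ports and addresses are hex in the file."""
    entries = []
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        local_addr, local_port = fields[1].split(":")
        remote_addr, remote_port = fields[2].split(":")
        entries.append({
            "local_addr": local_addr,
            "local_port": int(local_port, 16),
            "remote_addr": remote_addr,
            "remote_port": int(remote_port, 16),
            "state": fields[3],
            "uid": int(fields[7]),
            "inode": int(fields[9]),   # matches "socket:[inode]" links under /proc/<pid>/fd
        })
    return entries


def listening_ports(entries):
    """Ports with a LISTEN socket: what netstat -a shows as LISTEN."""
    return {e["local_port"] for e in entries if e["state"] == TCP_LISTEN}


def self_connected_ports(entries):
    """ESTABLISHED sockets whose local and remote endpoints are identical."""
    return sorted(e["local_port"] for e in entries
                  if e["state"] == TCP_ESTABLISHED
                  and (e["local_addr"], e["local_port"]) == (e["remote_addr"], e["remote_port"]))


def ephemeral_range(default=(1024, 4999)):
    """Kernel's local (ephemeral) port range, or an assumed default when off-box."""
    try:
        lo, hi = PORT_RANGE_FILE.read_text().split()
        return int(lo), int(hi)
    except (OSError, ValueError):
        return default


def reachable_ports(text):
    """Ports a connect() scan would report open: listeners plus self-connections."""
    entries = parse_proc_net_tcp(text)
    return listening_ports(entries) | set(self_connected_ports(entries))


def diff_snapshots(before_text, after_text, port_range):
    """Return (appeared, vanished) as lists of (port, in_ephemeral_range) tuples."""
    lo, hi = port_range
    before, after = reachable_ports(before_text), reachable_ports(after_text)

    def tag(ports):
        return [(p, lo <= p <= hi) for p in sorted(ports)]

    return tag(after - before), tag(before - after)


def watch(interval=1.0, rounds=30):
    """Live mode: poll /proc/net/tcp and print every change (Linux only)."""
    previous = PROC_NET_TCP.read_text()
    for _ in range(rounds):
        time.sleep(interval)
        current = PROC_NET_TCP.read_text()
        appeared, vanished = diff_snapshots(previous, current, ephemeral_range())
        for port, eph in appeared:
            print(f"+ {port}{' (ephemeral range)' if eph else ''}")
        for port, eph in vanished:
            print(f"- {port}{' (ephemeral range)' if eph else ''}")
        previous = current


if __name__ == "__main__":
    print(diff_snapshots(SNAPSHOT_A, SNAPSHOT_B, (1024, 4999)))
```

Run watch() on the host itself while scanning it. A port that appears flagged as in the ephemeral range and shows up as a self-connection is the scanner's own doing; an appearing LISTEN port with no daemon you recognise is the case worth chasing, and the inode column is the handle for finding the owning process under /proc/*/fd.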
 
Old 10-02-2004, 09:11 PM   #6
race
Member
 
Registered: Nov 2003
Distribution: debian
Posts: 66

Original Poster
Rep: Reputation: 15
wtf squid-http????

I have uninstalled the internet service I had that was using a port. Ideally I only want 22 open for ssh.


Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Strange read error from debianBoxIP (104): Operation now in progress
Strange read error from debianBoxIP (104): Operation now in progress
Strange read error from debianBoxIP (104): Operation now in progress
Interesting ports on debianBoxIP (debianBoxIP):
(The 64995 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
113/tcp open auth
3128/tcp open squid-http
3646/tcp open unknown
4155/tcp open unknown
Nmap run completed -- 1 IP address (1 host up) scanned in 9 seconds

Also, if you look at:

me@Debian:~$ ps -aux
Bad syntax, perhaps a bogus '-'?
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.3 1272 488 ? S Oct01 0:07 init [2]
root 2 0.0 0.0 0 0 ? SW Oct01 0:00 [kflushd]
root 3 0.0 0.0 0 0 ? SW Oct01 0:05 [kupdate]
root 4 0.0 0.0 0 0 ? SW Oct01 0:00 [kswapd]
root 5 0.0 0.0 0 0 ? SW Oct01 0:00 [keventd]
root 119 0.0 0.6 2164 844 ? S Oct01 0:00 /sbin/dhclient-2.
root 173 0.0 0.6 2036 780 ? S Oct01 0:04 /sbin/syslogd
root 176 0.0 0.7 1716 920 ? S Oct01 0:00 /sbin/klogd
root 184 0.0 0.5 1988 704 ? S Oct01 0:00 /usr/sbin/inetd
root 196 0.0 0.9 2784 1208 ? S Oct01 0:00 /usr/sbin/sshd
root 203 0.0 0.5 1652 684 ? S Oct01 0:00 /usr/sbin/cron
root 210 0.0 0.3 1252 468 tty1 S Oct01 0:00 /sbin/getty 38400
root 211 0.0 0.3 1252 468 tty2 S Oct01 0:00 /sbin/getty 38400
root 212 0.0 0.3 1252 468 tty3 S Oct01 0:00 /sbin/getty 38400
root 213 0.0 0.3 1252 468 tty4 S Oct01 0:00 /sbin/getty 38400
root 214 0.0 0.3 1252 468 tty5 S Oct01 0:00 /sbin/getty 38400
root 215 0.0 0.3 1252 468 tty6 S Oct01 0:00 /sbin/getty 38400
root 3543 0.0 0.5 2044 744 ? S 06:47 0:00 /usr/sbin/lpd
root 4012 0.1 1.4 6396 1884 ? S 13:13 0:00 /usr/sbin/sshd
me 4014 0.1 1.5 6404 1968 ? S 13:13 0:00 /usr/sbin/sshd
me 4015 0.0 0.9 2212 1220 pts/0 S 13:13 0:00 -bash
identd 4020 0.0 0.5 11732 688 ? S 13:14 0:00 identd
identd 4021 0.0 0.5 11732 688 ? S 13:14 0:00 identd
identd 4022 0.0 0.5 11732 688 ? S 13:14 0:00 identd
identd 4023 0.0 0.5 11732 688 ? S 13:14 0:00 identd
identd 4024 0.0 0.5 11732 688 ? S 13:14 0:00 identd
identd 4025 0.0 0.5 11732 688 ? S 13:14 0:00 identd
identd 4026 0.0 0.5 11732 688 ? S 13:14 0:00 identd
me 4029 0.0 0.9 3160 1244 pts/0 R 13:14 0:00 ps -aux
me@Debian:~$

It's all quiet on the western front..........

Last edited by race; 10-03-2004 at 12:25 PM.