Praedor
Thanks for the quick reply.
The machine is using @home (cable modem connection).
I will get him to check the /var/log/security file on his machine.
That should give us the name of the program that is using that port.
I was more worried that there was a security hole/break-in.
Thanks
Dany Allard
Praedor Tempus wrote:
> One thing about nmap... depending on the scan type, it will show you a port
> number, protocol, its state and then give a name for a common service that
> uses that port. It doesn't mean that the port is actually making use of that
> port.
>
> So, if nmap gets a response during its scan from port 31337, then it will
> provide you with the above information and provide a name for some service
> that COULD use that port. It doesn't mean that it IS using that port.
>
> I did a scan of my local school network last year with nmap. On just about
> every windoze box it detected, it indicated port "31337/tcp open
> Backorifice". I notified the school IT guys and they looked into it and I
> also asked Fyodor (the maintainer/creator of nmap) about it. He indicates
> essentially what I said. If a port gives some sort of nmap-understandable
> reply, then nmap will identify the port and give you the name of a service
> that may use that port.
>
> If I have port 21 open on my system, even if I am NOT running an ftp server,
> and scan it with nmap, it will list "ftp" as the service associated with that
> port.
>
> In any case, it is EXTREMELY unlikely that someone would have hacked into
> your friend's system so soon after an install and setup. The attacker would
> first need to reconnoiter the system and then, perhaps, run a few apps/scripts
> (a script kiddie activity) that exploit commonly known vulnerabilities. Once
> in, the kiddie then uploads some files, etc. This takes at least SOME time.
>
> What sort of connection does this system use? DHCP on DSL? Static IP on
> DSL? Phone? Connected via a LAN?
>
> On Wednesday 07 February 2001 10:08, dany allard you wrote:
> > A friend of mine just set up his firewall with a stripped-down version of
> > Mandrake 7.2 using rc.firewall.
> >
> > The strange thing is that when I scan the machine (nmap) I see the
> > following port open.
> >
> > 31337/tcp filtered Elite
> >
> > The only use I know for that port is for back doors.
> [...]
>
> --
> Against stupidity, the gods themselves contend in vain.
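
A host-side check for the question in this thread, whether anything on the machine is really listening on the port nmap labelled, and which program owns it. This is an added example, not part of the original messages; it assumes a current little-endian Linux host with /proc, and the sample table rows are constructed. Ports a firewall rule merely drops (nmap's "filtered") do not appear in this table, since no socket exists for them.

```python
import os
import socket
import struct

# Constructed sample in /proc/net/tcp layout (not from the thread): listeners on
# 22 and 25, one established connection, nothing listening on 31337.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1377 1 0000000000000000 100 0 0 10 0
   2: 0A01A8C0:0016 0501A8C0:C350 01 00000000:00000000 02:000A0B0C 00000000     0        0 1590 4 0000000000000000 20 4 30 10 -1
"""

def listening_sockets(table_text):
    """Return {port: (bind_address, inode)} for sockets in LISTEN state (st == 0A)."""
    listeners = {}
    for line in table_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10 or fields[3] != "0A":
            continue
        hex_ip, hex_port = fields[1].split(":")
        # The address is a 32-bit value printed in host byte order;
        # "<I" assumes a little-endian machine such as x86.
        addr = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        listeners[int(hex_port, 16)] = (addr, fields[9])
    return listeners

def owner_of_inode(inode, proc_root="/proc"):
    """Return (pid, command) of the process holding the socket inode, or None.
    Run as root to see other users' file descriptors."""
    target = f"socket:[{inode}]"
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        try:
            fd_dir = os.path.join(proc_root, pid, "fd")
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    with open(os.path.join(proc_root, pid, "comm")) as f:
                        return int(pid), f.read().strip()
        except OSError:
            continue  # process exited, or permission denied
    return None

if __name__ == "__main__":
    with open("/proc/net/tcp") as f:  # live table on the firewall itself
        live = listening_sockets(f.read())
    for port, (addr, inode) in sorted(live.items()):
        print(port, addr, owner_of_inode(inode))
    print("31337 listening:", 31337 in live)
```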