Hello
nmap command structure (usually called documentation) can be found here : http://insecure.org/nmap/man/ I am not sure to understand the second question filtering can be done upwards, i.e. the ISP filters outgoing TCP 27765 to prevent Trinoo from spreading filtering can also be done by your gateway's ISP downwards, i.e. any incoming Trinoo packet is dropped this is not the same ISP so not the same routers and not the same configuration hping can help to find which router actually filters this port with something like this : hping2 --destport 27765 --syn --traceroute --tr-stop 1.2.3.4 where 1.2.3.4 is the cisco's IP HTH have a nice day Maxime -----Message d'origine----- De : Faheem SIDDIQUI [mailto:[EMAIL PROTECTED] Envoyé : 20 octobre, 2006 22:20 À : Maxime Ducharme Cc : [email protected] Objet : Re: nmap reveals trinoo_master on router Thanks Maxime Seems like this is the most probable cause as I have done portscans on machines internally and that hasn't revealed anything. While we are at it, I tried to find the nmap command line structure to only check for this port (27765) on my internal IP address range, but couldn't quite hit it so did full scans. What would be the nmap command structure (for future sake!) One mystery still exists. Yes! We have one sole ISP in the region and chances are that when I do this nmap from my home across to my target gateway, a lot of ISPs routers would fall thru the route and they might have been configured to drop this port but then, another router I know of , when I run nmap on it's serial, doesn't show this port Trinoo_Master in filtered state. For sure it's the same ISP's routers my second nmap also passes through and if it's ISP configuration, nmap to every router in the region should display this port..Correct? Maxime Ducharme wrote: > Some router between the scanner and the server drops packets > adresses to these ports, thats why you see them as filtered > > It is common pratices for ISPs since these ports arent used > by common net users > > I cannot tell if you system is compromised or not, > but this scan reveals nothing abnormal > > HTH > > Maxime Ducharme > > -----Message d'origine----- > De : [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] De > la part de [EMAIL PROTECTED] > Envoyé : 18 octobre, 2006 07:36 > À : [email protected] > Objet : nmap reveals trinoo_master on router > > On my Cisco Router, I do a nmap scan from outside on the Internet. The > result is: > > " Interesting ports on *.*.50.1: > > Not shown: 1676 closed ports > PORT STATE SERVICE > 23/tcp filtered telnet > 135/tcp filtered msrpc > 1524/tcp filtered ingreslock > 27665/tcp filtered Trinoo_Master > > I am worried about the last two entries. The last nmap was done in Feb this > year and I have confirmed that the two port entries (tcp 1524/27665) did not > exist then. > Though the port state "filtered" is a solace but I am still concerned. How > can I be sure that the system has not been compromised? > > Also the current IOS Version of my Router 2811 is 12.4. It was the same case > with open ports when I was using older Router Series 1700 v 12.2, so I > thought maybe, it's an IOS issue and I upgraded my Router to 2811 with IOS v > 12.4 yesterday. But as soon as I plugged it into the circuit and did a > re-scan, I realised the nmap again gives the trinoo_master entry with state > as filtered. > > Where could lie the problem. Is it with my firewall (PIX 515) configuration > behind the router? > Please Advise!! > > I have seen Cisco's tech doc that exists here: > http://www.cisco.com/en/US/partner/tech/tk59/technologies_white_paper09186a0 > 080174a5b.shtml > > One of the solutions suggested therein is to implement "ip verify unicast > reverse-path" on the serial interface, but am not sure what will it serve? > Also, I suspect that I had other problems when I gave this command so I > reversed it. > > "sh process cpu" only shows cpu utilisation of about 5-6%. > Please advise!! > > ---------------------------------------------------------------------------- > -- > This List Sponsored by: Black Hat > > Attend the Black Hat Briefings & Training USA, July 29-August 3 in Las > Vegas. > World renowned security experts reveal tomorrow's threats today. Free of > vendor pitches, the Briefings are designed to be pragmatic regardless of > your > security environment. Featuring 36 hands-on training courses and 10 > conference > tracks, networking opportunities with over 2,500 delegates from 40+ nations. > > > http://www.blackhat.com > ---------------------------------------------------------------------------- > -- > > > > ------------------------------------------------------------------------------ This List Sponsored by: Black Hat Attend the Black Hat Briefings & Training USA, July 29-August 3 in Las Vegas. World renowned security experts reveal tomorrow's threats today. Free of vendor pitches, the Briefings are designed to be pragmatic regardless of your security environment. Featuring 36 hands-on training courses and 10 conference tracks, networking opportunities with over 2,500 delegates from 40+ nations. http://www.blackhat.com ------------------------------------------------------------------------------
