Re: [FUG-BR] Firewall Port Analysis

2006-11-08 By thread Celso Viana
On 08/11/06, Cristina Fernandes Silva [EMAIL PROTECTED] wrote:
 Folks,

 I'm analysing the firewall of a company where a friend works; I found
 this through nmap

 Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2006-11-08 10:52 BRT
 Interesting ports on XXX.XXX.XXX.XXX:
 Not shown: 1640 closed ports, 31 filtered ports
 PORT     STATE SERVICE     VERSION
 22/tcp   open  ssh         OpenSSH 3.9p1 (protocol 2.0)
 80/tcp   open  http-proxy  Squid webproxy 2.5.STABLE6
 82/tcp   open  http        Apache httpd 2.0.48 ((Unix) PHP/4.3.5RC4-dev)
 83/tcp   open  http        Microsoft IIS webserver 5.0
 89/tcp   open  http        Microsoft IIS webserver 6.0
 987/tcp  open  unknown
 1987/tcp open  tr-rsrb-p1?
 3128/tcp open  http-proxy  Squid webproxy 2.5.STABLE6
 5010/tcp open  telelpathstart?
 2 services unrecognized despite returning data. If you know the service/version,
 please submit the following fingerprints at
 http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
 

Re: [FUG-BR] Firewall Port Analysis

2006-11-08 By thread Marcello Costa
It means there is something listening on those ports; depending on the
platform it could be anything from a little trojan to some application
that does updates over the network.

But what looks strange to me is two Squids and 3 web servers on
different ports.

1987:
http://publique.rdc.puc-rio.br/rdc/cgi/cgilua.exe/sys/start.htm?infoid=194sid=26tpl=printerview

On Wed, 2006-11-08 at 13:13 -0300, Cristina Fernandes Silva wrote:
 Folks,
 
 I'm analysing the firewall of a company where a friend works; I found
 this through nmap
 
 Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2006-11-08 10:52 BRT
 Interesting ports on XXX.XXX.XXX.XXX:
 Not shown: 1640 closed ports, 31 filtered ports
 PORT     STATE SERVICE     VERSION
 22/tcp   open  ssh         OpenSSH 3.9p1 (protocol 2.0)
 80/tcp   open  http-proxy  Squid webproxy 2.5.STABLE6
 82/tcp   open  http        Apache httpd 2.0.48 ((Unix) PHP/4.3.5RC4-dev)
 83/tcp   open  http        Microsoft IIS webserver 5.0
 89/tcp   open  http        Microsoft IIS webserver 6.0
 987/tcp  open  unknown
 1987/tcp open  tr-rsrb-p1?
 3128/tcp open  http-proxy  Squid webproxy 2.5.STABLE6
 5010/tcp open  telelpathstart?
 2 services unrecognized despite returning data. If you know the service/version,
 please submit the following fingerprints at
 http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
 

Re: [FUG-BR] Firewall Port Analysis

2006-11-08 By thread c0re dumped
  80/tcp   open  http-proxy  Squid webproxy 2.5.STABLE6

  3128/tcp open  http-proxy  Squid webproxy 2.5.STABLE6

Does your friend use Squid as a reverse proxy? Just as a tip, I suggest
he use Pound instead of Squid.

Another thing: by the look of it her proxy is open. This happens a lot
when reverse-proxying with Squid; most people forget to close
port 3128.

That port 3128 (normally used for HTTP requests) should not be
accepting connections from external addresses.

As a consequence, anyone on the Internet can access sites using his
proxy as the source address... you can imagine the size of the
problem, right?

I suggest he take a look at the http_port directive in his squid.conf.


[]'s


-- 

No stupid signatures here.
-
Archive: http://www.fug.com.br/historico/html/freebsd/
Leave the list: https://www.fug.com.br/mailman/listinfo/freebsd
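As an added illustration (not from the thread or the Squid project), here is the weak accelerator setup that would produce exactly this scan result (Squid answering on 80 and 3128 and forwarding for anyone) next to a corrected one, written with the Squid 2.5 directive names because that is the version the scan reports. Assumptions: www.example.com stands in for the real site; on Squid 2.6 and later the httpd_accel_* lines are replaced by `http_port 80 accel defaultsite=...`.

```conf
# --- Weak: what the scan suggests is running today ---
# Two listeners, and the accelerator is also allowed to act as an
# ordinary forward proxy for any client on the Internet.
http_port 80
http_port 3128
httpd_accel_host www.example.com      # stand-in for the real site
httpd_accel_port 80
httpd_accel_with_proxy on             # lets anyone fetch arbitrary URLs
http_access allow all                 # no source or destination restriction

# --- Corrected: accelerator only, for one site, on one port ---
http_port 80                          # drop 3128 (or bind it: http_port 127.0.0.1:3128)
httpd_accel_host www.example.com
httpd_accel_port 80
httpd_accel_single_host on
httpd_accel_with_proxy off            # the accelerator must never forward-proxy
httpd_accel_uses_host_header off      # one site only, so do not trust the Host header

acl our_site dstdomain www.example.com
acl Safe_ports port 80
acl CONNECT method CONNECT

http_access deny CONNECT              # no tunnelling through the accelerator
http_access deny !Safe_ports
http_access allow our_site            # only requests for the accelerated site
http_access deny all                  # everything else, including open-proxy use
```

Check the file with `squid -k parse` before reloading, then confirm from an outside host that a request for any third-party URL through port 80 now gets a 403 instead of being served.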


Re: [FUG-BR] Firewall Port Analysis

2006-11-08 By thread irado furioso com tudo
On Wed, 8 Nov 2006 13:13:10 -0300 (ART)
Cristina Fernandes Silva [EMAIL PROTECTED] wrote:

 987/tcp  open  unknown
 1987/tcp open  tr-rsrb-p1?

grep 987 /etc/services

tr-rsrb-p1  1987/tcp   #cisco RSRB Priority 1 port
tr-rsrb-p1  1987/udp   #cisco RSRB Priority 1 port

Well... what that is doing there, I don't know. I think a Google search
should help.

As for 987, I believe it is used by sendmail (or am I mixing everything
up?). Well, do this:

#netstat -natp 

(as root)

it will show you which process is listening on that service/port. Then
it's just a matter of deciding whether or not it should stay active.

have fun.



-- 

regards,
irado furioso com tudo
Linux User 179402/FreeBSD BSD50853/FUG-BR 154
100% Miko$hit-free
Experience teaches that the ideal woman is always someone else's