----- Original Message -----
From: "joe" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, January 07, 2003 7:45 PM
Subject: ghostly mail ports

> 192.168.0.1
> Responded in 0 ms.
> 0 hops away
> Responds with ICMP unreachable: No
> TCP ports: 25 110 135 139 445
>
>
> -----------------------------------------------------------------------------
>
> Scan finished at Wed Jan 08 00:37:09 2003
>
> 1 IP and 1000 ports scanned in 0 hours 0 mins 18.16 secs
>
> but in netstat, activeports, fport they don't! Does anybody know where they
> have come from? I googled for ages but don't seem to be getting anywhere.

I'm curious about the discrepancy between the scanner and the port monitor
outputs. First thing I would do, if you're scanning from another machine, is
double check your IP address. If you're scanning from your machine, replace
192.168.0.1 with 127.0.0.1 and see what that shows.

You're correct in saying that an open port requires a process behind it.
Maybe you read this article already; it might give you some ideas.
2. Windows Forensics: A Case Study, Part One
by Stephen Barish
http://online.securityfocus.com/infocus/1653

Of course, sans.org will also have some good walkthroughs.

Regards,

Gary
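
Added example, not part of the original messages: one way to line up the scanner's port list from the quoted report against the listening sockets in `netstat -an`, so that ports with no local listener stand out. The netstat text is a constructed sample, and the names `parse_listeners` and `reconcile` are hypothetical.

```python
import re

# Constructed sample of Windows `netstat -an` output (not taken from the thread).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.0.1:139        0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1028         0.0.0.0:0              LISTENING
  TCP    192.168.0.1:1031       192.168.0.5:80         ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Address and ports as reported by the scanner in the quoted message.
SCANNED_ADDR = "192.168.0.1"
SCANNER_PORTS = [25, 110, 135, 139, 445]

# Matches only TCP rows in LISTENING state; captures bind address and port.
LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$")

def parse_listeners(netstat_text):
    """Return {port: set(bind addresses)} for TCP sockets in LISTENING state."""
    listeners = {}
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            listeners.setdefault(int(m.group(2)), set()).add(m.group(1))
    return listeners

def reconcile(scanner_ports, scanned_addr, listeners):
    """Classify each scanner-reported port against the local listener table."""
    result = {}
    for port in scanner_ports:
        binds = listeners.get(port, set())
        if "0.0.0.0" in binds or scanned_addr in binds:
            result[port] = "listener reachable on scanned address"
        elif binds:
            result[port] = "listener bound elsewhere: " + ", ".join(sorted(binds))
        else:
            result[port] = "no local listener"
    return result

if __name__ == "__main__":
    table = parse_listeners(NETSTAT_SAMPLE)
    for port, verdict in reconcile(SCANNER_PORTS, SCANNED_ADDR, table).items():
        print(f"{port:>5}  {verdict}")
```

With the constructed sample, ports 25 and 110 come back as "no local listener", which is the discrepancy described in the quoted message; rerunning the comparison with the scan pointed at 127.0.0.1 is the second check suggested in the reply.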



