3

I was running a routine security check of the machines I manage today and found in my nmap scans that TCP/554 is open, although when I run 'netstat -an' on the machine itself it doesn't show up; same result if I nmap the host locally.

I then tried connecting to www.google.com on tcp/554 and it is open and it seems all hosts 'have the port open'.

Obviously my ISP is doing something here, but then I tried the same on my iPhone via a 3G connection and it returns the same results. My ISP is a satellite ISP and my phone/3G connection is with a totally separate provider. Any ideas?

Hilton D

4 Answers

6

I had a similar issue. For me, it turned out Apple Time Capsule was making it appear that ports 21, 554, and 7070 were open (it would proxy requests and not check if connections were accepted until later in the exchange.) So, if you're using an Apple networking device, I'd check there.

Adam
1

tcp/554 is rtsp - Real Time Streaming Protocol. Some types of streaming media (RealAudio, QuickTime, and others) use this port. A web server would typically have this open and listening if there are any types of these activities.

Greg Askew
  • My box doesn't run any web service...that is why I am concerned – Hilton D Feb 13 '10 at 23:38
  • If the machine is Windows you can run "netstat -a -b -v -n" to display the processes associated with a particular open port. On Linux, "netstat -a -p -v -n". – Greg Askew Feb 14 '10 at 23:11
  • Thanks Greg. I ran that before I posted this question - nothing is listening on that port which is why I think that my ISP / router is faking something... – Hilton D Feb 20 '10 at 09:04
0

Do a TCP trace-route (yes, you can do not only ICMP) to your destination. You will then see where the connection terminates: at your ISP (or somebody else on the way) or at your real destination. Compare with an ICMP trace-route or a trace of other ports.

You can use nping from the nmap package to do the trace.

  • I believe the normal case of traceroute uses UDP, though I may be in error. In any case, however, it tends to listen for ICMP TTL exceeded messages on the return path. – Falcon Momot Sep 15 '13 at 19:28
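
One way to run the comparison this answer describes without raw sockets or root, as an added example that is not part of the original answers: it limits the IP TTL on ordinary `connect()` calls instead of using nping. The names `probe` and `answered_early` are made up for this example, and it assumes IPv4 and a reference port that the real host itself answers.

```python
import socket
import sys

def probe(host, port, max_ttl=30, timeout=2.0):
    """TTL-limited TCP connect. Returns (state, ttl): the smallest TTL at
    which something answered the SYN, or ("filtered", None) if nothing did."""
    addr = socket.getaddrinfo(host, port, socket.AF_INET,
                              socket.SOCK_STREAM)[0][4]
    for ttl in range(1, max_ttl + 1):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.IPPROTO_IP, socket.IP_TTL, ttl)
        s.settimeout(timeout)
        try:
            s.connect(addr)
            return ("open", ttl)       # SYN-ACK came from <= ttl hops away
        except ConnectionRefusedError:
            return ("closed", ttl)     # RST came from <= ttl hops away
        except OSError:
            continue                   # SYN expired in transit or was dropped
        finally:
            s.close()
    return ("filtered", None)

def answered_early(suspect, reference):
    """True when the suspect port completes its handshake closer to us than
    the reference port on the same host, i.e. a device on the path accepted
    the connection instead of the real destination."""
    return (suspect[0] == "open" and reference[1] is not None
            and suspect[1] < reference[1])

if __name__ == "__main__":
    # usage: python3 ttl_probe.py <host> [suspect_port] [reference_port]
    host = sys.argv[1]
    suspect_port = int(sys.argv[2]) if len(sys.argv) > 2 else 554
    reference_port = int(sys.argv[3]) if len(sys.argv) > 3 else 80
    suspect = probe(host, suspect_port)
    reference = probe(host, reference_port)
    print(f"tcp/{suspect_port}: {suspect}")
    print(f"tcp/{reference_port}: {reference}")
    print("answered by a device on the path:", answered_early(suspect, reference))
```

A suspect port that reports open at a TTL of 1 or 2 while the reference port needs many more hops points at the local router or ISP equipment rather than the destination host.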
0

Various routers (Verizon FiOS, BT Home Hub, Apple Airport Extreme, ...) always show *:554 and *:7070 as open for some reason.

Hackerific » False positive TCP ports!

Zaz