5

If I scan my server with nmap, it shows that port 21 is open. But when I log in to this server and run netstat, I see nothing.

$ nmap -sT server

Starting Nmap 4.76 ( http://nmap.org ) at 2009-06-24 11:54 MSD
Interesting ports on server (x.x.x.x):
Not shown: 994 filtered ports
PORT     STATE  SERVICE
21/tcp   open   ftp
22/tcp   open   ssh
...

Nmap done: 1 IP address (1 host up) scanned in 7.97 seconds
$ netstat --listen --tcp --numeric

How can it be? Can it be a security issue?

UPD: tcpdump output while connecting with nmap

13:13:02.982805 IP 10.19.10.2.51983 > server.ftp: S 767068541:767068541(0) win 5840 
13:13:04.096705 IP 10.19.10.2.52000 > server.ftp: S 792080356:792080356(0) win 5840 
13:13:04.131169 IP server.ftp > 10.19.10.2.52000: S 3312178661:3312178661(0) ack 792080357 win 32768 
13:13:04.131346 IP 10.19.10.2.52000 > server.ftp: . ack 1 win 46 
13:13:04.131737 IP 10.19.10.2.52000 > server.ftp: R 1:1(0) ack 1 win 46 
lexsys
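An added example, not from the question or any of the answers, that automates the comparison the thread turns on: which ports the capture shows the server's address completing a SYN/ACK for, versus which ports `netstat --listen --tcp --numeric` shows a local listener on. A port that answers with SYN/ACK but has no listener is either a hidden listener on the host (rootkit territory) or a device in the path answering on the server's behalf (NAT, a transparent proxy, a router feature). The deciding check is where the capture was taken: if tcpdump on the server itself shows no reply leaving the host, the reply came from the path. The sample capture and netstat text below are constructed to mirror the question's output; the host name `server` and the small service-name table are assumptions.

```python
import re

# Constructed sample input modelled on the question's tcpdump capture.
# Port 21 handshakes; port 22 handshakes; port 21 has no local listener.
TCPDUMP_LINES = """\
13:13:02.982805 IP 10.19.10.2.51983 > server.ftp: S 767068541:767068541(0) win 5840
13:13:04.096705 IP 10.19.10.2.52000 > server.ftp: S 792080356:792080356(0) win 5840
13:13:04.131169 IP server.ftp > 10.19.10.2.52000: S 3312178661:3312178661(0) ack 792080357 win 32768
13:13:04.131346 IP 10.19.10.2.52000 > server.ftp: . ack 1 win 46
13:13:04.131737 IP 10.19.10.2.52000 > server.ftp: R 1:1(0) ack 1 win 46
13:13:05.000000 IP 10.19.10.2.52010 > server.ssh: S 1:1(0) win 5840
13:13:05.010000 IP server.ssh > 10.19.10.2.52010: S 9:9(0) ack 2 win 32768
"""

# Constructed sample output of `netstat --listen --tcp --numeric` on the server.
NETSTAT_OUTPUT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
"""

# tcpdump prints service names for well-known ports unless run with -n;
# this small table (an assumption) maps the names back to numbers.
SERVICE_PORTS = {"ftp": 21, "ssh": 22, "smtp": 25, "http": 80, "https": 443}

# Matches the TCP summary line: "IP <src> > <dst>: <flags> <rest>"
LINE_RE = re.compile(r" IP (\S+) > (\S+): (\S+) (.*)$")


def _split_endpoint(endpoint):
    """'server.ftp' -> ('server', 21); '10.19.10.2.51983' -> ('10.19.10.2', 51983)."""
    host, _, port = endpoint.rpartition(".")
    return host, SERVICE_PORTS.get(port, None) if not port.isdigit() else int(port)


def synack_ports(tcpdump_text, server_host):
    """Ports on which server_host was seen sending SYN/ACK (i.e. something answered)."""
    answered = set()
    for line in tcpdump_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, _dst, flags, rest = m.groups()
        host, port = _split_endpoint(src)
        # A SYN with an ack field is the second step of the handshake.
        if host == server_host and flags == "S" and " ack " in f" {rest} " and port is not None:
            answered.add(port)
    return answered


def listening_ports(netstat_text):
    """TCP ports the kernel reports as LISTEN in netstat output."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("tcp") and fields[-1] == "LISTEN":
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports


def phantom_ports(tcpdump_text, netstat_text, server_host):
    """Ports that complete a handshake as the server but have no local listener."""
    return sorted(synack_ports(tcpdump_text, server_host) - listening_ports(netstat_text))


if __name__ == "__main__":
    for port in phantom_ports(TCPDUMP_LINES, NETSTAT_OUTPUT, "server"):
        print(f"port {port}: SYN/ACK seen from server, but no LISTEN socket; "
              f"check whether the reply left this host (tcpdump here) or the path answered")
```

Run the capture-side function on a tcpdump taken on the server itself, not on the scanning machine: a port that appears in `phantom_ports` from a server-side capture points at the host, while a port that appears only in a capture taken elsewhere points at a device between the two.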

12 Answers

10

Are you on the same segment as the server in question? Portscanning via routers can give bogus results.

chankster
  • Server is in datacenter – lexsys Jun 24 '09 at 09:00
  • And is the machine you're running nmap from also in the datacenter and in the same subnet? – chankster Jun 24 '09 at 09:05
  • No, it is not in datacenter. – lexsys Jun 24 '09 at 09:07
  • While I realize you may not have the option, try running nmap from a machine in the same subnet to rule out router interference. – chankster Jun 24 '09 at 09:28
  • I can't do this - we have only one server in this datacenter. – lexsys Jun 24 '09 at 12:58
  • It's probably the closest he'll get if he can't run a subnet-local nmap scan. – chankster Jun 25 '09 at 09:52
  • It is the most possible case. Tests didn't find any rootkits on the server. In the firewall log I see that all the packets to port 21 are dropped. And tcpdump on the server side shows that there is no answer from the server on the incoming connection. I think it is the router between us which shows such strange behaviour. – lexsys Jun 26 '09 at 06:38
4

As previously mentioned, I'm posting here to reiterate; this is common if you're nmap'ing from behind a NAT'd router. Are you running NMAP from behind your home ADSL or cable modem? I see this all the time with my Apple TimeCapsule. It can give you a shock the first time you see it :)

Andrew

Andrew Taylor
2

From tcpdump, it is showing clearly that someone is responding to your requests.

Can you try:

  • FTP'ing directly to the box? See what happens.
  • If you have a NAT in the middle, it might be redirecting to another box.
  • Can you run tcpdump on the destination machine itself? See if any packet is getting through.

Plus, try nc -l tcp 21 to see if you can listen on port 21. If you can't and nothing is showing up in netstat, you might be compromised. Try rootcheck to see if it finds something (since chkrootkit didn't find anything: http://www.ossec.net/rootcheck ).

sucuri
2

Look at this answer:

Turning off FTP

FWH
0

Odd one, try running tcpdump while connecting to it with nmap, that should show whether the traffic is actually getting to the machine.

Chopper3
0

Maybe there is some kind of NAT on this machine or on some other router on the way? Check the output of iptables-save (if it's Linux).

mateusza
0

Is your DNS working? Try nmapping by IP instead of name.

Jason Tan
0

Your server is probably infected with a rootkit

dmityugov
0

It could be a security issue. If your server has been rootkitted then the kernel will report what the kernel is told to report by the rootkit and would therefore show a discrepancy with the external scan.

Mark Sutton
0

It may be interesting to see if you can actually ftp to the server. You may want to use telnet or netcat and RFC 959 to see if you get any low-level responses that could clue you in to where and what is responding on that port.

erichui
0

Could you have something in /etc/inetd.conf or xinetd.conf that would open that port?

0

Try nmap'ing another address on the same network which you know is unused; if that also shows the port open, then someone is NAT'ing your traffic somewhere else.

MarkR