
I was scanning one of my friend's servers using nmap and got these port details.

PORT      STATE    SERVICE
22/tcp    open     ssh
42/tcp    filtered nameserver
80/tcp    open     http
111/tcp   open     rpcbind
135/tcp   filtered msrpc
139/tcp   filtered netbios-ssn
161/tcp   filtered snmp
179/tcp   filtered bgp
443/tcp   open     https
1028/tcp  filtered unknown
1080/tcp  filtered socks 
3128/tcp  filtered squid-http
6666/tcp  filtered irc
6667/tcp  filtered irc
6668/tcp  filtered irc
7402/tcp  open     unknown
10082/tcp open     amandaidx

And when I logged into the machine using SSH and scanned it again using nmap, I got the following result:

PORT      STATE SERVICE
22/tcp    open  ssh
25/tcp    open  smtp
80/tcp    open  http
111/tcp   open  rpcbind
443/tcp   open  https
631/tcp   open  ipp
7402/tcp  open  rtps-dd-mt
10082/tcp open  amandaidx

My question is: why is it showing IRC ports and Squid ports on the first scan? We don't have anything installed on it. It's a dedicated box, not running in a VM. Is there any possibility that it might have been compromised? It doesn't have any iptables on it either.

user994535

2 Answers


The differences are due to the interface each service is listening on, and filtering done by your Internet Service Provider (ISP). When there is no firewall between the scanning host and the target, closed TCP ports respond with a RST packet, and can be reasonably assumed to be really closed. A firewall which has been configured to block a port will silently drop all packets to that port, so the scanning host sees no response. Nmap indicates this status as filtered, since there is no way to tell if the port is actually open or closed.

The 2 services that do not show up in the first scan (25/tcp and 631/tcp) are most likely listening on the loopback interface only. You can check this by running netstat -tln and looking at the "Local Address" column. If the Local Address is 0.0.0.0:631, then it is listening on all available interfaces. If it is 127.0.0.1:631, then it is listening on the loopback interface only, and is not open to the network.

bonsaiviking
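The loopback check this answer describes, worked through as an added example (not part of the answer): a Python script that parses `netstat -tln` output and lines the listening sockets up against the ports the remote scan reported. The netstat text below is constructed to match the question's second scan, with 25/tcp and 631/tcp bound to loopback, and the port lists come from the question; the `explain` verdict wording is this example's own. Ports reported `filtered` remotely with nothing listening locally are the ones an upstream device, such as the ISP, is dropping.

```python
import ipaddress

# Constructed `netstat -tln` output modelled on the question's second scan
# (not captured from the real host): 25/tcp and 631/tcp are bound to loopback.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:7402            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:10082           0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN
"""

# Port states from the question's first (remote) Nmap scan.
REMOTE_SCAN = {
    "open": {22, 80, 111, 443, 7402, 10082},
    "filtered": {42, 135, 139, 161, 179, 1028, 1080, 3128, 6666, 6667, 6668},
}

# The widest scope wins when a port is bound on several addresses (22 on v4 and v6).
SCOPE_RANK = {"loopback only": 0, "one interface": 1, "all interfaces": 2}


def parse_local_address(addr):
    """Split netstat's 'host:port'; rpartition keeps IPv6 hosts such as '::1' intact."""
    host, _, port = addr.rpartition(":")
    return host, int(port)


def classify_scope(host):
    """Wildcard binds reach every interface; loopback binds are reachable locally only."""
    if host in ("0.0.0.0", "::", "*"):
        return "all interfaces"
    if ipaddress.ip_address(host).is_loopback:
        return "loopback only"
    return "one interface"


def listening_ports(netstat_output):
    """Return {port: widest scope} for every LISTEN line in the netstat output."""
    scopes = {}
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[-1] != "LISTEN":
            continue  # header lines and anything that is not a listener
        host, port = parse_local_address(fields[3])
        scope = classify_scope(host)
        if port not in scopes or SCOPE_RANK[scope] > SCOPE_RANK[scopes[port]]:
            scopes[port] = scope
    return scopes


def explain(remote_scan, scopes):
    """Pair each port the remote scan reported with what the host itself shows."""
    verdicts = {}
    for port in sorted(remote_scan["open"] | remote_scan["filtered"]):
        scope = scopes.get(port)
        if port in remote_scan["open"]:
            if scope is None:
                verdicts[port] = "open remotely but no local listener: investigate"
            else:
                verdicts[port] = "open remotely, listening on " + scope
        elif scope is None:
            verdicts[port] = "filtered remotely, nothing listening locally: dropped upstream (e.g. by the ISP)"
        else:
            verdicts[port] = "filtered remotely but listening locally: a firewall sits between scanner and host"
    # Listeners the remote scan never reached (loopback-only services, or ports it did not probe).
    for port, scope in sorted(scopes.items()):
        verdicts.setdefault(port, "listening on " + scope + ", not reached by the remote scan")
    return verdicts


if __name__ == "__main__":
    for port, verdict in sorted(explain(REMOTE_SCAN, listening_ports(SAMPLE_NETSTAT)).items()):
        print(f"{port:>5}/tcp  {verdict}")
```

To use it on a live host, replace `SAMPLE_NETSTAT` with the real `netstat -tln` (or `ss -tln`, whose columns differ slightly) output and `REMOTE_SCAN` with the port states from the external scan.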

These ports are most likely being filtered by your friend's Internet Service Provider.

Michael Hampton
  • Is there any way to verify that? – user994535 Sep 14 '12 at 18:09
  • Call the ISP and ask them? – Michael Hampton Sep 14 '12 at 18:09
  • @user994535 you can see listening ports with the `netstat` command. – bonsaiviking Sep 14 '12 at 18:12
  • @user994535: It might be possible to determine with fair accuracy by checking how many decrements the ttl gets in comparison to the open services. – 3molo Sep 14 '12 at 18:24
  • @3molo good idea, but the `filtered` output means there was no response received, so no packet = no ttl. If a firewall were rejecting instead of filtering, you could get ttl values from the Nmap XML output, XPath: `//port/state[@reason="closed"]/@reason_ttl` – bonsaiviking Sep 14 '12 at 19:27
  • If a filtering device is say 4 hops away while the services are 9 hops away, setting a ttl to 6 and not getting any answer means that the filtering device on hop 4 dropped it - otherwise you would get a ttl 0 during transit. – 3molo Sep 15 '12 at 05:59
  • icmp time exceeded, not blah blah during transit. :-). – 3molo Sep 15 '12 at 06:12
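A worked version of the `reason_ttl` idea from the comments, added here as an example that is not part of the thread: Nmap's XML output (`-oX`) records for each port the `reason` behind the state and the TTL of the packet that produced it. The script parses a constructed XML fragment (not a real scan; the ports and TTL values are made up) and compares each answered port's TTL with the TTL seen on open ports. A reset or an ICMP reply carrying a different TTL was generated a different number of hops away, so by something other than the target, while `no-response` ports carry no TTL at all, which is bonsaiviking's point. The `reason` strings used (`syn-ack`, `reset`, `no-response`, `admin-prohibited`) are the ones Nmap emits.

```python
import xml.etree.ElementTree as ET

# Constructed Nmap XML fragment (not from a real scan): an open and a closed port
# answered by the target (TTL 52), one port dropped silently, and one rejected
# with an ICMP admin-prohibited message from a nearer device (TTL 58).
SAMPLE_NMAP_XML = """\
<nmaprun scanner="nmap">
  <host>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="52"/></port>
      <port protocol="tcp" portid="23"><state state="closed" reason="reset" reason_ttl="52"/></port>
      <port protocol="tcp" portid="3128"><state state="filtered" reason="no-response" reason_ttl="0"/></port>
      <port protocol="tcp" portid="1080"><state state="filtered" reason="admin-prohibited" reason_ttl="58"/></port>
    </ports>
  </host>
</nmaprun>
"""


def port_reasons(xml_text):
    """Extract port number, state, reason and reason_ttl for every scanned port."""
    root = ET.fromstring(xml_text)
    rows = []
    for port in root.iter("port"):
        state = port.find("state")
        rows.append({
            "port": int(port.get("portid")),
            "state": state.get("state"),
            "reason": state.get("reason"),
            "reason_ttl": int(state.get("reason_ttl", "0")),
        })
    return rows


def reset_ttls(xml_text):
    """ElementTree equivalent of the XPath //port/state[@reason='reset']/@reason_ttl."""
    root = ET.fromstring(xml_text)
    return [int(s.get("reason_ttl")) for s in root.findall(".//port/state[@reason='reset']")]


def ttl_origin(rows):
    """Attribute each response to the target or to another device by comparing TTLs.

    Open ports must have been answered by the target itself, so their TTL is the
    reference; a response with a different TTL travelled a different hop count.
    """
    target_ttls = {r["reason_ttl"] for r in rows if r["state"] == "open"}
    origin = {}
    for r in rows:
        if r["reason"] == "no-response":
            origin[r["port"]] = "no packet came back, so there is no TTL to compare"
        elif r["reason_ttl"] in target_ttls:
            origin[r["port"]] = "answered by the target host"
        else:
            origin[r["port"]] = "answered by another device (different hop distance)"
    return origin


if __name__ == "__main__":
    rows = port_reasons(SAMPLE_NMAP_XML)
    for r, verdict in zip(rows, ttl_origin(rows).values()):
        print(f"{r['port']:>5}/tcp {r['state']:<8} {r['reason']:<16} ttl={r['reason_ttl']:<3} {verdict}")
```

Against a real scan, feed the file written by `nmap -oX scan.xml ...` to `port_reasons`; the comparison only works for ports that produced some packet, which is why silently dropped (`filtered`, `no-response`) ports give nothing to go on.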