
Re: Funny story about mysteriously open port 21

On 09.03.2010 09:21, Sir Conquer wrote:

> As I was testing new iptables rules on my remote Lenny server, port
> 21 kept coming up as open, yet nothing was listening on it (according
> to netstat and lsof). At which point I'm panicking and wondering
> whether I've been owned! The panic had productive side-effects, as I
> discovered several misconfigurations in Bind. Still, no matter where
> I poked - I could not figure out what the hell is opening the damn
> ftp port... After making sure that I'm thoroughly dropping all
> traffic from APNIC subnets, and as I was getting ready to post a
> question about my dilemma here - I had a eureka moment - I'M RUNNING
> FTP PROXY on my LAN gateway! LOL :-) I laughed so hard that I woke up
> (and pissed off) my wife!

The same can very easily happen if your network uses some sort of
transparent web-proxy, either using the classic iptables REDIRECT
approach or with the help of a Cisco router and WCCP.

Outgoing port 80 will always seem to be available and this has more than
once driven me nearly mad :)

Also tcptraceroutes with destination port 80 will always end in your own
network (in your proxy) instead of tracing the internets, but the
resulting hostname will still be the one you targeted:

xxxx@YYYY:~$ tcptraceroute.mt -N www.debian.org 80
Selected device eth0, address, port 39841 for outgoing
Tracing the path to www.debian.org ( on TCP port 80 (www), 30 hops max
 1  fw01-1-ha-dvzadmins.dvz.fh-giessen.de (  0.248 ms  0.999 ms  1.195 ms
 2  asr-a016-ge1-v107.its.fh-giessen.de (  2.130 ms  2.540 ms  2.798 ms
 3  www.de.debian.org ( [open]  5.206 ms  3.518 ms  1.310 ms

So, lesson learned: if you do remote forensics, always make sure your
network behaves the way you think it does.
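A small sanity check for the situation described above (a transparent iptables REDIRECT or WCCP proxy making a port look open from the inside). This is an added example, not code from either poster: it probes an address that should never answer (192.0.2.1 from the RFC 5737 TEST-NET-1 range, chosen here as a constructed control target) on the suspect port and on a neighbouring control port; if only the suspect port completes a handshake, something on your own path is answering for it.

```python
import socket

# Constructed control target: 192.0.2.1 (RFC 5737 TEST-NET-1) is never routed
# on the public Internet, so a completed handshake to it cannot be the real host.
CONTROL_HOST = "192.0.2.1"
SUSPECT_PORT = 80   # port a transparent web-proxy typically intercepts (21 for an FTP proxy)
CONTROL_PORT = 81   # neighbouring port that a port-specific REDIRECT rule leaves alone
TIMEOUT = 3.0       # seconds to wait for the SYN/ACK before giving up


def tcp_connects(host, port, timeout=TIMEOUT):
    """Return True if a full TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # timeout, refused, unreachable: all count as "no answer"
        return False


def interception_verdict(probe, host=CONTROL_HOST,
                         suspect=SUSPECT_PORT, control=CONTROL_PORT):
    """Classify what the network does with the suspect port.

    probe is a callable (host, port) -> bool, normally tcp_connects;
    it is a parameter so the logic can be exercised without a network.
    """
    suspect_open = probe(host, suspect)
    control_open = probe(host, control)
    if suspect_open and not control_open:
        # Only the interesting port answers on a dead address: a port-specific
        # transparent proxy (iptables REDIRECT, WCCP) is completing the handshake.
        return "intercepted"
    if suspect_open and control_open:
        # Every port answers: a catch-all redirect or captive portal, or the
        # control address is not actually dead on this network.
        return "everything-open"
    return "direct"


if __name__ == "__main__":
    # Run from the host you are testing from; "direct" is the expected answer
    # on a network with no interception in the path.
    print(interception_verdict(tcp_connects))
```

Run it from the machine whose view of the network you are about to trust; the same idea applies to port 21 behind an FTP proxy by changing SUSPECT_PORT.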
