Re: Nmap shows port 21 is open with no ftp daemon installed.
John Hasler wrote:
Does nmap claim there is actually something listening on port 21 or is it
that the port is simply not "stealthed"? Post the actual nmap output.
Some security sites (such as www.grc.com) make the (IMHO bogus) claim that
not having all ports "stealthed" is a security risk. Your friend may have
seen this and misunderstood.
This is his nmap output. Hope it helps. This is all I got.
PORT STATE SERVICE
21/tcp open ftp
22/tcp filtered ssh
80/tcp filtered http
389/tcp filtered ldap
443/tcp filtered https
993/tcp filtered imaps
8080/tcp filtered http-proxy
So he asked other people and they told him that his machine was
hacked. The lsof and netstat was modified. The port 21 was a backdoor
placed by the hacker.
That's the thing that bothers me those people that suggested him this
jumped into the conclusion with asking or doing any verification or
maybe a previous experience from others. They just plainly told him that
he was "hacked" and any binary(netstat, lsof, etc) that may help him had
It does not seem plausible that a cracker would install a rootkit that
would listen on the standard port. Do you have any reason to believe that
these other people know what they are talking about?
Anyway I just got another lead on his situation. I learned from my
seniors from there past experience this may had been a bug in the Cisco
IOS version that was between the user and the server. Anyway thanks for
the info and I appreciate everyone's help.