Re: Nmap shows port 21 is open with no ftp daemon installed.

John Hasler wrote:
Does nmap claim there is actually something listening on port 21 or is it
that the port is simply not "stealthed"?  Post the actual nmap output.
Some security sites (such as www.grc.com) make the (IMHO bogus) claim that
not having all ports "stealthed" is a security risk.  Your friend may have
seen this and misunderstood.
This is his nmap output. Hope it helps. This is all I got.
#nmap myserver

PORT      STATE    SERVICE
21/tcp    open     ftp
22/tcp    filtered ssh
80/tcp    filtered http
389/tcp   filtered ldap
443/tcp   filtered https
993/tcp   filtered imaps
8080/tcp  filtered http-proxy

Rod writes:
So he asked other people and they told him that his machine was
hacked. The lsof and netstat were modified. The port 21 was a backdoor
placed by the hacker.

It does not seem plausible that a cracker would install a rootkit that
would listen on the standard port.  Do you have any reason to believe that
these other people know what they are talking about?

That's the thing that bothers me: the people who suggested this to him jumped to the conclusion without asking or doing any verification, or maybe a previous experience from others. They just plainly told him that he was "hacked" and that any binary (netstat, lsof, etc.) that might help him had been replaced.

Anyway, I just got another lead on his situation. I learned from my seniors, from their past experience, that this may have been a bug in the Cisco IOS version that was between the user and the server. Anyway, thanks for the info, and I appreciate everyone's help.
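
Added example (not part of the original message): one way to check whether anything on the server is actually listening on port 21, without relying on netstat or lsof, is to read the kernel's socket table in /proc/net/tcp directly and compare it with what the scan reported. The function names and the sample table are constructed for illustration; this only sidesteps replaced userland binaries, not a kernel-level rootkit.

```python
import os

TCP_LISTEN = "0A"  # state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp format (not data from the thread):
# one listener on 0.0.0.0:22 and one established connection on port 22.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0A00000A:0016 0B00000A:C350 01 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 20 4 30 10 -1
"""

def listening_ports(table_text):
    """Return the sorted local ports that are in LISTEN state."""
    ports = set()
    for line in table_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        local, state = fields[1], fields[3]
        if state == TCP_LISTEN:
            # local is HEXADDR:HEXPORT; works for tcp and tcp6 rows
            ports.add(int(local.rsplit(":", 1)[1], 16))
    return sorted(ports)

def host_listening_ports(paths=("/proc/net/tcp", "/proc/net/tcp6")):
    """Read the kernel tables directly (Linux only)."""
    ports = set()
    for path in paths:
        if os.path.exists(path):
            with open(path) as fh:
                ports.update(listening_ports(fh.read()))
    return sorted(ports)

def unexplained_open(scan_open, local_listen):
    """Ports a remote scan calls open that the host is not listening on."""
    return sorted(set(scan_open) - set(local_listen))

if __name__ == "__main__":
    if os.path.exists("/proc/net/tcp"):
        local = host_listening_ports()
    else:
        local = listening_ports(SAMPLE)  # fall back to the constructed table
    print("listening locally:", local)
    # 21 is the port the scan in this thread reported as open
    print("open in scan, not listening locally:", unexplained_open([21], local))
```

A port that the scan reports as open but that does not appear in the local table is worth checking from a second vantage point, since the reply may not be coming from the server itself.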


