Can someone help me analyze this nmap output? [SOLVED]

1. Can someone help me analyze this nmap output? [SOLVED]

marcio hideo
hideoux

(uses OpenSuSE)

Posted on 17/03/2010 - 09:31

Hello,

I know practically nothing about security...
When I run the command

# nmap localhost -sV

the result was:

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Starting Nmap 4.62 ( http://nmap.org ) at 2010-03-17 09:10 BRT
Interesting ports on localhost (127.0.0.1):
Not shown: 1705 closed ports
PORT STATE SERVICE VERSION
25/tcp open smtp Exim smtpd 4.69
53/tcp open domain
80/tcp open http Apache httpd
111/tcp open rpcbind
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: GUARDA)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: GUARDA)
631/tcp open ipp CUPS 1.3
696/tcp open unknown
953/tcp open rndc?
3128/tcp open http-proxy Squid webproxy 2.7.STABLE3
Service Info: Host: maquina.dom

Host script results:
|_ Discover OS Version over NetBIOS and SMB: Unix

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.430 seconds

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

This machine is a router, with bind9, squid, sarg, samba and cups.

What caught my attention was:

696/tcp open unknown

and

953/tcp open rndc?

Thanks in advance,
Hideo



  


2. Re: Can someone help me analyze this nmap output? [SOLVED]

Renato Carneiro Pacheco
renato_pacheco

(uses Debian)

Posted on 17/03/2010 - 09:41

It's easier to just type this command, since you're on the box locally:

# fuser -v 696/tcp
# fuser -v 953/tcp

to find out who is opening those ports.


3. Re: Can someone help me analyze this nmap output? [SOLVED]

marcio hideo
hideoux

(uses OpenSuSE)

Posted on 17/03/2010 - 10:23

Thank you very much for the help,
but I still need some assistance...

The output of the command was:

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
fuser -v 696/tcp
USER PID ACCESS COMMAND
696/tcp: alunos 2640 F.... famd

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

fuser -v 953/tcp
USER PID ACCESS COMMAND
953/tcp: bind 2180 F.... named

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Note: alunos is the user I'm logged in as...
Note 2: since the ports are related to services in use, there's no problem, right?

Cheers,
Hideo


4. Re: Can someone help me analyze this nmap output? [SOLVED]

Renato Carneiro Pacheco
renato_pacheco

(uses Debian)

Posted on 17/03/2010 - 10:35

Right. In this case, alunos is the user who ran that application. named is your DNS (loaded by the bind user), but as for famd, searching on Google I found this link http://linuxmanpages.com/man8/famd.8.php and it says famd is a File Alteration Monitor, i.e. it's someone testing that tool there. Read more at the link, since it gives more details.
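
What `fuser -v 696/tcp` does under the hood, as an added example (not code from the thread): read the socket's inode and owning uid from /proc/net/tcp, then find the process holding that inode among /proc/<pid>/fd. The embedded /proc/net/tcp sample is constructed to mirror the thread's ports (696, 953, 53 and an established connection on 3128); its uids, inodes and 192.168.1.x addresses are made up. The pair that matters for the question asked in this thread is user and command: a port owned by a desktop user's process (alunos / famd) is a different thing from one owned by a system daemon (bind / named).

```python
#!/usr/bin/env python3
"""Which process owns a listening TCP port? (what `fuser -v 696/tcp` does)

Added example for this thread, not the poster's code. Reads /proc/net/tcp for
the socket's inode and owning uid, then scans /proc/<pid>/fd/* for the
symlink "socket:[<inode>]" to find the PID. Run it as root: otherwise you can
only read the fd tables of your own processes.
"""
import os
import pwd
import socket
import struct
from typing import Dict, List, Optional, Tuple

TCP_LISTEN = "0A"  # value of the 'st' column for LISTEN in /proc/net/tcp

# Constructed sample of /proc/net/tcp mirroring the thread's ports: 696 (famd,
# a desktop user), 953 (rndc, the bind user), 53, and an established squid
# connection on 3128. uids, inodes and the 192.168.1.x addresses are made up.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:02B8 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 24011 1 0000000000000000 100 0 0 10 0
   1: 0100007F:03B9 00000000:0000 0A 00000000:00000000 00:00000000 00000000   104        0 19852 1 0000000000000000 100 0 0 10 0
   2: 00000000:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000   104        0 19850 1 0000000000000000 100 0 0 10 0
   3: 0201A8C0:0C38 6501A8C0:B4A2 01 00000000:00000000 00:00000000 00000000    13        0 31077 1 0000000000000000 20 4 30 10 -1
"""


def decode_addr(hexaddr: str) -> Tuple[str, int]:
    """'0100007F:02B8' -> ('127.0.0.1', 696); the kernel prints IPv4 little-endian."""
    ip_hex, port_hex = hexaddr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> List[Dict]:
    """One dict per socket line of /proc/net/tcp (IPv4 only; tcp6 has longer addresses)."""
    rows = []
    for line in text.splitlines()[1:]:  # line 0 is the column header
        f = line.split()
        if len(f) < 10:
            continue
        ip, port = decode_addr(f[1])
        rows.append({"ip": ip, "port": port, "state": f[3],
                     "uid": int(f[7]), "inode": int(f[9])})
    return rows


def listeners_on(text: str, port: int) -> List[Dict]:
    """Sockets in LISTEN state bound to `port`, whatever the local address."""
    return [r for r in parse_proc_net_tcp(text)
            if r["state"] == TCP_LISTEN and r["port"] == port]


def pid_for_inode(inode: int, proc: str = "/proc") -> Optional[int]:
    """Walk /proc/<pid>/fd looking for the fd that is this socket inode."""
    target = f"socket:[{inode}]"
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # not our process (need root), or it just exited
            continue
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    return int(entry)
            except OSError:
                continue
    return None


def user_for_uid(uid: int) -> str:
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def who_owns_port(port: int, proc: str = "/proc") -> List[Dict]:
    """fuser-style answer for a port on the running system: user, pid, command."""
    with open(os.path.join(proc, "net", "tcp")) as fh:
        text = fh.read()
    hits = []
    for r in listeners_on(text, port):
        pid = pid_for_inode(r["inode"], proc)
        comm = "?"
        if pid is not None:
            try:
                with open(os.path.join(proc, str(pid), "comm")) as fh:
                    comm = fh.read().strip()
            except OSError:
                pass
        hits.append({"port": port, "bound_to": r["ip"], "user": user_for_uid(r["uid"]),
                     "pid": pid, "command": comm})
    return hits


if __name__ == "__main__":
    import sys
    for arg in sys.argv[1:] or ["696", "953"]:
        port = int(arg)
        print(port, who_owns_port(port) or "nothing listening on this port")
```

If a port shows a LISTEN entry but `pid_for_inode` returns None, you are either not root or the socket belongs to a process in another namespace (a container), which is exactly the kind of "open but unowned" port worth chasing. Listeners bound only on IPv6 live in /proc/net/tcp6 and are not parsed here.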


5. Re: Can someone help me analyze this nmap output? [SOLVED]

marcio hideo
hideoux

(uses OpenSuSE)

Posted on 17/03/2010 - 10:59

Thank you so much for the help.

Just to confirm, then...
apparently the machine's ports are safe...

Cheers,
Hideo


6. Re: Can someone help me analyze this nmap output? [SOLVED]

Luan Kleber
luanyata

(uses Ubuntu)

Posted on 17/03/2010 - 11:08

Taking advantage of the question, I ran nmap on my machine here and it returned the following:

Starting Nmap 4.62 ( http://nmap.org ) at 2010-03-17 11:08 BRT
Interesting ports on hit-nxdomain.opendns.com (208.69.32.132):
Not shown: 1704 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain?
80/tcp open http?
443/tcp open ssl/unknown
8000/tcp open http-alt?
8076/tcp open slnp?
8080/tcp open http-proxy?
8082/tcp open blackice-alerts?
8118/tcp open privoxy?
8123/tcp open polipo?
8443/tcp open https-alt?
8892/tcp open seosload?
6 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port53-TCP:V=4.62%I=7%D=3/17%Time=4BA0E2FF%P=i686-pc-linux-gnu%r(DNSVer
SF:sionBindReq,E,"{TTEXTO}\x0c{TTEXTO}\x06\x81\x84{TTEXTO}{TTEXTO}{TTEXTO}{TTEXTO}{TTEXTO}{TTEXTO}{TTEXTO}{TTEXTO}")%r(DNSStatusReques
SF:t,E,"{TTEXTO}\x0c{TTEXTO}{TTEXTO}\x90\x84{TTEXTO}{TTEXTO}{TTEXTO}{TTEXTO}{TTEXTO}{TTEXTO}{TTEXTO}{TTEXTO}");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port80-TCP:V=4.62%I=7%D=3/17%Time=4BA0E2FB%P=i686-pc-linux-gnu%r(GetReq
SF:uest,1E3,"HTTP/1\.0\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/h
SF:tml\r\nContent-Length:\x20349\r\nDate:\x20Wed,\x2017\x20Mar\x202010\x20
SF:14:12:24\x20GMT\r\nServer:\x20OpenDNS\x20Guide\r\n\r\n<\?xml\x20version
SF:=\"1\.0\"\x20encoding=\"iso-8859-1\"\?>\n<!DOCTYPE\x20html\x20PUBLIC\x2
SF:0\"-//W3C//DTD\x20XHTML\x201\.0\x20Transitional//EN\"\n\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\"http://www\.w3\.org/TR/xhtml1/DTD/xhtml1-transiti
SF:onal\.dtd\">\n<html\x20xmlns=\"http://www\.w3\.org/1999/xhtml\"\x20xml:
SF:lang=\"en\"\x20lang=\"en\">\n\x20<head>\n\x20\x20<title>400\x20-\x20Bad
SF:\x20Request</title>\n\x20</head>\n\x20<body>\n\x20\x20<h1>400\x20-\x20B
SF:ad\x20Request</h1>\n\x20</body>\n</html>\n")%r(HTTPOptions,1E3,"HTTP/1\
SF:.0\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/html\r\nContent-Le
SF:ngth:\x20349\r\nDate:\x20Wed,\x2017\x20Mar\x202010\x2014:12:25\x20GMT\r
SF:\nServer:\x20OpenDNS\x20Guide\r\n\r\n<\?xml\x20version=\"1\.0\"\x20enco
SF:ding=\"iso-8859-1\"\?>\n<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x2
SF:0XHTML\x201\.0\x20Transitional//EN\"\n\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\"http://www\.w3\.org/TR/xhtml1/DTD/xhtml1-transitional\.dtd\">\n<ht
SF:ml\x20xmlns=\"http://www\.w3\.org/1999/xhtml\"\x20xml:lang=\"en\"\x20la
SF:ng=\"en\">\n\x20<head>\n\x20\x20<title>400\x20-\x20Bad\x20Request</titl
SF:e>\n\x20</head>\n\x20<body>\n\x20\x20<h1>400\x20-\x20Bad\x20Request</h1
SF:>\n\x20</body>\n</html>\n")%r(RTSPRequest,1E3,"HTTP/1\.0\x20400\x20Bad\
SF:x20Request\r\nContent-Type:\x20text/html\r\nContent-Length:\x20349\r\nD
SF:ate:\x20Wed,\x2017\x20Mar\x202010\x2014:12:26\x20GMT\r\nServer:\x20Open
SF:DNS\x20Guide\r\n\r\n<\?xml\x20version=\"1\.0\"\x20encoding=\"iso-8859-1
SF:\"\?>\n<!DOCTYPE\x20html\x20PUBLIC\x20\"-//W3C//DTD\x20XHTML\x201\.0\x2
SF:0Transitional//EN\"\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\"http://www\.
SF:w3\.org/TR/xhtml1/DTD/xhtml1-transitional\.dtd\">\n<html\x20xmlns=\"htt
SF:p://www\.w3\.org/1999/xhtml\"\x20xml:lang=\"en\"\x20lang=\"en\">\n\x20<
SF:head>\n\x20\x20<title>400\x20-\x20Bad\x20Request</title>\n\x20</head>\n
SF:\x20<body>\n\x20\x20<h1>400\x20-\x20Bad\x20Request</h1>\n\x20</body>\n<
SF:/html>\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port443-TCP:V=4.62%T=SSL%I=7%D=3/17%Time=4BA0E307%P=i686-pc-linux-gnu%r
SF:(GetRequest,86,"HTTP/1\.0\x20503\x20Service\x20Unavailable\r\nContent-T
SF:ype:\x20text/html\r\nContent-Length:\x2053\r\n\r\nThe\x20service\x20is\
SF:x20not\x20available\.\x20Please\x20try\x20again\x20later\.")%r(HTTPOpti
SF:ons,69,"HTTP/1\.0\x20501\x20Not\x20Implemented\r\nContent-Type:\x20text
SF:/html\r\nContent-Length:\x2028\r\n\r\nThis\x20method\x20may\x20not\x20b
SF:e\x20used\.")%r(RTSPRequest,69,"HTTP/1\.0\x20501\x20Not\x20Implemented\
SF:r\nContent-Type:\x20text/html\r\nContent-Length:\x2028\r\n\r\nThis\x20m
SF:ethod\x20may\x20not\x20be\x20used\.")%r(SSLSessionReq,69,"HTTP/1\.0\x20
SF:414\x20Request\x20URI\x20too\x20long\r\nContent-Type:\x20text/html\r\nC
SF:ontent-Length:\x2023\r\n\r\nRequest\x20URI\x20is\x20too\x20long")%r(Fou
SF:rOhFourRequest,86,"HTTP/1\.0\x20503\x20Service\x20Unavailable\r\nConten
SF:t-Type:\x20text/html\r\nContent-Length:\x2053\r\n\r\nThe\x20service\x20
SF:is\x20not\x20available\.\x20Please\x20try\x20again\x20later\.")%r(SIPOp
SF:tions,69,"HTTP/1\.0\x20501\x20Not\x20Implemented\r\nContent-Type:\x20te
SF:xt/html\r\nContent-Length:\x2028\r\n\r\nThis\x20method\x20may\x20not\x2
SF:0be\x20used\.");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port8080-TCP:V=4.62%I=7%D=3/17%Time=4BA0E2FB%P=i686-pc-linux-gnu%r(GetR
SF:equest,BB,"HTTP/1\.0\x20302\x20Found\r\nLocation:\x20http://guide\.open
SF:dns\.com/\?url=\r\nContent-type:\x20text/html\r\nContent-Length:\x200\r
SF:\nConnection:\x20close\r\nDate:\x20Wed,\x2017\x20Mar\x202010\x2014:12:2
SF:4\x20GMT\r\nServer:\x20OpenDNS\x20Guide\r\n\r\n")%r(RTSPRequest,BB,"HTT
SF:P/1\.0\x20400\x20Bad\x20request\r\nCache-Control:\x20no-cache\r\nConnec
SF:tion:\x20close\r\nContent-Type:\x20text/html\r\n\r\n<html><body><h1>400
SF:\x20Bad\x20request</h1>\nYour\x20browser\x20sent\x20an\x20invalid\x20re
SF:quest\.\n</body></html>\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port8118-TCP:V=4.62%I=7%D=3/17%Time=4BA0E2FB%P=i686-pc-linux-gnu%r(GetR
SF:equest,BB,"HTTP/1\.0\x20302\x20Found\r\nLocation:\x20http://guide\.open
SF:dns\.com/\?url=\r\nContent-type:\x20text/html\r\nContent-Length:\x200\r
SF:\nConnection:\x20close\r\nDate:\x20Wed,\x2017\x20Mar\x202010\x2014:12:2
SF:4\x20GMT\r\nServer:\x20OpenDNS\x20Guide\r\n\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port8123-TCP:V=4.62%I=7%D=3/17%Time=4BA0E301%P=i686-pc-linux-gnu%r(GetR
SF:equest,BB,"HTTP/1\.0\x20302\x20Found\r\nLocation:\x20http://guide\.open
SF:dns\.com/\?url=\r\nContent-type:\x20text/html\r\nContent-Length:\x200\r
SF:\nConnection:\x20close\r\nDate:\x20Wed,\x2017\x20Mar\x202010\x2014:12:3
SF:0\x20GMT\r\nServer:\x20OpenDNS\x20Guide\r\n\r\n");

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 318.538 seconds


It's the first time it has returned this??? What is it???

Thanks in advance!!!

Cheers...


7. Re: Can someone help me analyze this nmap output? [SOLVED]

Renato Carneiro Pacheco
renato_pacheco

(uses Debian)

Posted on 17/03/2010 - 11:22

Look, Nmap isn't always right. So much so that your version is old (4.62); it's already at 5.x. You should trust what this command below gives you:

# netstat -antp

That one you can trust. Then compare it with what nmap gave you, ok?
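
The cross-check recommended in post 7, as an added example (not code from the thread): parse nmap's port table and `netstat -antp` and list the ports that appear in only one of them. One caveat that the output in post 6 illustrates: that scan's target line reads hit-nxdomain.opendns.com (208.69.32.132) and every banner says "Server: OpenDNS Guide". hit-nxdomain.opendns.com is the OpenDNS host that non-resolving names get redirected to, so that scan hit an OpenDNS server, not the poster's own machine, and none of those ports would match anything in a local netstat. The nmap sample below is the port table from post 1; the netstat sample is constructed (the PIDs for famd and named follow post 3, every other PID/program, the 192.168.1.x addresses and the perl listener on port 10000 are made up).

```python
#!/usr/bin/env python3
"""Cross-check nmap -sV output against the kernel's own socket table.

Added example for this thread, not the poster's code. nmap reports what
answered on the wire from whatever host it was pointed at; `netstat -antp`
(or `ss -ltnp`) reports what is bound on the host you run it on. Ports that
show up in only one of the two lists are the ones worth a second look.
Usage: python3 crosscheck.py nmap.txt netstat.txt   (no args: the samples below)
"""
import re
import sys
from typing import Dict, List, NamedTuple, Set

NMAP_PORT_RE = re.compile(r"^(\d+)/tcp\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# The port table from the first post's scan (page data).
NMAP_SAMPLE = """\
25/tcp open smtp Exim smtpd 4.69
53/tcp open domain
80/tcp open http Apache httpd
111/tcp open rpcbind
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: GUARDA)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: GUARDA)
631/tcp open ipp CUPS 1.3
696/tcp open unknown
953/tcp open rndc?
3128/tcp open http-proxy Squid webproxy 2.7.STABLE3
"""

# Constructed `netstat -antp` output for such a router. PIDs for famd (2640)
# and named (2180) follow the thread; every other PID/program, the 192.168.1.x
# addresses and the perl listener on 10000 are made up for the example.
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1810/exim4
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      2180/named
tcp        0      0 192.168.1.2:53          0.0.0.0:*               LISTEN      2180/named
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1602/rpcbind
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      2355/smbd
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      2355/smbd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      2098/cupsd
tcp        0      0 127.0.0.1:696           0.0.0.0:*               LISTEN      2640/famd
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      2180/named
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN      2301/squid
tcp        0      0 192.168.1.2:10000       0.0.0.0:*               LISTEN      2710/perl
tcp        0      0 192.168.1.2:3128        192.168.1.101:46242     ESTABLISHED 2301/squid
tcp6       0      0 :::80                   :::*                    LISTEN      2402/apache2
"""


class NmapPort(NamedTuple):
    state: str
    service: str
    version: str


def parse_nmap(text: str) -> Dict[int, NmapPort]:
    """Ports from nmap's normal output, e.g. '25/tcp open smtp Exim smtpd 4.69'."""
    ports: Dict[int, NmapPort] = {}
    for line in text.splitlines():
        m = NMAP_PORT_RE.match(line.strip())
        if m:
            ports[int(m.group(1))] = NmapPort(m.group(2), m.group(3), (m.group(4) or "").strip())
    return ports


def parse_netstat(text: str) -> Dict[int, Set[str]]:
    """LISTEN sockets from `netstat -antp`: port -> {'addr pid/program', ...}."""
    listeners: Dict[int, Set[str]] = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp") or f[5] != "LISTEN":
            continue
        addr, port = f[3].rsplit(":", 1)    # rsplit so ':::80' (tcp6) also works
        prog = f[6] if len(f) > 6 else "-"  # netstat prints '-' when not run as root
        listeners.setdefault(int(port), set()).add(f"{addr} {prog}")
    return listeners


def compare(nmap_text: str, netstat_text: str) -> Dict[str, object]:
    scanned = {p for p, v in parse_nmap(nmap_text).items() if v.state == "open"}
    bound = parse_netstat(netstat_text)
    bound_ports = set(bound)
    return {
        # answered the scan and the kernel agrees something is bound there
        "confirmed": {p: sorted(bound[p]) for p in sorted(scanned & bound_ports)},
        # answered the scan but nothing is bound: wrong host scanned, or something hiding from netstat
        "nmap_only": sorted(scanned - bound_ports),
        # bound but absent from the scan: another interface, or outside nmap's default port list
        "netstat_only": {p: sorted(bound[p]) for p in sorted(bound_ports - scanned)},
    }


def main(argv: List[str]) -> None:
    if len(argv) == 3:
        with open(argv[1]) as a, open(argv[2]) as b:
            nmap_text, netstat_text = a.read(), b.read()
    else:
        nmap_text, netstat_text = NMAP_SAMPLE, NETSTAT_SAMPLE
    for key, value in compare(nmap_text, netstat_text).items():
        print(f"{key}: {value}")


if __name__ == "__main__":
    main(sys.argv)
```

With the samples above, every port nmap saw on localhost is confirmed by a bound socket, and the only difference is the listener on 192.168.1.2:10000, which a `nmap localhost` scan cannot see because it is not bound on 127.0.0.1. A non-empty "nmap_only" list is the alarming direction: something answered on a port the kernel claims nothing is bound to, or, as in post 6, the scan was pointed at a different host than the one netstat was run on.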





