From: Conor McGrath (conormc uchicago.edu)
Date: Wed Feb 13 2002 - 17:10:56 CST

Quarantine once said:
> Hi all. WinMap is reporting 161/udp open on several of my Win2K servers.
> The problem is that SNMP isn't installed on these machines, and I don't know
> of anything else that would be accepting traffic on that port. Here's the
> result of a netstat -a -n -p udp on one of the machines:
>
> Active Connections
>
> Proto Local Address
> UDP 0.0.0.0:135
> UDP 0.0.0.0:445
> UDP 0.0.0.0:1034
> UDP 0.0.0.0:1251
> UDP 0.0.0.0:1434
> UDP 0.0.0.0:2344
> UDP 0.0.0.0:3456
> UDP 0.0.0.0:6050
> UDP xxx.xxx.xxx.xxx:137
> UDP xxx.xxx.xxx.xxx:138
> UDP xxx.xxx.xxx.xxx:500
> UDP xxx.xxx.xxx.xxx:41524
>
> I've confirmed that on a machine with the SNMP service installed and
> started, the same netstat command shows UDP 0.0.0.0:161. Can anybody
> explain this to me?

From the nmap man page:

    UDP scans: This method is used to determine which UDP
    (User Datagram Protocol, RFC 768) ports are open on a
    host. The technique is to send 0 byte udp packets to
    each port on the target machine. If we receive an ICMP
    port unreachable message, then the port is closed.
    Otherwise we assume it is open.

Therefore, if your hosts are not allowing ICMP in and/or out, you will
get a false positive. Try scanning the machine(s) for all UDP ports
( -p1- is the argument for that on the Unix nmap) and I'll bet you
get a report showing them all open.

-Conor
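
Added example, not part of the original post: a way to check a UDP scan report against the host's own netstat output and to spot the "everything open" pattern the reply predicts when ICMP port unreachable is filtered. The function names, the 0.9 threshold and the sample data (including the 192.0.2.10 address) are assumptions constructed for illustration.

```python
import re

# Constructed sample in the `netstat -a -n -p udp` layout quoted above;
# the address is a documentation-range placeholder.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address
  UDP    0.0.0.0:135
  UDP    0.0.0.0:445
  UDP    0.0.0.0:1434
  UDP    192.0.2.10:137
  UDP    192.0.2.10:138
  UDP    192.0.2.10:500
"""

def bound_udp_ports(netstat_text):
    """Return the UDP ports that have a socket bound on the host."""
    ports = set()
    for line in netstat_text.splitlines():
        m = re.match(r"\s*UDP\s+\S+:(\d+)\b", line)
        if m:
            ports.add(int(m.group(1)))
    return ports

def reconcile(scan_open, scanned, netstat_text, flood_ratio=0.9):
    """Check a UDP scan report against the host's own socket table.

    scan_open: ports the scanner called open (no ICMP port unreachable seen)
    scanned:   every port that was probed
    flood_ratio is an assumed threshold, not an nmap setting.
    """
    scan_open, scanned = set(scan_open), set(scanned)
    bound = bound_udp_ports(netstat_text)
    # A host that returns ICMP port unreachable shows most ports closed, so
    # a report with nearly every port open means those replies never arrived.
    ratio = len(scan_open) / len(scanned) if scanned else 0.0
    return {
        "confirmed": sorted(scan_open & bound),    # listener exists
        "unconfirmed": sorted(scan_open - bound),  # silence, but no listener
        "icmp_suppressed": ratio >= flood_ratio,
    }

if __name__ == "__main__":
    probed = range(1, 1025)
    print(reconcile(probed, probed, NETSTAT_SAMPLE))      # every port "open"
    print(reconcile({135, 161, 445}, probed, NETSTAT_SAMPLE))
```

Ports listed under "unconfirmed" are the ones to re-test from a network position where ICMP is not filtered before treating them as real listeners.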