If I scan my server with nmap, it shows that port 21 is open. But when I log in to this server and run netstat, I see nothing.
$ nmap -sT server
Starting Nmap 4.76 ( http://nmap.org ) at 2009-06-24 11:54 MSD
Interesting ports on server (x.x.x.x):
Not shown: 994 filtered ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
...
Nmap done: 1 IP address (1 host up) scanned in 7.97 seconds
$ netstat --listen --tcp --numeric
How can it be? Can it be a security issue?
UPD: tcpdump output while connecting with nmap
13:13:02.982805 IP 10.19.10.2.51983 > server.ftp: S 767068541:767068541(0) win 5840
13:13:04.096705 IP 10.19.10.2.52000 > server.ftp: S 792080356:792080356(0) win 5840
13:13:04.131169 IP server.ftp > 10.19.10.2.52000: S 3312178661:3312178661(0) ack 792080357 win 32768
13:13:04.131346 IP 10.19.10.2.52000 > server.ftp: . ack 1 win 46
13:13:04.131737 IP 10.19.10.2.52000 > server.ftp: R 1:1(0) ack 1 win 46
Are you on the same segment as the server in question? Portscanning via routers can give bogus results.
As previously mentioned, I'm posting here to reiterate: this is common if you're nmap'ing from behind a NAT'd router. Are you running Nmap from behind your home ADSL or cable modem? I see this all the time with my Apple TimeCapsule. It can give you a shock the first time you see it :)
Andrew
From tcpdump, it clearly shows that someone is responding to your requests.
Can you try:
Plus, try nc -l tcp 21 to see if you can listen on port 21. If you can't and nothing is showing up in netstat, you might be compromised. Try rootcheck to see if it finds something (since chkrootkit didn't find any: http://www.ossec.net/rootcheck ).
Look at this answer:
Turning off FTP
Odd one, try running tcpdump while connecting to it with nmap, that should show whether the traffic is actually getting to the machine.
Maybe there is some kind of NAT on this machine or any other router on the way? Check output of iptables-save (if it's Linux)
Is your DNS working? Try nmapping by IP instead of name.
Your server is probably infected with a rootkit.
It could be a security issue. If your server has been rootkitted then the kernel will report what the kernel is told to report by the rootkit and would therefore show a discrepancy with the external scan.
It may be interesting to see if you can actually ftp to the server. You may want to use telnet or netcat and RFC 959 to see if you get any low-level responses that could clue you in to where and what is responding on that port.
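The bind test suggested above (`nc -l` on port 21) can be combined with the kernel's own socket table instead of the netstat binary. This is an added example, not code from any poster in the thread; it assumes Linux, and the function names and sample table are constructed for illustration.

```python
import errno
import glob
import socket

# Constructed sample in /proc/net/tcp format: one listener on 22, one established session.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1
   1: 0100007F:0016 0100007F:CB0F 01 00000000:00000000 02:000A0000 00000000     0        0 22222 1
"""

def listening_ports(table_text):
    """Return the TCP ports in LISTEN state (st == 0A) from a /proc/net/tcp[6] table."""
    ports = set()
    for line in table_text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) >= 4 and fields[3] == "0A":
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))  # HEXADDR:HEXPORT
    return ports

def bind_probe(port, addr="0.0.0.0"):
    """Try to bind the port ourselves and report 'free', 'in_use' or 'denied'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((addr, port))   # no SO_REUSEADDR, so an existing listener makes this fail
        return "free"
    except OSError as e:
        if e.errno == errno.EADDRINUSE:
            return "in_use"
        if e.errno in (errno.EACCES, errno.EPERM):
            return "denied"    # ports below 1024 need root
        raise
    finally:
        s.close()

def assess(port, listed, probe):
    """Combine what the kernel lists with what the bind attempt observed."""
    if port in listed:
        return "listed: a local listener exists, recheck the netstat invocation"
    if probe == "in_use":
        return "suspicious: port is held but no listener is reported"
    if probe == "free":
        return "not local: nothing holds the port, check NAT and devices on the path"
    return "inconclusive: rerun as root"

if __name__ == "__main__":
    listed = set()
    for path in glob.glob("/proc/net/tcp*"):   # tcp and tcp6; a v6 wildcard listener blocks v4 binds
        with open(path) as f:
            listed |= listening_ports(f.read())
    print(21, assess(21, listed, bind_probe(21)))
```

A kernel-level rootkit can filter `/proc/net/tcp` as well as netstat, which is why the bind attempt is the deciding observation and the table is only the comparison point.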