Several ports listed as opened with nmap, but only few ports listening in the server.
I tried to scan ports with nmap to one of my servers in the same LAN and I got many ports opened:
Host is up (0.058s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
110/tcp open pop3
143/tcp open imap
993/tcp open imaps
995/tcp open pop3s
3306/tcp open mysql
So, I logged into the server to see what services are listening and there are only few of them:
netstat -plnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 1205/mysqld
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 32225/sshd
tcp6 0 0 :::22 :::* LISTEN 32225/sshd
tcp6 0 0 :::4118 :::* LISTEN 1264/ds_agent
Why then, those ports are listed in the nmap and how I can close them?
Add the --reason option to your Nmap scan to see information about each port. This may help reveal when responses are coming from a different source than the target. For instance, if you see
22/tcp open ssh syn-ack ttl 60
but
110/tcp open pop3 syn-ack ttl 63
then based on the ttl difference, the responses were likely coming from different targets. You say you are on a LAN, so this is less likely.
It's also possible that the ports were open when you scanned, but the process that was listening was turned off by the time you logged in to check. Can you confirm the same ports are still open? Can you check logs for a mail server service starting and stopping?
One more possibility would be a rootkit. This is malware that carefully hides its behavior from on-host diagnostic tools like netstat. This possibility is unlikely based on the ports you listed, which are consistent with a mail server instead. Malware would be unlikely to listen on so many commonly-used ports, but it is worth mentioning as a general case.
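The comparison described in the answer above, as an added example that is not part of the original post: it groups the ports from an nmap --reason scan by reply TTL and lists the ports that the scan reports open but netstat -plnt does not show listening. The TTL values in the sample scan are constructed (the question did not include them), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in `nmap --reason` format: ports from the question,
# TTL values invented for illustration (the 60/63 split mirrors the answer).
NMAP_REASON = """\
22/tcp   open  ssh    syn-ack ttl 60
80/tcp   open  http   syn-ack ttl 63
110/tcp  open  pop3   syn-ack ttl 63
143/tcp  open  imap   syn-ack ttl 63
993/tcp  open  imaps  syn-ack ttl 63
995/tcp  open  pop3s  syn-ack ttl 63
3306/tcp open  mysql  syn-ack ttl 60
"""
# `netstat -plnt` socket lines as posted in the question.
NETSTAT = """\
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 1205/mysqld
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 32225/sshd
tcp6 0 0 :::22 :::* LISTEN 32225/sshd
tcp6 0 0 :::4118 :::* LISTEN 1264/ds_agent
"""
# port, then optional "<reason> ttl <n>" (absent when --reason was not used)
PORT_RE = re.compile(
    r"^(\d+)/tcp[ \t]+open[ \t]+\S+(?:[ \t]+\S+[ \t]+ttl[ \t]+(\d+))?", re.M)

def scanned_ports(nmap_text):
    """Map each open TCP port to the TTL of its reply (None if not shown)."""
    return {int(p): int(t) if t else None for p, t in PORT_RE.findall(nmap_text)}

def listening_ports(netstat_text):
    """TCP ports in LISTEN state, read from the Local Address column."""
    ports = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("tcp") and f[5] == "LISTEN":
            ports.add(int(f[3].rsplit(":", 1)[1]))
    return ports

def compare(nmap_text, netstat_text):
    """Return (ports grouped by reply TTL, ports open in scan but not listening)."""
    scanned, local = scanned_ports(nmap_text), listening_ports(netstat_text)
    by_ttl = defaultdict(list)
    for port, ttl in sorted(scanned.items()):
        by_ttl[ttl].append(port)
    return dict(by_ttl), sorted(set(scanned) - local)

if __name__ == "__main__":
    print(compare(NMAP_REASON, NETSTAT))
```

With this sample, the ports missing from netstat all share a TTL that differs from the one seen on the confirmed listeners (22 and 3306), which is the pattern the answer describes for replies coming from a different device.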