堆栈内存溢出
  简体   繁体   English

列出的几个端口是使用nmap打开的,但是只有几个端口在服务器中监听。

[英]Several ports listed as opened with nmap, but only few ports listening in the server.

 原文  2017-03-05 05:06:56       security/ tcp/ ports/ nmap

问题描述

I tried to scan ports with nmap to one of my servers in the same LAN and I got many ports opened: 我尝试使用nmap扫描端口到同一局域网中的一台服务器,但打开了许多端口: 

Host is up (0.058s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
110/tcp open pop3
143/tcp open imap
993/tcp open imaps
995/tcp open pop3s
3306/tcp open mysql

so, I logged into the server to see what services are listening and there are only few of them: 因此,我登录到服务器以查看正在侦听的服务,并且其中只有少数几个: 

netstat -plnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      1205/mysqld
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      32225/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      32225/sshd
tcp6       0      0 :::4118                 :::*                    LISTEN      1264/ds_agent

Why then, those ports are listed in the nmap and how I can close them? 那么,为什么这些端口在nmap中列出,我如何关闭它们?

1 个解决方案

解决方案1
 0  2017-03-08 14:12:35

Add the --reason option to your Nmap scan to see information about each port. 在您的Nmap扫描中添加--reason选项,以查看有关每个端口的信息。 This may help reveal when responses are coming from a different source than the target. 这可能有助于揭示响应何时来自与目标不同的来源。 For instance, if you see 22/tcp open ssh syn-ack ttl 60 but 110/tcp open pop3 syn-ack ttl 63 then based on the ttl difference, the responses were likely coming from different targets. 例如,如果您看到22/tcp open ssh syn-ack ttl 60110/tcp open pop3 syn-ack ttl 63则基于ttl差异,响应可能来自不同的目标。 You say you are on a LAN, so this is less likely. 您说您在局域网上,因此可能性较小。

It's also possible that the ports were open when you scanned, but the process that was listening was turned off by the time you logged in to check. 扫描时端口也可能是打开的,但是在您登录进行检查时,正在侦听的进程已关闭。 Can you confirm the same ports are still open? 您可以确认相同的端口仍处于打开状态吗? Can you check logs for a mail server service starting and stopping? 您可以检查日志中是否有启动和停止的邮件服务器服务?

One more possibility would be a rootkit. 另一个可能是rootkit。 This is malware that carefully hides its behavior from on-host diagnostic tools like netstat . 这是一种恶意软件,可从诸如netstat类的主机诊断工具中精心隐藏其行为。 This possibility is unlikely based on the ports you listed, which are consistent with a mail server instead. 根据您列出的端口(与邮件服务器一致),这种可能性不太可能。 Malware would be unlikely to listen on so many commonly-used ports, but it is worth mentioning as a general case. 恶意软件不太可能在这么多常用端口上侦听,但作为一般情况值得一提。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 关键地管理开放的端口和ASG - Managing opened ports and ASGs in pivotal Nmap:提取不需要的端口以使用Batch和Blat发送邮件 - Nmap: extract undesirable ports for sending mail with Batch and Blat Nmap 使用诱饵扫描扫描 WAN 目标的端口 - Nmap scans WAN target's ports with decoy scan 如何确定节点应用程序已打开的端口 - How to determine the ports that a node app has opened SQL Server活动监视器端口 - SQL Server Activity Monitor Ports 过滤器允许连接到服务器的端口 - Filter ports allowed to connect to the server 启用了JMX的Tomcat7会打开2个额外的随机侦听端口 - Tomcat7 with enabled JMX opens 2 additional random listening ports GCP Kubernetes:入口和外部负载均衡器,带有 IAP 大量开放端口扫描 nmap - GCP Kubernetes: Ingress and external load balancer with IAP lots of open ports scanning nmap 在侦听多个端口的telnet服务器上进行syn flooding攻击 - syn flooding attack on a telnet server that listens on multiple ports 如何限制从Internet访问远程linux服务器上的容器端口? - How to restrict access from internet to containers ports on remote linux server?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM