nmap reveals trinoo_master on router Oct 18 2006 11:35AM
fahimdxb gmail com (1 replies)
On my Cisco Router, I do a nmap scan from outside on the Internet. The result is:

Interesting ports on *.*.50.1:

Not shown: 1676 closed ports
23/tcp filtered telnet
135/tcp filtered msrpc
1524/tcp filtered ingreslock
27665/tcp filtered Trinoo_Master

I am worried about the last two entries. The last nmap was done in Feb this year and I have confirmed that the two port entries (tcp 1524/27665) did not exist then.
Though the port state "filtered" is a solace, I am still concerned. How can I be sure that the system has not been compromised?

Also, the current IOS version of my Router 2811 is 12.4. It was the same case with open ports when I was using the older Router Series 1700 v 12.2, so I thought maybe it's an IOS issue, and I upgraded my Router to 2811 with IOS v 12.4 yesterday. But as soon as I plugged it into the circuit and did a re-scan, I realised that nmap again gives the trinoo_master entry with state as filtered.

Where could the problem lie? Is it with my firewall (PIX 515) configuration behind the router?
Please advise!!

I have seen Cisco's tech doc that exists here:

One of the solutions suggested therein is to implement "ip verify unicast reverse-path" on the serial interface, but I am not sure what purpose it will serve. Also, I suspect that I had other problems when I gave this command, so I reversed it.

"sh process cpu" only shows cpu utilisation of about 5-6%.
Please advise!!

Re: nmap reveals trinoo_master on router Oct 18 2006 09:31PM
Robin Sheat (robin kallisti net nz)


Copyright 2010, SecurityFocus