Houston, we have a problem...

Discussion in 'Trojan Defence Suite' started by Pawthentic, Jul 6, 2002.

Thread Status:
Not open for further replies.
  1. Pawthentic

    Pawthentic Registered Member

    Joined:
    Jul 6, 2002
    Posts:
    40
    Okay, in a nutshell ~~ I think I'm the one with the problem. For a while now, I've been seeing some rather strange results when scanning local (my LAN) and remote IP addresses using TDS-3. It doesn't matter which way I ask TDS-3 to perform a scan (remote scan, targeted scan, interrogate, common ports check, etc.)... I always see the same ports being reported as open to incoming connection requests.

    Rather than bore anyone here with a convoluted recounting of multiple events, I've attached a netstat from a fresh winME box (ip addr 192.168.1.101 on my LAN) and the log from TDS-3 (run from 192.168.1.100 on my LAN). It doesn't take a rocket scientist to see something strange here.

    My current hardware config is RoadRunner cable in front of a Linksys BEFSR-41, which handles the LAN through its 4-port switch. The box running TDS-3 is an XP Pro install that is clean. Reinstalling TDS-3 and/or playing with its configuration changes nothing as far as mis-reporting open ports goes. Also, did I mention that the winME box is fresh, too?

    I would be eternally happy if someone could explain exactly what I'm doing wrong (because god-forbid it should be TDS-3's fault) without telling me I need lessons in networking and sockets (hi Wayne!)

    Best regards to all here.
    Hilly.

    [year-old attachment deleted by admin]
     
  2. Pawthentic

    Pawthentic Registered Member

    Joined:
    Jul 6, 2002
    Posts:
    40
    I couldn't add another attachment to my post, so here's the log from TDS-3...


    [year-old attachment deleted by admin]
     
  3. controler

    controler Guest

    Congratulations !!!!!!!!!!!!!

    You have my IP address now what?
    Maybe the Wilders Web Master would care to elaborate on this? Does this new poster share my IP?

    Also dude? Please turn word wrap on !!!!!!!!!!!!!
     
  4. Pawthentic

    Pawthentic Registered Member

    Joined:
    Jul 6, 2002
    Posts:
    40
    :) IP addresses like 192.168.xxx.xxx are private, non-routable addresses that are given to machines running on a local network. If you're posting from a box on a LAN then it might have the same 192.168.xxx.xxx address. That does not mean your WAN address is the same as mine. BTW, you have no way of knowing what -my- WAN address is unless you're a moderator here. Just FYI it's 24.58.230.189.

    Sorry about the extra-wide post, I'm thinking it's due to the image I posted. I don't see where to implement word-wrap in this forum, but if I'm wrong then someone can tell me.

    Hey, thanks for the thoughtful, intelligent reply. :)

    Regards,
    Hilly.
     
  5. controler

    controler Guest

    Only teasing !!!!!!!!!!! :D

    I don't think I want to publish my DSN address. My lease expires 7/12/2002 10:49:20 AM though, or before, since I am moving again and will be going back to DSL and an old Cisco 675 router.

    Cool that you are using the same router as me though.
    Have you tried connecting without your router?
     
  6. Pawthentic

    Pawthentic Registered Member

    Joined:
    Jul 6, 2002
    Posts:
    40
    The strange results I'm getting disappear when I physically remove the router from my configuration. It seems (not properly verified) that others using TDS-3 and a Linksys router get similar, incorrect results when scanning me.

    What's a DSN address?

    Regards,
    Hilly.
     
  7. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    I think Controler mistyped something, maybe he was a little stoned :p

    He means DNS (Domain Main System) by DSN.

    Ciao,

    Smokey
     
  8. controler

    controler Guest

    Oh Dawd

    I need to stop posting after only one cup of coffee in the mornings.
    Yes, that is what I meant..

    DNS Domain Name System
    Address is the Wan address

    Is your router default configured from the factory ?
     
  9. Pawthentic

    Pawthentic Registered Member

    Joined:
    Jul 6, 2002
    Posts:
    40
    DNS is how host and domain names get resolved into IP addresses. Your WAN address has little or nothing to do with the address of your (or your ISP's) DNS servers. When you log in with your ISP, your computer is issued a unique (WAN) IP address. Your computer will routinely go to the address (specified in your network settings) of whatever DNS server you want to resolve host/domain names to IP addresses. Reverse DNS is used to resolve IP addresses to host or domain names.

    All of this has nothing to do with what I started this thread for, but might be an indication that you guys need more coffee.

    Controler, to answer your question ~~ No. My Linksys does not have the factory's 'default' configuration. I use the web interface (192.168.1.1 for the Linksys) to change things to my liking. Either way, if other people who have routers (at least a Linksys, anyway) scan me and report ports open and/or services running that I know aren't there, what does it matter how I have my router configured??

    Please note that it's only with TDS-3 that I (and at least one other person that I know of) get these strange results.

    Routers don't open ports, or cause services to magically appear.

    Regards,
    Hilly.
     
  10. controler

    controler Guest

    With that web interface doesn't it ask for your username and Password?

    I am sure you have checked Linksys's site already, but if not, here ya go. I am sure Gavin will respond to your TDS-3 question.

    http://www.linksys.com/support/support.asp?spid=86
     
  11. Pawthentic

    Pawthentic Registered Member

    Joined:
    Jul 6, 2002
    Posts:
    40
    :mad:
    Of course it asks for a password, but what does that have to do with anything?

    As far as DCS answering me, all I've gotten so far from them is a suggestion to
    Google for info on networking and sockets. (hi Wayne!)

    Again, I'm not saying this is a -problem- with TDS-3 (but I'm not convinced it isn't
    a problem, either). All I'm saying is that I see strange, incorrect results when
    using TDS-3 in conjunction with my Linksys router. I've also seen one other
    person who used TDS-3 to scan me (while my router was in place) and he -also-
    received incorrect results on his end .

    I can live with the possibility that TDS-3 doesn't play well with routers, but I sure
    wish I knew that before I went and did something silly like _relying_ on the
    results I get from scanning with TDS-3.

    I have searched, but found no information anywhere (including from DCS)
    regarding the usage of TDS-3 with a router. I would think that if there _is_ a
    compatibility issue, then I wouldn't be the first to see these -incorrect- results.

    I keep telling myself that it's me, that I must be doing something wrong, that I'm
    a goofball who doesn't know about networking and sockets (hi Wayne!)... but if
    it's all about me, how come someone else using TDS-3 to scan my IP address
    received the same strange, incorrect results?

    All these questions could probably be answered by DCS, but I think they're kind
    of busy with TDS-4 and other stuff ~~ so it looks like I'm on my own with this.

    Regards, and sorry for wasting the space.
    Hilly.
     
  12. controler

    controler Guest

    I am sure you have the latest firmware update?

    to download firmware version 1.42.7 that supports enhanced Internet security using ZoneAlarmPro TM and PC-cillin TM.
    Extract the files
    Read the UPGRADE.DOC for upgrade instructions
    *Linksys will not offer technical support for the 3rd party enhanced security features.


    ftp://ftp.linksys.com/pub/network/befsr-fw1427.zip
     
  13. Pawthentic

    Pawthentic Registered Member

    Joined:
    Jul 6, 2002
    Posts:
    40
    Thank you (sincerely) for trying to help, controler. I have used the last 3
    firmware images that Linksys released, and I got them directly from Linksys.

    Firmware in the router isn't the problem.

    Regards,
    Hilly.
     
  14. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Hilly - temper, temper! :D

    I haven't a clue, myself, as to why you're getting flaky results (only you , BTW, would know if they are flaky results or not, I think).

    Would a proper re-statement of the problem be that, while TDS is telling you certain ports are open (when scanned by other TDS users' ) - all the other tests you take elsewhere are telling you that you don't have any ports open?

    (Forgive me if that sounds too simplistic, or isn't correct - I'm the dumbest one here. If you can explain it to me to where I can understand the problem, it'll probably go a long way towards having it stated to where others more knowledgeable will be able to help). Pete
     
  15. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Hmm, you did explain the problem more clearly in the TDS private forum!

    Okay, when you scan someone else with TDS, TDS tells you that they have certain ports open - but they actually don't , right?

    Or, if someone scans you with TDS, TDS tells them that you have certain ports open - but you don't, correct?

    I wonder why my scan of you came up with the right results?

    Is everyone involved using the latest version of TDS-3?
    Pete
     
  16. Pawthentic

    Pawthentic Registered Member

    Joined:
    Jul 6, 2002
    Posts:
    40
    Hello Pete.

    It all started when I noticed that -all- the scans I was performing from TDS-3 on my XP box showed the same common ports as open... and note that these were scans done on remote IP addresses. I wasn't worried until more than a few people became angry with me because I was saying that my scans of them (scanning with TDS-3) showed ports open that they were sure they didn't have. In a few instances, I used the TCP Connect feature in TDS-3 to actually connect to port 25 on -remote- addresses (after they showed as open and accepting incoming connections). To me, this means that the remote addresses were actually running the services that TDS-3 reported. If that's a bad assumption on my part, then at least it's a given that TDS-3 was reporting to me these IP addresses had ports open and listening for incoming connection requests. After getting my ass chewed on for a while, I decided to run my own tests.

    I have a small LAN set-up here. Yesterday, I was wiping and reinstalling a friend's winME box (an HP Pav 7850). After the o/s was installed and updated fully, but before I put any third-party apps on it, I used TDS-3 from my XP pro box to run the interrogate scan on it. In this thread, I posted both the netstat from the winME box, and the TDS-3 log from the XP box. The netstat from winME shows nothing, but the log from TDS-3 shows, well you can see for yourself.

    The same thing happens whenever I scan anything, local or remote, as long as my Linksys is physically in the configuration. Using the DMZ in the router changes nothing, I need to -remove- the router from the network (physically) to get valid results from TDS-3.

    Last week, in the DCS forums, I had someone (who also uses TDS-3 and a router) run Interrogate on my IP address. He got the SAME bogus results that showed I was running all kinds of services (ports listening for incoming connection requests). I promise, there are no such services running anywhere near my LAN.

    Once the router is removed (physically), the problem I'm seeing goes away.

    Thanks for the help, Pete.

    Regards,
    Hilly.
     
  17. Pawthentic

    Pawthentic Registered Member

    Joined:
    Jul 6, 2002
    Posts:
    40
    Are you 65.196.250.34 ? If so, I just scanned you and found this...

    ------
    14:34:31 [Interrogate] Interrogation scan on 65.196.250.34 started.
    14:34:32 [Interrogate] 65.196.250.34:25: Connected
    14:34:52 [Interrogate] 65.196.250.34:80: Connected
    14:34:52 [Interrogate] 65.196.250.34:110: Connected
    14:34:53 [Interrogate] 65.196.250.34:110: Connected
    14:35:13 [Interrogate] 65.196.250.34:2: Closed - connection closed immediately.
    14:35:13 [Interrogate] 65.196.250.34:1080: Connected
    14:35:14 [Interrogate] 65.196.250.34:3: Closed - connection closed immediately.
    14:35:35 [Interrogate] 65.196.250.34:9: Closed - connection closed immediately.
    ------

    Are you running these services?

    Regards,
    Hilly.
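A way to make the comparison Hilly describes (TDS-3's Interrogate log against the target's own netstat) mechanical, as an added example that is not from the thread, from DCS or from TDS-3 itself. The log lines and `netstat -an` output below are constructed samples in the same layout as the posts above; the host 192.168.1.101 is the winME box from the first post.

```python
import re

# Constructed TDS-3 Interrogate log for the LAN host (same layout as the thread's log).
TDS_LOG = """\
14:34:31 [Interrogate] Interrogation scan on 192.168.1.101 started.
14:34:32 [Interrogate] 192.168.1.101:25: Connected
14:34:52 [Interrogate] 192.168.1.101:80: Connected
14:34:52 [Interrogate] 192.168.1.101:110: Connected
14:34:53 [Interrogate] 192.168.1.101:110: Connected
14:35:13 [Interrogate] 192.168.1.101:2: Closed - connection closed immediately.
14:35:13 [Interrogate] 192.168.1.101:139: Connected
"""

# Constructed `netstat -an` output as the scanned Windows host itself prints it.
NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    192.168.1.101:1029     192.168.1.100:80       ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# time [Interrogate] ip:port: Status ...  (the "scan started" line has no port, so it is skipped)
LOG_RE = re.compile(r"^\S+ \[Interrogate\] (\d+\.\d+\.\d+\.\d+):(\d+): (\w+)")

def parse_tds_log(text):
    """Return {port: status} for the scanned host; a port logged twice keeps its last status."""
    result = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            result[int(m.group(2))] = m.group(3)
    return result

def listening_tcp_ports(text):
    """Return the set of TCP ports the host's netstat shows in LISTENING state."""
    ports = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[0] == "TCP" and fields[3] == "LISTENING":
            ports.add(int(fields[1].rsplit(":", 1)[1]))
    return ports

def phantom_ports(tds_text, netstat_text):
    """Ports the scanner reports Connected although the host itself is not listening on them."""
    scanned = parse_tds_log(tds_text)
    listening = listening_tcp_ports(netstat_text)
    return sorted(p for p, s in scanned.items() if s == "Connected" and p not in listening)

if __name__ == "__main__":
    print("scanner says open, host not listening:", phantom_ports(TDS_LOG, NETSTAT))
```

A non-empty result means something other than the host answered the connect (in this thread, whatever sits in the path when the Linksys is present), so the scanner's "Connected" cannot be read as "service running on the target".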
     
  18. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Well, I hope they didn't mind - because that wasn't me. PM'ing you my #. Pete
     
  19. controler

    controler Guest

    I just ran some scans of your IP with TDS-3 on my WinXP Home and found none open. 135 remained silent
     
  20. Pawthentic

    Pawthentic Registered Member

    Joined:
    Jul 6, 2002
    Posts:
    40
    I bet you're not using a Linksys router...

    :p
    Hilly.
     
  21. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Okay, you're right, I'm NOT running a router. There's no possibility that Linksys has some kind of honey-pot feature, is there?

    (Pardon me if that's a stupid question - you're dealing with Pete here! ).

    Hilly, do you have ICQ? If you do, crank it up, would you? Pete
     
  22. Pawthentic

    Pawthentic Registered Member

    Joined:
    Jul 6, 2002
    Posts:
    40
    Hi Pete. :)

    ICQ?! Eeeewww. ;)

    For you, I'll install it right now. (give me a few minutes...)

    Regards,
    Hilly.
     
  23. controler

    controler Guest

    Yeah, them silly ISPs push the router on us so our hard drive is not just
    blowing in open air. They seem to like Linksys :rolleyes:
    Some say if you have a good firewall like ZoneAlarm
    you can chuck the router. I am using a Wireless Internet connection.
    Today I keep losing connection and have not had that happen before.
    Why are we not finding the false open ports you are speaking of?
     
  24. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Is chucking the router actually an option if he's running a LAN?
     
  25. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    Perhaps a scan with a different scanner will shed some light.

    Permission to use Nmap on you? It is the common *nix scanner, very good. I trust it more so than any other.

    Also, with TDS, instead of using Interrogate, use the TCP scanner to scan the first 1024 ports of the IP. I believe that will be a better indication of what is going on.
     