# [SOLVED] Ports 1720 and 8080 are open/filtered, shouldn't be

## zoni

I recently did an nmap scan on my server, and it shows that port 1720 is filtered and 8080 is open, while they shouldn't be, since I'm only running ssh and ftps (And occasionally apache, but it's not running now):

```
zoni@nick ~ $ nmap 10.0.0.175

Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2006-10-07 17:40 EDT
Interesting ports on 10.0.0.175:
(The 1670 ports scanned but not shown below are in state: closed)
PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   open     ssh
1720/tcp filtered H.323/Q.931
8080/tcp open     http-proxy

Nmap finished: 1 IP address (1 host up) scanned in 2.506 seconds
```

Opening telnet to it at port 8080 works, but it just closes the connection without any message if I do anything. Which is really weird, since all incoming traffic not going to 21 or 22 should be rejected:

```
Servy ~ # iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh state NEW
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp state NEW
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

I even stopped all services I know aren't essential to keep the system running, but still they remain.

So I'm a little worried.. Why are those ports showing up?

Last edited by zoni on Wed Oct 11, 2006 5:32 pm; edited 2 times in total

----------

## Kruegi

You can see the process listening to the port with: "netstat -nlp"

Thomas

----------

## dleverton

 *zoni wrote:*

> ```
> Servy ~ # iptables -L
> ...
> ```

I assume that first rule is for allowing loopback traffic?  For some reason iptables doesn't show that information unless you add the -v switch.  If it's not, you have a problem.  :Wink:  Otherwise, that's probably why nmap is showing those ports - traffic to the local machine always goes over loopback, even if you use the non-loopback address, therefore bypassing your firewall rules.  Try running nmap from another machine, if you have one.

 *Quote:*   

> So I'm a little worried.. Why are those ports showing up?

 

Apart from what Kruegi said, another possibility: is there any chance you set up port forwarding for those ports in the past?  

```
iptables -t nat -L -v
```

 will tell you.

----------
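
The check suggested in the post above, as an added example that is not part of the thread: `iptables -L` hides the interface column, so this reads `iptables -L INPUT -v -n` output and flags any ACCEPT rule that matches all traffic on every interface. The function name and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example. Real use: iptables -L INPUT -v -n | find_accept_all

# Print one line per INPUT rule that is ACCEPT, prot=all, in=*, any source and
# destination, and has no further match (such as "state ..."). A rule like that
# accepts every packet, so the rules listed after it never apply.
find_accept_all() {
    awk '
        /^Chain /    { chain = $2; n = 0; next }
        $1 == "pkts" { next }
        NF == 0      { next }
        {
            n++
            # columns: pkts bytes target prot opt in out source destination [match...]
            if (chain == "INPUT" && $3 == "ACCEPT" && $4 == "all" && $6 == "*" &&
                $8 == "0.0.0.0/0" && $9 == "0.0.0.0/0" && NF == 9)
                print chain " rule " n ": accepts everything on every interface"
        }
    '
}

# Constructed listing: the first rule is restricted to loopback ("in" = lo).
sample_loopback() {
cat <<'EOF'
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  120  9600 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  340 27200 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    2   120 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW
EOF
}

# Constructed listing: same rules, but the first one has no interface restriction.
sample_open() { sample_loopback | sed 's/--  lo /--  *  /'; }

echo "loopback-only listing:"
sample_loopback | find_accept_all
echo "unrestricted listing:"
sample_open | find_accept_all
```

Without `-v`, both sample listings would print an identical first rule.

----------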

## zoni

Since it wasn't too clear in my initial post, the nmap scan came from another computer on the same subnet, so those are the ports that are actually open to the outside. (Well, my router only forwards traffic coming in on ports 21 and 22 for my ftps and ssh, but it's still open on the box itself, and I want to know why.)

Netstat doesn't show any processes are listening on those ports, just vsftp and ssh on their own ports:

```
Servy ~ # netstat -nlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      6714/vsftpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      5120/sshd
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING     6832   4476/syslog-ng      /dev/log
```

And it's not port-forwarding either:

```
Servy ~ # iptables -t nat -L -v
Chain PREROUTING (policy ACCEPT 3498 packets, 173K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 1779 packets, 78125 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 62 packets, 9445 bytes)
 pkts bytes target     prot opt in     out     source               destination
```

Any other ideas where this might be coming from?

----------

## dleverton

Is there a firewall/port forwarding on the box you ran nmap on?

----------

## zoni

There's an almost identical firewall on the box nmap ran on, only difference is it only allows ssh. No port forwarding. Just to be sure it's not that box, I booted Knoppix 5.0 from a disk I had lying around, and ran nmap from there, which gave the same results.

----------

## Kruegi

Three other tries:

- try nmap with the -sV option to identify the service
- capture all traffic with wireshark to see if it is relayed somewhere
- emerge, update and run app-forensics/rkhunter

Thomas

----------

## zoni

The nmap -sV tip is a good one, hadn't thought of that. When I get home from school, I'll try that. I'll try capturing data too.

I have rkhunter installed, but it hasn't found anything last time it ran, which was after I ran nmap. Unfortunately, I haven't run AIDE, so I can't check if any system-files have been modified.. Shame on me   :Embarassed: ..

Last edited by zoni on Wed Oct 11, 2006 5:30 pm; edited 1 time in total

----------

## zoni

I managed to track the problem down to port-forwarding after all. Even though my router didn't show it in the setup, it was forwarding traffic in some weird way.. A factory reset and reconfiguring solved it.

Thanks for the help guys.

----------
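
The comparison that runs through this thread, as an added example that is not part of any post: ports a remote scan reports as open or filtered, but that have no listener in the server's `netstat -nlp`, are being answered by something other than a local service (here it turned out to be the router). The two listings are copied from the posts above; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Run nmap from another machine and netstat on the server itself.

# "port state" for every TCP port line in nmap's port table.
scan_ports() {
    awk '$1 ~ /^[0-9]+\/tcp$/ { sub(/\/tcp$/, "", $1); print $1, $2 }'
}

# Port numbers that have a TCP listener in `netstat -nlp` output (IPv4 or IPv6).
listening_ports() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" { n = split($4, a, ":"); print a[n] }'
}

# stdin: nmap output; $1: newline-separated listening ports.
# Prints scanned ports that are not closed and have no local listener.
unexplained_ports() {
    scan_ports | while read -r port state; do
        [ "$state" = "closed" ] && continue
        printf '%s\n' "$1" | grep -qxF "$port" || echo "$port $state"
    done
}

# Port table from the first post.
sample_scan() {
cat <<'EOF'
PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   open     ssh
1720/tcp filtered H.323/Q.931
8080/tcp open     http-proxy
EOF
}

# TCP listeners from the netstat -nlp post.
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      6714/vsftpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      5120/sshd
EOF
}

sample_scan | unexplained_ports "$(sample_netstat | listening_ports)"
```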

