Try using netstat -tupan and see which process is using that port, if any.

----- Original Message -----
From: "Sven Riedel" <sr@xxxxxxxx>
To: <netfilter@xxxxxxxxxxxxxxxxxxx>
Sent: Friday, January 23, 2004 10:48 PM
Subject: Filtered Port 21 somewhat open - iptables weirdness?

> Hi,
> one of the machines I administer to is running iptables with an input
> policy of drop, and allows only a few, selected services. Ftp is most
> definitely not among them, and there is no ftp server installed on the
> machine in question.
>
> nmap -P0 -sS reports that among the expected, port 21 is open.
> telnetting to port 21 shows indeed a successful connect:
> radagast@angmar:~>telnet <machine> 21
> Trying <ip>...
> Connected to <machine>
> Escape character is '^]'.
> ^]
> telnet> quit
>
> But it just sits there, no welcoming banner, no response to obvious
> ascii-commands.
>
> At the same time the kernel logs report that my telnet packets are being
> blocked by iptables. hping2 -A gets reset packets from that port as
> well, as if it weren't filtered, while amap shows me nothing of value.
>
> Is this maybe some ip_conntrack weirdness? I already swept the machine
> as well as I could and so far I came up with no indication for a rootkit
> or backdoor.
>
> Regs,
> Sven
> --
> Sven Riedel                      sr@xxxxxxxx
> Liebigstr. 38
> 30163 Hannover        "Python is merely Perl for those who
>                        prefer Pascal to C" (anon)
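
The check suggested in the reply, as an added example that is not part of the original thread: a filter that reads `netstat -tupan` output and lists only the sockets actually bound to a given local port. The helper name `listeners_on_port` and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -tupan` output (not taken from the thread).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd
tcp        0      0 192.0.2.10:22           198.51.100.7:40021      ESTABLISHED 1480/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      733/apache2
udp        0      0 0.0.0.0:123             0.0.0.0:*                           540/ntpd
EOF
}

# listeners_on_port PORT  (hypothetical helper name)
# Reads netstat -tupan output on stdin and prints "proto local-address owner"
# for each TCP socket in LISTEN state and each UDP socket bound to PORT.
listeners_on_port() {
    awk -v port="$1" '
        $1 ~ /^(tcp|udp)6?$/ {
            # The port is the text after the last colon, which also handles
            # IPv6 local addresses such as :::21.
            n = split($4, parts, ":")
            if (parts[n] != port) next
            if ($1 ~ /^tcp/) {
                if ($6 != "LISTEN") next
                first = 7
            } else {
                # UDP rows usually have an empty State column.
                first = ($6 == "ESTABLISHED") ? 7 : 6
            }
            # Program names can contain spaces, so join the remaining fields.
            owner = $first
            for (i = first + 1; i <= NF; i++) owner = owner " " $i
            print $1, $4, owner
        }'
}

# Live use (as root, so the PID/Program column is filled in):
#   netstat -tupan | listeners_on_port 21
sample_netstat | listeners_on_port 22
```

Matching on the local address column only keeps a foreign port such as 40021 from being mistaken for port 21; empty output means netstat reports no local socket bound to that port.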