[FUG-BR] Firewall Port Analysis

Celso Viana celso.vianna at gmail.com
Wednesday November 8 14:18:49 BRST 2006


On 08/11/06, Cristina Fernandes Silva <cristina.fsilva at yahoo.com.br> wrote:
> Folks,
>
> I'm analyzing the firewall of a company where a friend works, and I found
> this with nmap:
>
> Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2006-11-08 10:52 BRT
> Interesting ports on XXX.XXX.XXX.XXX:
> Not shown: 1640 closed ports, 31 filtered ports
> PORT     STATE SERVICE         VERSION
> 22/tcp   open  ssh             OpenSSH 3.9p1 (protocol 2.0)
> 80/tcp   open  http-proxy      Squid webproxy 2.5.STABLE6
> 82/tcp   open  http            Apache httpd 2.0.48 ((Unix) PHP/4.3.5RC4-dev)
> 83/tcp   open  http            Microsoft IIS webserver 5.0
> 89/tcp   open  http            Microsoft IIS webserver 6.0
> 987/tcp  open  unknown
> 1987/tcp open  tr-rsrb-p1?
> 3128/tcp open  http-proxy      Squid webproxy 2.5.STABLE6
> 5010/tcp open  telelpathstart?
> 2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
> Device type: general purpose
> Running: Linux 2.4.X|2.5.X|2.6.X
> OS details: Linux 2.4.7 - 2.6.11
> Uptime 15.619 days (since Mon Oct 23 20:02:54 2006)
> Service Info: OS: Windows
>
> Nmap finished: 1 IP address (1 host up) scanned in 147.359 seconds
>
> I found ports 987 and 1987 odd.
>
> Does anyone have an idea of what might be going on, and whether this is
> all normal?
>
> Cristina
>

Cristina,

According to /etc/services...

tr-rsrb-p1      1987/tcp   #cisco RSRB Priority 1 port

-- 
Celso Vianna
BSD User: 51318
http://www.bsdcounter.org

63 8404-8559
Palmas/TO
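An added example (not part of the thread) that automates the check Celso points to: it parses the nmap port table quoted above and an /etc/services-format file, flags the ports nmap only guessed (trailing `?`) or left `unknown`, and puts the registered name next to the guess. The services excerpt is constructed for the example; only the tr-rsrb-p1 line comes from the reply.

```python
"""Cross-check nmap -sV service names against an /etc/services-style table."""
import re
# Constructed /etc/services excerpt: only the tr-rsrb-p1 line is from the thread.
SERVICES_TEXT = """\
http            80/tcp www www-http   # World Wide Web
tr-rsrb-p1      1987/tcp   #cisco RSRB Priority 1 port
"""
# Port table as quoted in the thread (mail-wrapped lines re-joined).
NMAP_TEXT = """\
PORT     STATE SERVICE         VERSION
22/tcp   open  ssh             OpenSSH 3.9p1 (protocol 2.0)
987/tcp  open  unknown
1987/tcp open  tr-rsrb-p1?
5010/tcp open  telelpathstart?
"""
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_services(text):
    """Map (port, proto) -> (name, comment) from /etc/services-format text."""
    table = {}
    for raw in text.splitlines():
        body, _, comment = raw.partition("#")   # strip trailing comment
        fields = body.split()                   # name, port/proto, aliases...
        if len(fields) < 2:
            continue
        port, _, proto = fields[1].partition("/")
        if port.isdigit():
            table[(int(port), proto)] = (fields[0], comment.strip())
    return table

def parse_nmap(text):
    """One dict per 'PORT STATE SERVICE VERSION' row of nmap normal output."""
    rows = [PORT_RE.match(line) for line in text.splitlines()]
    return [{"port": int(m[1]), "proto": m[2], "state": m[3],
             "service": m[4], "version": m[5]} for m in rows if m]

def review(nmap_text, services_text):
    """Findings for ports nmap did not positively identify: '?' means no probe
    matched and the name is just the registered one for that port number (the
    /etc/services lookup); 'unknown' means not even that. Verify on the host."""
    table = parse_services(services_text)
    findings = []
    for row in parse_nmap(nmap_text):
        guessed = row["service"].endswith("?")
        if not guessed and row["service"] != "unknown":
            continue  # a fingerprint matched, so the version column is reliable
        name, comment = table.get((row["port"], row["proto"]), (None, ""))
        findings.append({"port": row["port"], "registered_name": name, "comment":
                         comment, "nmap_guess": row["service"][:-1] if guessed else None})
    return findings
```

The same `parse_services` reads the real `/etc/services` on a FreeBSD or Linux host; the registered name is only a hint, so a port it cannot explain still has to be traced to a process on the firewall itself.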

