Folks, have a weird one, need your expert help. For one of our heavily used external-facing servers, which came up in an audit, an nmap -Pn scan shows the following:
Starting Nmap 5.51 ...
Host pub.ip is up (0.0032s latency).
Not shown: 993 filtered ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
113/tcp closed auth
119/tcp open nntp
8008/tcp open http
8010/tcp open xmpp
Now this is a public FTP/SFTP server, and netstat/lsof on the physical host confirm that only ports 21 (ftp), 22 (ssh) and 25 (internal smtp) are listening.
The ASA FW config shows that it only allows NAT from the public IP to the internal IP on ftp/ssh:
static (dmz3,pub1) pub.ip internalftp.ip netmask 255.255.255.255
access-list pub1_access_in extended permit tcp any host pub.ip eq ftp
access-list pub1_access_in extended permit tcp any host pub.ip eq ssh
That's it. No entries for port 8010 or port 8008 in the entire FW config.
But here is the confusing part:
When I try to open a socket (using telnet) on port 8008, I do get a socket, and when I type HEAD / or GET /, I get the following redirect to secure port 8010:
HTTP/1.1 302 Found
Location: https://:8010
Connection: close
Connection to host lost.
I am able to open a socket on port 8010 as well, but it yields nothing, nothing through the browser or Wireshark.
It gets interesting: on the physical ftp/sftp server, a quick
#tcpdump -nni eth0 port 80 or port 8008 or port 8010
yields no traffic when I get a socket on my client. So definitely the connection is being established somewhere else.
So here it comes: what is listening on the socket / establishing the connection on the server side!?
One forum thread suggested a possible smart router/FW in the mix trying to spoof/mislead a hacker. True!?
Either way, how do I go about finding exactly where the connection is getting established?
PS: I only have read privileges on the ASA side, so I will not be able to run any troubleshooting there. I will have to pass it on to the ASA/network admin.
Thank you in advance for your time and valued help.
Output of "netstat -taulpn | grep LISTEN" as requested:
tcp 0 0 10.x.x.x:427 0.0.0.0:* LISTEN 3779/slpd
tcp 0 0 127.0.0.1:427 0.0.0.0:* LISTEN 3779/slpd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 3843/portmap
tcp 0 0 127.0.0.1:2544 0.0.0.0:* LISTEN 4081/zmd
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 4042/xinetd
tcp 0 0 10.x.x.x:22 0.0.0.0:* LISTEN 4190/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 4282/master
tcp 0 0 ::1:25 :::* LISTEN 4282/master
Update: Sorry folks, after further troubleshooting of each of the hops, the above is only true when we scan the external IP from our internal network. So we were not truly going out. On the way out, the internal interface of our edge router routes it directly to the ASA. And it turns out this internal interface is listening on these ports, which we are not sure why. Nothing in its config, and we have raised the question with the provider. Maybe a default Cisco 7200 behavior.
So the real test using a DSL line reveals only ports 21/22 open on the outside. And a scan of the edge router (external interface) shows no ports open.
So we are ok for now. Still need to figure out "why" from inside. Will post one last update after we find out.
Thanks everyone. I value your time and help.
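As an added example (not code from the question or the answer), here is the reconciliation the poster did by hand, scripted: parse the nmap output and the host's netstat LISTEN output, then flag every externally "open" port that has no listener on the host at all, or only a loopback listener, so the discrepancy points at something in the path (NAT device, edge router) rather than the server. The sample input is the nmap and netstat output quoted above, embedded as constants.

```python
import re

# Constructed sample input, copied from the nmap and netstat output in the question.
NMAP_OUTPUT = """\
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
113/tcp closed auth
119/tcp open nntp
8008/tcp open http
8010/tcp open xmpp
"""
NETSTAT_OUTPUT = """\
tcp 0 0 10.x.x.x:427 0.0.0.0:* LISTEN 3779/slpd
tcp 0 0 127.0.0.1:427 0.0.0.0:* LISTEN 3779/slpd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 3843/portmap
tcp 0 0 127.0.0.1:2544 0.0.0.0:* LISTEN 4081/zmd
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 4042/xinetd
tcp 0 0 10.x.x.x:22 0.0.0.0:* LISTEN 4190/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 4282/master
tcp 0 0 ::1:25 :::* LISTEN 4282/master
"""
NMAP_RE = re.compile(r"^(\d+)/tcp\s+open\b")            # "8008/tcp open http"
LISTEN_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s+(\S+)")
LOOPBACK = ("127.0.0.1", "::1")

def parse_nmap_open_tcp(text):
    """Return the set of TCP ports nmap reported as open."""
    return {int(m.group(1)) for m in map(NMAP_RE.match, text.splitlines()) if m}

def parse_listeners(text):
    """Map port -> list of (bind address, pid/program) from netstat LISTEN lines."""
    listeners = {}
    for line in text.splitlines():
        m = LISTEN_RE.match(line.strip())
        if m:
            addr, port, prog = m.group(1), int(m.group(2)), m.group(3)
            listeners.setdefault(port, []).append((addr, prog))
    return listeners

def classify(open_ports, listeners):
    """Split externally open ports into: served by this host, bound only to
    loopback (unreachable from outside), or no listener (answered elsewhere)."""
    result = {"host": {}, "loopback_only": {}, "no_listener": set()}
    for port in sorted(open_ports):
        binds = listeners.get(port)
        if not binds:
            result["no_listener"].add(port)
        elif all(addr in LOOPBACK for addr, _ in binds):
            result["loopback_only"][port] = binds
        else:
            result["host"][port] = binds
    return result
```

Run `classify(parse_nmap_open_tcp(NMAP_OUTPUT), parse_listeners(NETSTAT_OUTPUT))` against real output from `nmap` and `netstat -taulpn`; any port in `no_listener` is the one to chase on the next hop with tcpdump, as the poster did.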
Best Answer
I would check the output of
to see which interface the listeners are on for 8008 and 8080. It is possible they are only listening on the loopback interface, in which case the traffic would have to be initiated from localhost.