nmap shows opened port but netstat doesn't
If I scan my server with nmap, it shows that port 21 is open. But when I log in to this server and run netstat, I see nothing.
$ nmap -sT server
Starting Nmap 4.76 ( http://nmap.org ) at 2009-06-24 11:54 MSD
Interesting ports on server (x.x.x.x):
Not shown: 994 filtered ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
...
Nmap done: 1 IP address (1 host up) scanned in 7.97 seconds
$ netstat --listen --tcp --numeric
How can it be? Can it be a security issue?
UPD: tcpdump output while connecting with nmap
13:13:02.982805 IP 10.19.10.2.51983 > server.ftp: S 767068541:767068541(0) win 5840
13:13:04.096705 IP 10.19.10.2.52000 > server.ftp: S 792080356:792080356(0) win 5840
13:13:04.131169 IP server.ftp > 10.19.10.2.52000: S 3312178661:3312178661(0) ack 792080357 win 32768
13:13:04.131346 IP 10.19.10.2.52000 > server.ftp: . ack 1 win 46
13:13:04.131737 IP 10.19.10.2.52000 > server.ftp: R 1:1(0) ack 1 win 46
Solution 1:
Are you on the same segment as the server in question? Port scanning via routers can give bogus results.
Solution 2:
As previously mentioned, I'm posting here to reiterate; this is common if you're nmap'ing from behind a NAT'd router. Are you running nmap from behind your home ADSL or cable modem? I see this all the time with my Apple TimeCapsule. It can give you a shock the first time you see it :)
Andrew
Solution 3:
From tcpdump, it is showing clearly that someone is responding to your requests.
Can you try:
- FTP'ing directly to the box? See what happens.
- If you have a NAT in the middle, it might be redirecting to another box.
- Can you run tcpdump on the destination machine itself? See if any packet is getting through.
Plus, try nc -l -p 21 to see if you can listen on port 21. If you can't and nothing is showing up on netstat, you might be compromised. Try rootcheck to see if it finds something (since chkrootkit didn't find anything: http://www.ossec.net/rootcheck ).
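To make the reasoning in this answer repeatable, here is an added example (not code from the question or any answer) that automates the comparison the answer asks for: it parses tcpdump output, picks out every SYN-ACK reply and which host sent it, parses the server's netstat listening table, and reports ports that answer a connection attempt but have no local listener. The sample tcpdump text is the packet trace from the question, one packet per line; the netstat text is a constructed sample in which only port 22 is listening. The service-name table (ftp, ssh, http, https) is an assumption made so that tcpdump's symbolic port names can be mapped back to numbers. The script only flags the discrepancy; as the answer says, telling a NAT redirect apart from a hidden listener still requires running tcpdump on the destination machine itself.

```python
import re
from collections import defaultdict

# Constructed sample: the tcpdump trace from the question, one packet per line.
TCPDUMP_OUTPUT = """\
13:13:02.982805 IP 10.19.10.2.51983 > server.ftp: S 767068541:767068541(0) win 5840
13:13:04.096705 IP 10.19.10.2.52000 > server.ftp: S 792080356:792080356(0) win 5840
13:13:04.131169 IP server.ftp > 10.19.10.2.52000: S 3312178661:3312178661(0) ack 792080357 win 32768
13:13:04.131346 IP 10.19.10.2.52000 > server.ftp: . ack 1 win 46
13:13:04.131737 IP 10.19.10.2.52000 > server.ftp: R 1:1(0) ack 1 win 46
"""

# Constructed sample: output of `netstat --listen --tcp --numeric` on the server,
# with only sshd listening and nothing bound to port 21.
NETSTAT_OUTPUT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
"""

# Assumed mapping for the symbolic port names tcpdump prints without -n.
SERVICE_PORTS = {"ftp": 21, "ssh": 22, "http": 80, "https": 443}

# Old-style tcpdump TCP line: "<ts> IP <src> > <dst>: <flags> <rest>"
PKT_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<flags>\S+)(?P<rest>.*)$"
)


def split_endpoint(endpoint):
    """Split 'host.port' (the port may be symbolic) into (host, port_number)."""
    host, _, port = endpoint.rpartition(".")
    if port.isdigit():
        return host, int(port)
    return host, SERVICE_PORTS.get(port, port)


def synack_replies(tcpdump_text):
    """Return {port: set(hosts)} for every SYN-ACK seen in the trace.

    A SYN-ACK is a packet whose flag field is 'S' and which carries an ack;
    its source is whoever actually accepted the connection on that port.
    """
    replies = defaultdict(set)
    for line in tcpdump_text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        if m.group("flags") == "S" and " ack " in m.group("rest"):
            host, port = split_endpoint(m.group("src"))
            replies[port].add(host)
    return dict(replies)


def listening_ports(netstat_text):
    """Return the set of TCP ports netstat reports in LISTEN state."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("tcp") and fields[-1] == "LISTEN":
            # Local address is 'addr:port'; rsplit handles IPv6 forms like ':::22'.
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports


def unexplained_responders(tcpdump_text, netstat_text):
    """Ports that answered with a SYN-ACK although nothing listens locally.

    A non-empty result means either something in the path (a NAT or router)
    is answering on the server's behalf, or a listener is hiding from netstat.
    """
    listening = listening_ports(netstat_text)
    return {
        port: sorted(hosts)
        for port, hosts in synack_replies(tcpdump_text).items()
        if port not in listening
    }


if __name__ == "__main__":
    for port, hosts in unexplained_responders(TCPDUMP_OUTPUT, NETSTAT_OUTPUT).items():
        print(f"port {port}: SYN-ACK from {', '.join(hosts)} but no local listener")
```

Run on the sample data it reports port 21 answered by "server" with no listener, which is exactly the situation in the question. To use it on real data, capture with `tcpdump -n` on the server and feed the numeric addresses in; the script then shows whether the SYN-ACK really originates from the server's own address.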
Solution 4:
Look at this answer:
Turning off FTP