
My local network has been exhibiting some inexplicable behaviour.

Firstly, connecting to my website's domain name from inside the LAN redirected me to my router's login page. I checked again over 3G and found that it didn't happen from outside the network. This has never happened before and has not happened since.

I was worried the page was being spoofed, so I didn't submit any data. A traceroute took me straight to my WAN IP, with no stop at 192.168.1.1.

EDIT: I believe I have resolved this aspect. I have a dynamic IP address, so if it changes (due to a power outage or such), I think it takes time for my DynDNS service to be updated. Though this is handled by the router, and why it doesn't do this on boot I don't know. Might have to make my own updater.

Further, an Nmap scan of 0.0.0.0 revealed this:

$ nmap 0.0.0.0

Starting Nmap 6.47 ( http://nmap.org ) at 2016-02-03 18:14 GMT
Nmap scan report for 0.0.0.0
Host is up (0.00075s latency).
Not shown: 970 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
83/tcp    filtered mit-ml-dev
88/tcp    open     kerberos-sec
139/tcp   open     netbios-ssn
280/tcp   filtered http-mgmt
445/tcp   open     microsoft-ds
631/tcp   open     ipp
1045/tcp  filtered fpitp
1072/tcp  filtered cardax
1081/tcp  filtered pvuniwien
1175/tcp  filtered dossier
1187/tcp  filtered alias
1594/tcp  filtered sixtrak
1658/tcp  filtered sixnetudr
1755/tcp  filtered wms
2222/tcp  filtered EtherNet/IP-1
2381/tcp  filtered compaq-https
2393/tcp  filtered ms-olap1
3527/tcp  filtered beserver-msg-q
3737/tcp  filtered xpanel
4003/tcp  filtered pxc-splr-ft
5102/tcp  filtered admeng
5678/tcp  filtered rrac
5900/tcp  open     vnc
6025/tcp  filtered x11
6646/tcp  filtered unknown
9001/tcp  filtered tor-orport
9666/tcp  filtered unknown
55600/tcp filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 6.46 seconds

I repeated the scan for each machine on the LAN and found nothing; netcat was no more forthcoming. I could not find these ports anywhere. Since then the same Nmap scan has stopped returning these results.

I am worried there may be something nefarious going on... could anyone offer an alternative explanation of this behaviour? I'm not well versed in Nmap.

xeuari
    Maybe your dns settings are messed up? – Neil Smithline Feb 04 '16 at 16:28
  • 1
    A URL being wrongly redirected points to DNS. Have you checked your hosts file? When you used traceroute, were you tracerouting the server? Did you use the IP or the domain name? – cremefraiche Feb 05 '16 at 09:45
  • My dns is handled by a ddns service outside of my network. So I'm not sure the hosts file would be relevant, the servers host file contains only loopback IP's. And the logs for my DDNS have shown nothing far out of the ordinary. My traceroute was from within the lan, targeting the hostname of my server(also within the lan). This usually goes 192.168.1.1 -> wanIP ->done. I though it conspicious that these two phenomena were present at the same time, and stopped without intervention. The redirection may be a symptom, but if so, I can't for the life of me explain the Nmap scan. – xeuari Feb 05 '16 at 21:17
  • Your hosts file is relevant because if it has erroneous entries, they will be translated before reaching the external DNS server. If it only has a loopback, it's probably at default settings. "My traceroute was from within the lan, targeting the hostname of my server(also within the lan). This usually goes 192.168.1.1 -> wanIP ->done." So you really are relying on remote DNS to do local translation? This seems highly inefficient. – cremefraiche Feb 07 '16 at 00:50
  • 1
    with the nmap scan was your intention to scan your localhost? as that's what scanning 0.0.0.0 will do (although it's more usual to do 127.0.0.1 for that) – Rory McCune Feb 07 '16 at 18:52
  • Rory McCune: I didn't know that. Are you sure that's how nMap behaves? It can be used to target all IP's in some circumstances. If that is the case then there are services that definitely don't exist on the localhost I scanned. How can this be? How were all those services removed from my machine between scans? cremefraiche: That was a mistake. I meant domain name. – xeuari Feb 08 '16 at 06:19
  • ...and cremefraiche...Thanks for your info on the host file, didn't know that... My inefficient use of dns is just and easy way to keep an eye on my website and make sure it's not down. Not that tech, but it works. – xeuari Feb 12 '16 at 01:48
  • [filtered does not mean what you think it means](https://secwiki.org/w/FAQ_filtered) – bonsaiviking Jun 19 '17 at 23:07

2 Answers


0.0.0.0 is your own machine, which has a lot of services that are sometimes not visible to other machines. Try to scan your machine from another machine and everything may become clearer.

Run netstat -plnt on your machine and you can find which processes are running on these ports.

schroeder
rom3ocrash
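As an added example, not part of the original thread or of the answer above: a shell script that takes an Nmap localhost report and the machine's own listener table (`ss -tlnp` here, which gives the same information as the `netstat -plnt` the answer suggests) and, for each port Nmap reports as `open`, names the process that owns the listening socket. Ports Nmap reports as `filtered` are counted separately, since a filtered port means the probe got no answer (a firewall drop, or a lost packet) and no local process is listening on it. The Nmap text is an abbreviated copy of the scan in the question; the `ss` output, process names and PIDs (sshd, apache2, smbd, x11vnc) are constructed for the example and were not observed on the asker's machine.

```shell
#!/bin/sh
# Added example: cross-reference an Nmap localhost report with the local
# listener table so each "open" port is tied to a process.
# Assumptions: Nmap "normal" output format as shown in the question;
# `ss -tlnp` output format (header, then one LISTEN line per socket).

# Constructed sample: abbreviated copy of the scan in the question.
NMAP_REPORT='Starting Nmap 6.47 ( http://nmap.org ) at 2016-02-03 18:14 GMT
Nmap scan report for 0.0.0.0
Host is up (0.00075s latency).
Not shown: 970 closed ports
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
83/tcp    filtered mit-ml-dev
445/tcp   open     microsoft-ds
5900/tcp  open     vnc
9001/tcp  filtered tor-orport

Nmap done: 1 IP address (1 host up) scanned in 6.46 seconds'

# Constructed sample of `ss -tlnp` on the same box; processes and PIDs
# are hypothetical.
LISTENERS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*   users:(("sshd",pid=811,fd=3))
LISTEN 0      511    *:80               *:*         users:(("apache2",pid=1203,fd=4))
LISTEN 0      50     0.0.0.0:445        0.0.0.0:*   users:(("smbd",pid=990,fd=35))
LISTEN 0      5      127.0.0.1:5900     0.0.0.0:*   users:(("x11vnc",pid=2210,fd=6))'

# ports_in_state REPORT STATE -> space-separated TCP port numbers whose
# Nmap STATE column equals STATE (e.g. open, filtered, closed).
ports_in_state() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 ~ /^[0-9]+\/tcp$/ && $2 == want { split($1, a, "/"); printf "%s ", a[1] }'
}

# owner_of PORT LISTENERS -> "process(pid)" of the socket bound to PORT,
# or NONE when nothing on this host is listening there.
owner_of() {
    printf '%s\n' "$2" | awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, a, ":")            # last field after ":" is the port
            if (a[n] == port && match($0, /"[^"]+",pid=[0-9]+/)) {
                s = substr($0, RSTART, RLENGTH)
                gsub(/"/, "", s); sub(/,pid=/, "(", s)
                print s ")"; found = 1; exit
            }
        }
        END { if (!found) print "NONE" }'
}

# triage REPORT LISTENERS -> one "PORT owner" line per open port, then a
# count of filtered ports, which have no listener by definition.
triage() {
    report=$1; listeners=$2
    for p in $(ports_in_state "$report" open); do
        printf '%s %s\n' "$p" "$(owner_of "$p" "$listeners")"
    done
    set -- $(ports_in_state "$report" filtered)
    printf 'filtered(no-listener) %s\n' "$#"
}

# Live version for your own machine (needs nmap and ss; run as root so
# ss can show the owning process of every socket). Not run by the sample.
live_triage() {
    triage "$(nmap 127.0.0.1)" "$(ss -tlnp)"
}

triage "$NMAP_REPORT" "$LISTENERS"
```

An open port whose owner comes back as NONE is the one to investigate: something answered the scan, yet no listening socket on the host claims it (or `ss` was run without the privileges needed to see the process). The filtered count is not a list of hidden services; it is the set of probes that simply got no reply.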

In your case this nmap scan is scanning your own localhost, which is 127.0.0.1. Due to this, all the ports which are open are shown on the scan.

This may happen when the device you have scanned most probably has a honeypot installed on it.

A honeypot is computer software that is set up to act as a decoy to lure cyberattackers. It is used to detect, and to study, the nature of a hacker's attempts to access information. Enabling honeypots shows a large number of ports open when scanned remotely, which in turn confuses attackers. Generally, it consists of a computer, applications, and data that simulate the behaviour of a real system that appears to be part of a network but is actually isolated and closely monitored.

Here is another example of a server with a honeypot installed: (screenshot not reproduced)

You can learn more about honeypots here: http://www.sans.edu/research/security-laboratory/article/honeypots-guide

Prabesh Thapa
  • Thank you. I still haven't figured this one out. I built the server from a standard apache2 configuration. It isn't set up with a honeypot. The phenomenon was transient and hasn't occurred since. I will certainly investigate honeypot techniques though. Thanks again. – xeuari Aug 25 '16 at 18:48
  • Having a honeypot provides a fake playground for the hacker, and helps you to study his/her behaviour. A honeypot is good. Regarding this, if I find something I will surely tell you. – Prabesh Thapa Aug 26 '16 at 00:58
  • Wouldn't OP know if they had installed a honeypot? This seems unlikely, and the services look fairly legitimate. – multithr3at3d Mar 08 '18 at 00:44