Solved

Why don't some ports identified by Nexpose security scan appear in netstat

Posted on 2014-07-29
9
385 Views
Last Modified: 2014-08-04
I ran a Nexpose security scan against a VMware linux appliance. (vmware data protection)
ports 443 came back with 3 severe vulnerabilities, and port 22 with one.

I putty'd to the appliance, logged in as root, and ran

netstat -ap

Long list of open ports came back, but not ports 443 and 22
Ran Nexpose again and it still listed ports 443 and 22 vulnerabilities

The 443 vulnerabilities related to TLS/SSL ciphers and certificates, and openssl
port 22 was related to SSH.  Openssl and certificates are installed on the appliance so it appears to be correct.

Why don't these ports 22 and 443 appear in netstat?
0
Comment
Question by:dakota5
  • 7
  • 2
9 Comments
 
LVL 5

Expert Comment

by:Pasha Kravtsov
Comment Utility
One of the reasons could be your machine has a rootkit on it and they have hooked certain functions so that the malicious users weren't noticed. Try telnet'ing to port 22 or port 443 and see what happens.
and just double check
netstat -ap | grep 443
netstat -ap | grep 22

Open in new window

do you have a sshd service running? or a webserver such as apache?
0
 

Assisted Solution

by:dakota5
dakota5 earned 0 total points
Comment Utility
I discovered that netstat (at least the version distributed in the VMWare appliance) lists the common ports (443, 22, 80, etc)  only by the service names.

port 443 is only listed as https
port 22 is only listed as ssh.

netstat -apt | grep https
netstat -apt | grep ssh

return the expected ports.
0
 

Author Comment

by:dakota5
Comment Utility
I've requested that this question be closed as follows:

Accepted answer: 0 points for dakota5's comment #a40228281
Assisted answer: 100 points for Pasha Kravtsov's comment #a40227518

for the following reason:

the expert's solution was not actually correct.
0
 

Author Comment

by:dakota5
Comment Utility
Just wanted to soften my comment.  The expert did try, but his comment was not useful in this particular instance.
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 

Author Comment

by:dakota5
Comment Utility
just wanted to soften my comment.  the expert did try, but his comment was not useful in this particular instance.
0
 

Author Comment

by:dakota5
Comment Utility
I've requested that this question be closed as follows:

Accepted answer: 0 points for dakota5's comment #a40228281
Assisted answer: 100 points for Pasha Kravtsov's comment #a40227518

for the following reason:

The experts comment might be useful for other situations, but was not actually the issue in this particular instance.
0
 
LVL 5

Accepted Solution

by:
Pasha Kravtsov earned 500 total points
Comment Utility
You can see what is running on those ports by doing this command:
lsof -i :22
lsof -i :443

Open in new window

0
 

Author Comment

by:dakota5
Comment Utility
The expert's latest contribution is actually the best solution.
0
 

Author Closing Comment

by:dakota5
Comment Utility
my own contribution was first, and is an easy solution as well.
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
linux crontab output 3 36
Issue with VM machine on ESXi 4.1 19 36
VMWare iSCSI Issues 7 47
Go To/Delete Snapshot 10 22
It’s 2016. Password authentication should be dead — or at least close to dying. But, unfortunately, it has not traversed Quagga stage yet. Using password authentication is like laundering hotel guest linens with a washboard — it’s Passé.
HOW TO: Upload an ISO image to a VMware datastore for use with VMware vSphere Hypervisor 6.5 (ESXi 6.5) using the vSphere Host Client, and checking its MD5 checksum signature is correct.  It's a good idea to compare checksums, because many installat…
Advanced tutorial on how to run the esxtop command to capture a batch file in csv format in order to export the file and use it for performance analysis. He demonstrates how to download the file using a vSphere web client (or vSphere client) and exp…
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now