Help with NMAP

I'm seeing a persistent address showing up on my firewall router logs. The address is 10.98.115.9:67, and it is broadcasting to 255.255.255.255. I know that this would typically signal a BOOTP service, such as a BOOTP server announcing itself on the network, but I can't isolate which machine it is. I have only one machine running, and I turned off the standalone wireless router and the switch, but it continues to show up. I ran nmap against it, and it automatically included another, completely different, IP in the scan. It's got me baffled. Here's the output:

Ximian1 FC30-3DA9 # nmap -v -unprivilege - Pn 10.98.115.9

Starting Nmap 6.00 at 2013-04-01 18:03 PDT
Invalid target host specification: -
Initiating Ping Scan at 18:03
Scanning 2 hosts [2 ports/host]
Completed Ping Scan at 18:03, 2.35s elapsed (2 total hosts)
Initiating Parallel DNS resolution of 2 hosts. at 18:03
Completed Parallel DNS resolution of 2 hosts. at 18:03, 0.04s elapsed
Nmap scan report for 10.98.115.9 [host down]
Initiating Connect Scan at 18:03
Scanning Pn (80.68.93.100) [1000 ports]
Discovered open port 587/tcp on 80.68.93.100
Discovered open port 25/tcp on 80.68.93.100
Discovered open port 110/tcp on 80.68.93.100
Discovered open port 22/tcp on 80.68.93.100
Discovered open port 995/tcp on 80.68.93.100
Discovered open port 53/tcp on 80.68.93.100
Discovered open port 21/tcp on 80.68.93.100
Discovered open port 80/tcp on 80.68.93.100
Completed Connect Scan at 18:04, 16.47s elapsed (1000 total ports)
Nmap scan report for Pn (80.68.93.100)
Host is up (0.17s latency).
rDNS record for 80.68.93.100: tedside.pitcairn.net.pn
Not shown: 988 closed ports
PORT    STATE    SERVICE
21/tcp  open     ftp
22/tcp  open     ssh
25/tcp  open     smtp
53/tcp  open     domain
80/tcp  open     http
110/tcp open     pop3
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
587/tcp open     submission
593/tcp filtered http-rpc-epmap
995/tcp open     pop3s

Read data files from: /usr/bin/../share/nmap
Nmap done: 2 IP addresses (1 host up) scanned in 18.90 seconds

Can anyone shed light on this behavior?

PS. it's not a one-off thing, I ran it several times and every time it did the same.
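One way to pin down which device is actually sending those broadcasts, added here as an example and not part of the original thread: capture the DHCP traffic on the wire (for instance `tcpdump -i <iface> -w dhcp.pcap 'udp port 67'`) and read the Ethernet source MAC and the DHCP server-identifier option out of each frame. The MAC belongs to the physical interface that transmitted the frame, so it can be matched against a switch's MAC table or a device's OUI even when the IP address is unfamiliar. (The nmap output above also records what happened to the scan itself: Nmap rejected the lone `-` as a target and resolved `Pn` as a hostname, which is where 80.68.93.100 and the `.pn` reverse record came from.) The script below parses one captured frame down to the BOOTP/DHCP fields; the frame is constructed inline so it runs offline, and the MACs, lease and transaction id in it are assumptions, with only the server address 10.98.115.9:67 and the broadcast destination taken from the post.

```python
"""Parse a captured DHCP/BOOTP frame to identify the sender behind 10.98.115.9:67.

Added example (not from the original thread). It assumes the frame has been
read out of a pcap as raw Ethernet bytes; the sample frame is constructed.
"""
import struct
from typing import Dict

MAGIC_COOKIE = b"\x63\x82\x53\x63"
DHCP_MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                      5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def _parse_options(raw: bytes) -> Dict[int, bytes]:
    """Decode DHCP option TLVs (RFC 2132): 0 is a pad byte, 255 ends the list."""
    options: Dict[int, bytes] = {}
    i = 0
    while i < len(raw):
        code = raw[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        length = raw[i + 1]
        options[code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return options


def parse_dhcp_frame(frame: bytes) -> Dict[str, object]:
    """Walk Ethernet -> IPv4 -> UDP -> BOOTP/DHCP and return the identifying fields."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip_off = 14
    ihl = (frame[ip_off] & 0x0F) * 4          # header length in bytes (options possible)
    if frame[ip_off + 9] != 17:
        raise ValueError("not UDP")
    src_ip, dst_ip = frame[ip_off + 12:ip_off + 16], frame[ip_off + 16:ip_off + 20]
    udp_off = ip_off + ihl
    sport, dport, ulen, _csum = struct.unpack("!HHHH", frame[udp_off:udp_off + 8])
    payload = frame[udp_off + 8:udp_off + ulen]
    # BOOTP fixed header (RFC 951) is 236 bytes; the DHCP magic cookie follows it.
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("UDP payload is not a DHCP message")
    op, _htype, hlen, _hops, xid, _secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    yiaddr, siaddr = payload[16:20], payload[20:24]   # offered address, next-server
    chaddr = payload[28:28 + hlen]                     # client hardware address
    options = _parse_options(payload[240:])
    server_id = options.get(54)                        # option 54: server identifier
    return {
        "src_mac": _mac(src_mac),                      # physical sender of the broadcast
        "dst_mac": _mac(dst_mac),
        "src_ip": _ip(src_ip),
        "dst_ip": _ip(dst_ip),
        "sport": sport,
        "dport": dport,
        "op": "BOOTREPLY" if op == 2 else "BOOTREQUEST",
        "xid": f"0x{xid:08x}",
        "broadcast_flag": bool(flags & 0x8000),
        "yiaddr": _ip(yiaddr),
        "siaddr": _ip(siaddr),
        "chaddr": _mac(chaddr),
        "message_type": DHCP_MESSAGE_TYPES.get(options.get(53, b"\x00")[0], "unknown"),
        "server_id": _ip(server_id) if server_id else None,
    }


def build_sample_offer() -> bytes:
    """Constructed DHCPOFFER from 10.98.115.9:67 to 255.255.255.255:68 (assumed MACs/lease)."""
    server_mac = bytes.fromhex("001122334455")       # assumption: sender's hardware address
    client_mac = bytes.fromhex("66778899aabb")       # assumption: client being offered a lease
    server_ip = bytes([10, 98, 115, 9])
    offered_ip = bytes([10, 98, 115, 50])            # assumption: offered lease
    bootp = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x3903F326, 0, 0x8000)  # BOOTREPLY, broadcast flag
    bootp += bytes(4) + offered_ip + server_ip + bytes(4)               # ciaddr, yiaddr, siaddr, giaddr
    bootp += client_mac.ljust(16, b"\x00") + bytes(64) + bytes(128)     # chaddr, sname, file
    options = (b"\x35\x01\x02"                                          # 53: OFFER
               + b"\x36\x04" + server_ip                                # 54: server identifier
               + b"\x33\x04" + struct.pack("!I", 86400)                 # 51: lease time
               + b"\x01\x04" + bytes([255, 255, 255, 0])                # 1: subnet mask
               + b"\xff")
    payload = bootp + MAGIC_COOKIE + options
    udp = struct.pack("!HHHH", 67, 68, 8 + len(payload), 0) + payload
    # IP checksum left at 0: the parser above does not verify it.
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64, 17, 0,
                         server_ip, bytes([255] * 4))
    return bytes([0xFF] * 6) + server_mac + b"\x08\x00" + ip_hdr + udp


if __name__ == "__main__":
    for key, value in parse_dhcp_frame(build_sample_offer()).items():
        print(f"{key:15} {value}")
```

The field to act on is `src_mac`: look its OUI up, or search for it in the switch's MAC address table, to find the port and hence the physical box that keeps sending. If the server identifier in option 54 differs from the IP source, that is itself a sign of a relay or a misconfigured host worth a closer look.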

Have you checked lsof -i to see which application might be using this address?

Thanks for the suggestion. I ran it but didn't see anything running at that address. Here's the output:

Ximian1 neo # lsof -i
COMMAND     PID   USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
sshd        996   root    3u  IPv4     9497      0t0  TCP *:ssh (LISTEN)
sshd        996   root    4u  IPv6     9499      0t0  TCP *:ssh (LISTEN)
smbd       1024   root   27u  IPv6     9589      0t0  TCP *:microsoft-ds (LISTEN)
smbd       1024   root   28u  IPv6     9590      0t0  TCP *:netbios-ssn (LISTEN)
smbd       1024   root   29u  IPv4     9591      0t0  TCP *:microsoft-ds (LISTEN)
smbd       1024   root   30u  IPv4     9592      0t0  TCP *:netbios-ssn (LISTEN)
cupsd      1087   root   10u  IPv6     8909      0t0  TCP ip6-localhost:ipp (LISTEN)
cupsd      1087   root   11u  IPv4     8910      0t0  TCP localhost:ipp (LISTEN)
avahi-dae  1093  avahi   13u  IPv4     9565      0t0  UDP *:mdns 
avahi-dae  1093  avahi   14u  IPv6     9566      0t0  UDP *:mdns 
avahi-dae  1093  avahi   15u  IPv4     9567      0t0  UDP *:54012 
avahi-dae  1093  avahi   16u  IPv6     9568      0t0  UDP *:52840 
dhclient   1133   root    6u  IPv4     9749      0t0  UDP *:bootpc 
dhclient   1133   root   20u  IPv4     9729      0t0  UDP *:48744 
dhclient   1133   root   21u  IPv6     9730      0t0  UDP *:6551 
dnsmasq    1166 nobody    4u  IPv4     9820      0t0  UDP Ximian1:domain 
dnsmasq    1166 nobody    5u  IPv4     9821      0t0  TCP Ximian1:domain (LISTEN)
nmbd       1468   root    9u  IPv4     9143      0t0  UDP *:netbios-ns 
nmbd       1468   root   10u  IPv4     9144      0t0  UDP *:netbios-dgm 
nmbd       1468   root   11u  IPv4     9146      0t0  UDP Ximian1.local:netbios-ns 
nmbd       1468   root   12u  IPv4     9147      0t0  UDP 10.0.0.255:netbios-ns 
nmbd       1468   root   13u  IPv4     9148      0t0  UDP Ximian1.local:netbios-dgm 
nmbd       1468   root   14u  IPv4     9149      0t0  UDP 10.0.0.255:netbios-dgm 
ntop       1688   ntop    1u  IPv4    10756      0t0  TCP *:3000 (LISTEN)
master     1805   root   12u  IPv4    10900      0t0  TCP localhost:smtp (LISTEN)
master     1805   root   13u  IPv6    10901      0t0  TCP ip6-localhost:smtp (LISTEN)
miniserv.  2007   root    6u  IPv4    11530      0t0  TCP *:9000 (LISTEN)
miniserv.  2007   root    7u  IPv4    11531      0t0  UDP *:10000 
firefox    7146    neo  108u  IPv4 32031929      0t0  TCP Ximian1.local:46317->nuq04s08-in-f25.1e100.net:https (ESTABLISHED)
firefox    7146    neo  129u  IPv4    62573      0t0  TCP Ximian1.local:55370->nuq04s07-in-f21.1e100.net:https (ESTABLISHED)
firefox    7146    neo  196u  IPv4 32030638      0t0  TCP Ximian1.local:54106->ec2-184-73-124-237.compute-1.amazonaws.com:http (ESTABLISHED)
vsftpd    13225   root    3u  IPv4 32237311      0t0  TCP *:ftp (LISTEN)

Some service/application must be responsible for the connection. Try to stop the services (I would start with smbd/nmbd) one by one and check again...
