Does this look normal to anyone? I don’t think so, but I thought I’d ask. It’s the nmap output for our company’s domain name, www.raellic.com which is on a static IP.
[quote]
Last login: Mon Feb 11 05:12:25 on ttys000
Andrews-iMac:~ wattersa$ nmap www.raellic.com
Starting Nmap 6.25 ( http://nmap.org ) at 2013-02-11 05:18 PST
Nmap scan report for www.raellic.com (173.236.255.68)
Host is up (0.034s latency).
rDNS record for 173.236.255.68: raellic.com
Not shown: 517 filtered ports, 478 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
5269/tcp open xmpp-server
8080/tcp open http-proxy
Nmap done: 1 IP address (1 host up) scanned in 15.14 seconds
Andrews-iMac:~ wattersa$
[/quote]
That’s from my (director of co.) workstation. We never opened a Jabber port (no. 5269 – xmpp-server) and there’s no reason it should be running an HTTP proxy on 8080. And of course, 517 filtered ports should be closed, not filtered.
From the server itself after ssh’ing into it, it’s even stranger:
[quote]
[ps34605]$ nmap www.raellic.com
Starting Nmap 5.21 ( http://nmap.org ) at 2013-02-11 05:21 PST
Nmap scan report for www.raellic.com (173.236.255.68)
Host is up (0.00072s latency).
rDNS record for 173.236.255.68: raellic.com
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
443/tcp open https
5269/tcp open unknown
5666/tcp filtered nrpe
Nmap done: 1 IP address (1 host up) scanned in 1.39 seconds
[ps34605]$ nmap 127.0.0.1
Starting Nmap 5.21 ( http://nmap.org ) at 2013-02-11 05:21 PST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00074s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
111/tcp open rpcbind
587/tcp open submission
5269/tcp open unknown
5555/tcp open freeciv
5666/tcp filtered nrpe
Nmap done: 1 IP address (1 host up) scanned in 1.37 seconds
[ps34605]$
[/quote]
WTF. Granted, these are different versions of nmap, but they seem to show the same thing. Somehow, our company’s web server is running ports we never opened. The scan of 127.0.0.1 from the server itself is concerning because port 5555 (freeciv) is something I recognize from somewhere else.
Anyone have any insight into these strange scans? What does your own domain scan look like? What does our domain scanned from your system look like?
Dreamhost support is nowhere to be found on this, by the way. Otherwise we’re happy with the service and I personally have been a longtime customer.
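A way to make the three scans above easier to reason about is to parse them and bucket each open port by which vantage points saw it, since the disagreement between the outside view, the server's view of its own public name, and 127.0.0.1 is itself the information. The script below is an added example written for this thread, not code from the poster or from Nmap; the inputs are the port tables quoted in the post (trimmed to the lines the parser reads, and tolerant of the single spaces the forum collapsed Nmap's columns into), and the bucket names and the interpretation attached to each one are this example's own heuristics, not anything Nmap reports.

```python
import re

# Constructed inputs: the three port tables quoted in the post, reduced to the
# lines the parser needs (Nmap 5/6 "normal output" format).
SCAN_EXTERNAL = """\
Nmap scan report for www.raellic.com (173.236.255.68)
Host is up (0.034s latency).
Not shown: 517 filtered ports, 478 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
5269/tcp open xmpp-server
8080/tcp open http-proxy
"""

SCAN_SERVER_PUBLIC = """\
Nmap scan report for www.raellic.com (173.236.255.68)
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
443/tcp open https
5269/tcp open unknown
5666/tcp filtered nrpe
"""

SCAN_SERVER_LOOPBACK = """\
Nmap scan report for localhost (127.0.0.1)
Not shown: 993 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
111/tcp open rpcbind
587/tcp open submission
5269/tcp open unknown
5555/tcp open freeciv
5666/tcp filtered nrpe
"""

# One port-table row: "<port>/<proto>  <state>  <service>" (any amount of whitespace).
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|closed|filtered|open\|filtered)\s+(\S+)")
# Pieces of the "Not shown: N filtered ports, M closed ports" summary line.
NOT_SHOWN = re.compile(r"(\d+) (filtered|closed|open\|filtered) ports")


def parse_nmap(text):
    """Map 'port/proto' -> (state, service) for every row of the port table."""
    ports = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, service = m.groups()
            ports[f"{port}/{proto}"] = (state, service)
    return ports


def not_shown(text):
    """Counts from the 'Not shown:' line, e.g. {'filtered': 517, 'closed': 478}.
    A large 'filtered' count from outside but none from the host points at
    filtering on the path (provider or host firewall), not at the services."""
    m = re.search(r"Not shown: (.*)", text)
    return {state: int(n) for n, state in NOT_SHOWN.findall(m.group(1))} if m else {}


def open_ports(ports):
    return {p for p, (state, _) in ports.items() if state == "open"}


def _by_port(names):
    return sorted(names, key=lambda p: int(p.split("/")[0]))


def compare_vantage_points(external, server_public, loopback):
    """Bucket open ports by where they were seen (bucket names are this
    example's heuristics, not Nmap terminology)."""
    ext = open_ports(parse_nmap(external))
    pub = open_ports(parse_nmap(server_public))
    loop = open_ports(parse_nmap(loopback))
    return {
        # open from all three vantage points: really listening, really exposed
        "everywhere": _by_port(ext & pub & loop),
        # answered only to the outside: not a listener on this host, so look at
        # what sits in front of it (provider proxy, NAT, shared front end)
        "external_only": _by_port(ext - pub - loop),
        # open on the public name from the server's own network but not from
        # outside: something between the host and the internet filters it
        "internal_only": _by_port(pub - ext),
        # only on 127.0.0.1: bound to loopback and not exposed, but still worth
        # matching to a process (ss -ltnp / netstat -tlnp) when unexpected
        "loopback_only": _by_port(loop - pub - ext),
        # open on the public address yet absent on loopback: the public IP is
        # not necessarily served by the machine you are logged in to
        "public_not_loopback": _by_port(pub - loop),
    }


if __name__ == "__main__":
    print("external scan not shown:", not_shown(SCAN_EXTERNAL))
    for bucket, ports in compare_vantage_points(
        SCAN_EXTERNAL, SCAN_SERVER_PUBLIC, SCAN_SERVER_LOOPBACK
    ).items():
        print(f"{bucket:22s} {', '.join(ports) or '-'}")
```

Run as-is it puts 8080/tcp alone in "external_only", 111/tcp in "internal_only", 25, 587 and 5555 in "loopback_only", and 80 and 443 in "public_not_loopback"; the last bucket is the one to check first, because if the web ports are not listening on the box you are shelled into, the 127.0.0.1 scan is describing a different machine than the external scan is, and the two sets of surprises need to be chased separately.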