Strange Nmap output from domain


#1

Does this look normal to anyone? I don’t think so, but I thought I’d ask. It’s the nmap output for our company’s domain name, www.raellic.com, which is on a static IP.

[quote]
Last login: Mon Feb 11 05:12:25 on ttys000
Andrews-iMac:~ wattersa$ nmap www.raellic.com

Starting Nmap 6.25 ( http://nmap.org ) at 2013-02-11 05:18 PST
Nmap scan report for www.raellic.com (173.236.255.68)
Host is up (0.034s latency).
rDNS record for 173.236.255.68: raellic.com
Not shown: 517 filtered ports, 478 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
5269/tcp open xmpp-server
8080/tcp open http-proxy

Nmap done: 1 IP address (1 host up) scanned in 15.14 seconds
Andrews-iMac:~ wattersa$[/quote]

That’s from my (director of co.) workstation. We never opened a Jabber port (no. 5269 – xmpp-server) and there’s no reason it should be running an HTTP proxy on 8080. And of course, 517 filtered ports should be closed, not filtered.

From the server itself after ssh’ing into it, it’s even stranger:

[quote]
[ps34605]$ nmap www.raellic.com

Starting Nmap 5.21 ( http://nmap.org ) at 2013-02-11 05:21 PST
Nmap scan report for www.raellic.com (173.236.255.68)
Host is up (0.00072s latency).
rDNS record for 173.236.255.68: raellic.com
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
443/tcp open https
5269/tcp open unknown
5666/tcp filtered nrpe

Nmap done: 1 IP address (1 host up) scanned in 1.39 seconds
[ps34605]$ nmap 127.0.0.1

Starting Nmap 5.21 ( http://nmap.org ) at 2013-02-11 05:21 PST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00074s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
111/tcp open rpcbind
587/tcp open submission
5269/tcp open unknown
5555/tcp open freeciv
5666/tcp filtered nrpe

Nmap done: 1 IP address (1 host up) scanned in 1.37 seconds
[ps34605]$[/quote]

WTF. Granted, these are different versions of nmap, but they seem to show the same thing. Somehow, our company’s web server is running ports we never opened. The scan of 127.0.0.1 from the server itself is concerning because port 5555 (freeciv) is something I recognize from somewhere else.

Anyone have any insight into these strange scans? What does your own domain scan look like? What does our domain scanned from your system look like?

Dreamhost support is nowhere to be found on this, by the way. Otherwise we’re happy with the service and I personally have been a longtime customer.


#2

I just took a look at your VPS, and here’s what I determined:

[list]
[*] Port 5269 is, indeed, an XMPP (Jabber) server. Let Support know if you aren’t using this and want it to be turned off.
[*] Port 8080 wasn’t open when I looked.
[*] I’m not sure what led to the “517 filtered ports” you saw. Some of them are definitely filtered by our firewalls, but I don’t think that many are.
[*] Ports 5555 through 5559 are used internally by Jabber. They didn’t show up on your first scan because they’re only open on 127.0.0.1 (and, thus, not exposed to the outside world).
[*] Port 5666 is used by some of our internal monitoring software (Nagios). It is also not exposed to the outside world.
[/list]
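
The three scans in this thread compared side by side, as an added example that is not part of any post: the Python below parses the port tables copied from the scans above and groups the open ports by the vantage point they were seen from. The function names and category labels are assumptions made for this illustration.

```python
import re

# Port tables copied from the three scans quoted in the thread.
EXTERNAL = """
22/tcp open ssh
80/tcp open http
443/tcp open https
5269/tcp open xmpp-server
8080/tcp open http-proxy
"""
ON_HOST_PUBLIC_IP = """
22/tcp open ssh
80/tcp open http
111/tcp open rpcbind
443/tcp open https
5269/tcp open unknown
5666/tcp filtered nrpe
"""
ON_HOST_LOOPBACK = """
22/tcp open ssh
25/tcp open smtp
111/tcp open rpcbind
587/tcp open submission
5269/tcp open unknown
5555/tcp open freeciv
5666/tcp filtered nrpe
"""

PORT_LINE = re.compile(r"^\s*(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.M)

def open_ports(nmap_text):
    """Ports that nmap's normal output reports as 'open' (filtered/closed are skipped)."""
    return {int(m.group(1)) for m in PORT_LINE.finditer(nmap_text) if m.group(3) == "open"}

def classify(external, host_public, host_loopback):
    """Group open ports by the vantage points they were seen from (labels are illustrative)."""
    ext, pub, lo = (open_ports(t) for t in (external, host_public, host_loopback))
    return {
        "exposed": sorted(ext & (pub | lo)),       # open from outside and confirmed on the host
        "external_only": sorted(ext - pub - lo),   # seen only from outside: rescan, check the path
        "host_only_public_ip": sorted(pub - ext),  # open on the public IP, not seen open from outside
        "loopback_only": sorted(lo - pub - ext),   # listening on 127.0.0.1 only
    }

if __name__ == "__main__":
    for label, ports in classify(EXTERNAL, ON_HOST_PUBLIC_IP, ON_HOST_LOOPBACK).items():
        print(f"{label:20} {ports}")
```

On the host itself, `ss -ltn` or `netstat -ltn` shows the local address each listener is bound to, which confirms the loopback-only group directly.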


#3

Thanks, that’s helpful.

Support has several open inquiries from me over the last month. My latest one is a doozie if you want to check it out.