Have I been hacked or is nmap wrong?
Kilian Hagemann
hagemann1 at egs.uct.ac.za
Tue Jan 17 09:07:12 PST 2006
Hi there,
I'm managing two FreeBSD based gateways, one running 5.2.1-RELEASE and the
other 5.3-STABLE, both not having been updated since I installed from ISO
images. They both have custom ipfw firewalls that are dropping pretty much
everything that's not supposed to come in.
All was fine and dandy until one day I noticed that when I nmap'ed them from
the outside, the one shows
(The 1663 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
80/tcp open http
554/tcp open rtsp
1755/tcp open wms
5190/tcp open aol
and the other the same without the http bit. When I nmap them from the only
address that they allow ssh&rsync access from (my public IP at work), nmap
says that ftp, smtp and irc(port 6668) are open.
Even though I have sendmail_enable="none" in my rc.conf I still get some
sendmail entries in my syslog so that might explain the open smtp port, but
the others are DEFINITELY NOT supposed to be open.
I haven't noticed anything different on the servers themselves and neither can
I detect these open ports on the machine itself (using lsof -i :1-65535 or
netstat). I also haven't noticed any abnormal traffic volumes originating
from them.
So, have I been hacked and rootkitted? Or is nmap simply lying to me?
I've been subscribed to freebsd-announce and thus seen all SA's to date, but
none of them are relevant to any of my setups.
--
Kilian Hagemann
Climate Systems Analysis Group
University of Cape Town
Republic of South Africa
Tel(w): ++27 21 650 2748
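The first check a defender would run for the situation in this post is to line up what nmap reports from outside against what the gateway itself has bound: a port that is "open" externally but has no local listener is being answered by something on the path, not by a process on the host. The script below is an added example and not part of the original thread; the nmap and FreeBSD `sockstat -4 -l` outputs it parses are constructed samples (the sockstat listeners are assumed, not taken from the post).

```python
import re

# Constructed sample of nmap normal output, modelled on the post (not a real scan).
NMAP_OUTPUT = """\
(The 1663 ports scanned but not shown below are in state: filtered)
PORT     STATE SERVICE
80/tcp   open  http
554/tcp  open  rtsp
1755/tcp open  wms
5190/tcp open  aol
"""

# Constructed sample of `sockstat -4 -l` run on the gateway itself (assumed listeners).
SOCKSTAT_OUTPUT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       523   3  tcp4   *:22                  *:*
root     sendmail   600   4  tcp4   127.0.0.1:25          *:*
root     syslogd    410   5  udp4   *:514                 *:*
"""

NMAP_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\b")
SOCK_LINE = re.compile(r"^\S+\s+\S+\s+\d+\s+\d+\s+(tcp|udp)[46]\s+(\S+):(\d+)\s")


def nmap_open_ports(text):
    """Return {(port, proto)} that nmap normal output lists as open."""
    ports = set()
    for line in text.splitlines():
        m = NMAP_LINE.match(line)
        if m:
            ports.add((int(m.group(1)), m.group(2)))
    return ports


def local_listeners(text):
    """Return {(port, proto)} bound on a non-loopback address per sockstat -l."""
    ports = set()
    for line in text.splitlines():
        m = SOCK_LINE.match(line)
        # A loopback-only bind (e.g. sendmail on 127.0.0.1:25) is unreachable from outside.
        if m and not m.group(2).startswith("127."):
            ports.add((int(m.group(3)), m.group(1)))
    return ports


def phantom_ports(nmap_text, sockstat_text):
    """Ports open from outside with no matching local listener: investigate the path."""
    return sorted(nmap_open_ports(nmap_text) - local_listeners(sockstat_text))
```

Run it with the real outputs of an external scan and of `sockstat -4 -l` (or `netstat -an`) captured on the gateway; a non-empty result is the list of ports to trace upstream rather than on the host.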