Have I been hacked or is nmap wrong?
Ken Stevenson
ken at abbott.allenmyland.com
Tue Jan 17 09:48:41 PST 2006
On Tue, Jan 17, 2006 at 07:07:17PM +0200, Kilian Hagemann wrote:
> Hi there,
>
> I'm managing two FreeBSD based gateways, one running 5.2.1-RELEASE and the
> other 5.3-STABLE, both not having been updated since I installed from ISO
> images. They both have custom ipfw firewalls that are dropping pretty much
> everything that's not supposed to come in.
>
> All was fine and dandy until one day I noticed that when I nmap'ed them from
> the outside, the one shows
>
> The 1663 ports scanned but not shown below are in state: filtered)
> PORT STATE SERVICE
> 80/tcp open http
> 554/tcp open rtsp
> 1755/tcp open wms
> 5190/tcp open aol
>
> and the other the same without the http bit. When I nmap them from the only
> address that they allow ssh&rsync access from (my public IP at work), nmap
> says that ftp, smtp and irc(port 6668) are open.
>
> Even though I have sendmail_enable="none" in my rc.conf I still get some
> sendmail entries in my syslog so that might explain the open smtp port, but
> the others are DEFINITELY NOT supposed to be open.
>
> I haven't noticed anything different on the servers themselves and neither can
> I detect these open ports on the machine itself (using lsof -i :1-65535 or
> netstat). I also haven't noticed any abnormal traffic volumes originating
> from them.
>
> So, have I been hacked and rootkitted? Or is nmap simply lying to me?
>
> I've been subscribed to freebsd-announce and thus seen all SA's to date, but
> none of them are relevant to any of my setups.
>
Run sockstat -4l and see what commands are listening on the ports in
question.
--
Ken Stevenson
Allen-Myland Inc.
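Ken's suggested check, turned into a script (added example, not code from the thread): it parses `sockstat -4l` output and reports, for each port the external nmap run called open, whether any process on the host actually has it bound. The sockstat lines are constructed sample data, and `NMAP_OPEN` holds the ports from the first scan quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check ports that an external
# nmap run reports as open against what sockstat -4l shows listening on
# the host. The sockstat output below is constructed, not a real capture.

SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       312   3  tcp4   *:22                  *:*
root     sendmail   401   4  tcp4   127.0.0.1:25          *:*
www      httpd      520   3  tcp4   192.0.2.10:80         *:*
root     syslogd    118   4  udp4   *:514                 *:*'

# Ports nmap reported open from outside (from the thread: 80, 554, 1755, 5190).
NMAP_OPEN="80 554 1755 5190"

# listening_tcp_ports: print "port command local_address" for every tcp4
# listener in sockstat output read from stdin. The port is whatever follows
# the last ':' in the LOCAL ADDRESS column (handles "*:22" and "127.0.0.1:25").
listening_tcp_ports() {
    awk 'NR > 1 && $5 == "tcp4" {
        n = split($6, a, ":"); print a[n], $2, $6
    }'
}

# check_ports: for each nmap-open port print either
#   "<port> listening <command> <addr>"   (a local process owns it), or
#   "<port> no-local-listener"            (nothing on the host has it bound)
# Reads sockstat output from stdin so it can be fed a live `sockstat -4l`.
check_ports() {
    listeners=$(listening_tcp_ports)
    for p in $NMAP_OPEN; do
        match=$(printf '%s\n' "$listeners" | awk -v p="$p" '$1 == p { print $2, $3; exit }')
        if [ -n "$match" ]; then
            echo "$p listening $match"
        else
            echo "$p no-local-listener"
        fi
    done
}

# unexplained_ports: only the ports with no local listener, space-separated.
unexplained_ports() {
    check_ports | awk '$2 == "no-local-listener" { printf "%s ", $1 }' | sed 's/ $//'
}

# Run against the constructed sample; on a real gateway use:
#   sockstat -4l | check_ports
printf '%s\n' "$SAMPLE_SOCKSTAT" | check_ports
```

A port flagged with no local listener points either to something on the network path answering on the host's behalf or to a listener hidden from the host's own tools; a packet capture on the external interface (tcpdump) distinguishes the two.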