Have I been hacked or is nmap wrong?
Kilian Hagemann
hagemann1 at egs.uct.ac.za
Wed Jan 18 01:29:57 PST 2006
On Tuesday 17 January 2006 19:27, Micheal Patterson pondered:
> > (The 1663 ports scanned but not shown below are in state: filtered)
> > PORT     STATE SERVICE
> > 80/tcp   open  http
> > 554/tcp  open  rtsp
> > 1755/tcp open  wms
> > 5190/tcp open  aol
>
> Kilian, what does a sockstat show you on those systems and are there any
> nats on either of these systems that would have a redirect_address to
> something behind them?
sockstat -4l only shows up the processes serving the LAN (dnsmasq, samba) as
well as sshd:
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     smbd       484   18 tcp4   192.168.133.1:445     *:*
root     smbd       484   19 tcp4   192.168.133.1:139     *:*
root     nmbd       480   6  udp4   *:137                 *:*
root     nmbd       480   7  udp4   *:138                 *:*
root     nmbd       480   8  udp4   192.168.133.1:137     *:*
root     nmbd       480   9  udp4   192.168.133.1:138     *:*
nobody   dnsmasq    458   1  udp4   *:56212               *:*
nobody   dnsmasq    458   3  udp4   *:53                  *:*
nobody   dnsmasq    458   4  tcp4   *:53                  *:*
nobody   dnsmasq    458   5  udp4   *:67                  *:*
root     sshd       432   3  tcp4   *:22                  *:*
root     syslogd    311   4  udp4   *:514                 *:*
So nothing suspect at all here. Yes, the systems are natted (with the above system's
LAN on 192.168.133.0/24), using ppp -nat. I have no specific redirects set
up, and only an "allow tcp/udp from LAN to WAN/any setup keep-state" dynamic
rule, but that should be unrelated.
If my server is not compromised, how the heck could an http/rtsp/wms/aol
redirect sneak in there without me explicitly enabling it?
--
Kilian Hagemann
Climate Systems Analysis Group
University of Cape Town
Republic of South Africa
Tel(w): ++27 21 650 2748
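The check Micheal asked for, reconciling what nmap saw from outside against what sockstat says is actually listening, can be scripted. The block below is an added example and is not code from the thread or from FreeBSD; it embeds the nmap and sockstat output quoted above as constructed sample input, and since the thread never gives the WAN address that was scanned, a labelled placeholder stands in for it. A port nmap reports open is counted as explained only when a local socket is bound to the wildcard address or to the scanned address itself; a socket bound to the LAN-only address 192.168.133.1 cannot be what an outside scan reached. Whatever is left over is exactly the set of ports that needs an explanation (a redirect or something upstream of the host).

```python
import re
from typing import Dict, List, Set

# Constructed sample input, copied from the thread. The address nmap was run
# against is not given there, so a labelled placeholder stands in for it
# (assumption: the host's WAN address, not its 192.168.133.1 LAN address).
SCANNED_ADDRESS = "WAN_ADDRESS_PLACEHOLDER"

NMAP_OUTPUT = """\
(The 1663 ports scanned but not shown below are in state: filtered)
PORT     STATE SERVICE
80/tcp   open  http
554/tcp  open  rtsp
1755/tcp open  wms
5190/tcp open  aol
"""

SOCKSTAT_OUTPUT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     smbd       484   18 tcp4   192.168.133.1:445     *:*
root     smbd       484   19 tcp4   192.168.133.1:139     *:*
root     nmbd       480   6  udp4   *:137                 *:*
root     nmbd       480   7  udp4   *:138                 *:*
root     nmbd       480   8  udp4   192.168.133.1:137     *:*
root     nmbd       480   9  udp4   192.168.133.1:138     *:*
nobody   dnsmasq    458   1  udp4   *:56212               *:*
nobody   dnsmasq    458   3  udp4   *:53                  *:*
nobody   dnsmasq    458   4  tcp4   *:53                  *:*
nobody   dnsmasq    458   5  udp4   *:67                  *:*
root     sshd       432   3  tcp4   *:22                  *:*
root     syslogd    311   4  udp4   *:514                 *:*
"""


def parse_nmap_open_tcp(text: str) -> Set[int]:
    """Collect the TCP ports that nmap's port table reports as open."""
    open_ports: Set[int] = set()
    for line in text.splitlines():
        m = re.match(r"^(\d+)/tcp\s+open\b", line)
        if m:
            open_ports.add(int(m.group(1)))
    return open_ports


def parse_sockstat_tcp_listeners(text: str) -> Dict[int, List[str]]:
    """Map each tcp4 listening port to the 'address (command)' sockets bound on it."""
    listeners: Dict[int, List[str]] = {}
    for line in text.splitlines():
        fields = line.split()
        # The header line and UDP sockets are skipped: a TCP scan cannot hit them.
        if len(fields) < 7 or fields[4] != "tcp4":
            continue
        command, local = fields[1], fields[5]
        addr, _, port = local.rpartition(":")
        if not port.isdigit():
            continue
        listeners.setdefault(int(port), []).append(f"{addr} ({command})")
    return listeners


def reconcile(nmap_open: Set[int], listeners: Dict[int, List[str]],
              scanned_addr: str) -> Dict[str, Set[int]]:
    """Split ports into those local listeners account for and those they do not."""
    def reachable(port: int) -> bool:
        # Only a wildcard binding or a binding on the scanned address can be
        # what the scanner talked to; a LAN-only binding does not count.
        return any(desc.split(" ")[0] in ("*", scanned_addr)
                   for desc in listeners.get(port, []))

    explained = {p for p in nmap_open if reachable(p)}
    return {
        "explained": explained,
        "unexplained": nmap_open - explained,
        # Reachable listeners nmap did not see open: consistent with a
        # firewall dropping the probes ("filtered" in nmap's terms).
        "listening_but_not_open": {p for p in listeners if reachable(p)} - nmap_open,
    }


def report(scanned_addr: str = SCANNED_ADDRESS) -> Dict[str, Set[int]]:
    listeners = parse_sockstat_tcp_listeners(SOCKSTAT_OUTPUT)
    result = reconcile(parse_nmap_open_tcp(NMAP_OUTPUT), listeners, scanned_addr)
    print("open and served by a local listener  :", sorted(result["explained"]))
    print("open with NO local listener (explain):", sorted(result["unexplained"]))
    for p in sorted(result["listening_but_not_open"]):
        print(f"listening but not open to the scan   : {p} {listeners[p]}")
    return result


if __name__ == "__main__":
    report()
```

On the thread's data the script leaves all four nmap ports (80, 554, 1755, 5190) in the unexplained set and puts the wildcard listeners on 22 and 53 in the listening-but-not-open set, which matches the picture Kilian describes: nothing on the box serves those ports, and the firewall is hiding the services that do exist. Running the same two commands after any config change and diffing the unexplained set is a cheap way to notice the moment a redirect appears.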