Have I been hacked or is nmap wrong?

Kilian Hagemann hagemann1 at egs.uct.ac.za
Wed Jan 18 01:29:57 PST 2006


On Tuesday 17 January 2006 19:27, Micheal Patterson pondered:
> > The 1663 ports scanned but not shown below are in state: filtered)
> > PORT     STATE SERVICE
> > 80/tcp   open  http
> > 554/tcp  open  rtsp
> > 1755/tcp open  wms
> > 5190/tcp open  aol
>
> Kilian, what does a sockstat show you on those systems and are there any
> nats on either of these systems that would have a redirect_address to
> something behind them?

sockstat -4l only shows up the processes serving the LAN (dnsmasq, samba) as 
well as sshd:
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     smbd       484   18 tcp4   192.168.133.1:445     *:*
root     smbd       484   19 tcp4   192.168.133.1:139     *:*
root     nmbd       480   6  udp4   *:137                 *:*
root     nmbd       480   7  udp4   *:138                 *:*
root     nmbd       480   8  udp4   192.168.133.1:137     *:*
root     nmbd       480   9  udp4   192.168.133.1:138     *:*
nobody   dnsmasq    458   1  udp4   *:56212               *:*
nobody   dnsmasq    458   3  udp4   *:53                  *:*
nobody   dnsmasq    458   4  tcp4   *:53                  *:*
nobody   dnsmasq    458   5  udp4   *:67                  *:*
root     sshd       432   3  tcp4   *:22                  *:*
root     syslogd    311   4  udp4   *:514                 *:*

So nothing suspect at all here. Yes, the systems are natted (with the above system's 
LAN on 192.168.133.0/24), using ppp -nat. I have no specific redirects set 
up, and only an "allow tcp/udp from LAN to WAN/any setup keep-state" dynamic 
rule, but that should be unrelated.

If my server is not compromised, how the heck could an http/rtsp/wms/aol 
redirect sneak in there without me explicitly enabling it?

-- 
Kilian Hagemann

Climate Systems Analysis Group
University of Cape Town
Republic of South Africa
Tel(w): ++27 21 650 2748
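The question in this thread is whether the ports nmap reports open on the gateway are backed by anything the gateway itself is running. The script below is an added example, not code from the thread or from FreeBSD: it parses `sockstat -4l` output (the listing from the post, embedded as constructed sample data) together with the TCP ports nmap reported open, and prints the ports that no local listener accounts for. A port in that list is being answered by something other than a local daemon, which is where to look next (NAT or forwarding rules on the box, or a device in the path between the scanner and the host). The function and variable names are this example's own; the optional `scanned_addr` argument covers the case where a daemon is bound to the LAN address only and so cannot be what answered a scan of the WAN address.

```python
"""
Reconcile nmap's view of a host with what the host itself is listening on.

Added example (not from the original thread): parse `sockstat -4l` output
and a set of ports nmap reported open, and report the ports that no local
listener accounts for. The sample data below is constructed from the
thread's own output.
"""

# Constructed sample: the `sockstat -4l` listing from the post.
SOCKSTAT_OUTPUT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     smbd       484   18 tcp4   192.168.133.1:445     *:*
root     smbd       484   19 tcp4   192.168.133.1:139     *:*
root     nmbd       480   6  udp4   *:137                 *:*
root     nmbd       480   7  udp4   *:138                 *:*
root     nmbd       480   8  udp4   192.168.133.1:137     *:*
root     nmbd       480   9  udp4   192.168.133.1:138     *:*
nobody   dnsmasq    458   1  udp4   *:56212               *:*
nobody   dnsmasq    458   3  udp4   *:53                  *:*
nobody   dnsmasq    458   4  tcp4   *:53                  *:*
nobody   dnsmasq    458   5  udp4   *:67                  *:*
root     sshd       432   3  tcp4   *:22                  *:*
root     syslogd    311   4  udp4   *:514                 *:*
"""

# Constructed sample: the TCP ports nmap reported open in the thread.
NMAP_OPEN_TCP = {80: "http", 554: "rtsp", 1755: "wms", 5190: "aol"}


def parse_sockstat(text):
    """Return a list of (proto, addr, port, command), one per listener.

    sockstat columns are whitespace separated and the first line is the
    header, so it is skipped.
    """
    listeners = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        _user, command, _pid, _fd, proto, local = fields[:6]
        addr, _, port = local.rpartition(":")
        if not port.isdigit():
            continue
        listeners.append((proto, addr, int(port), command))
    return listeners


def local_listener_for(listeners, port, proto="tcp", scanned_addr=None):
    """Return the command backing `port`, or None if nothing local listens.

    A wildcard listener (*) answers on any address; a listener bound to a
    specific address only explains a scan of that address (or of an
    unknown address, when scanned_addr is None).
    """
    for l_proto, addr, l_port, command in listeners:
        if l_port != port or not l_proto.startswith(proto):
            continue
        if addr == "*" or scanned_addr is None or addr == scanned_addr:
            return command
    return None


def unexplained_ports(sockstat_text, open_ports, proto="tcp", scanned_addr=None):
    """Ports nmap saw open that no local listener accounts for, sorted."""
    listeners = parse_sockstat(sockstat_text)
    return sorted(p for p in open_ports
                  if local_listener_for(listeners, p, proto, scanned_addr) is None)


if __name__ == "__main__":
    for port in unexplained_ports(SOCKSTAT_OUTPUT, NMAP_OPEN_TCP):
        print(f"{port}/tcp ({NMAP_OPEN_TCP[port]}): open to nmap, no local listener")
```

Run against the thread's own data, all four ports (80, 554, 1755, 5190) come back unexplained, which matches the poster's observation: nothing on the box is listening on them, so the answer to the scan is coming from somewhere else. To use it on a live host, replace the two constructed inputs with the real `sockstat -4l` output and nmap's open-port list, and pass the address that was scanned as `scanned_addr` so LAN-only listeners are not counted as explaining a WAN scan.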

