I have been hacked (WAS: Have I been hacked or is nmap wrong?)
Kilian Hagemann
hagemann1 at egs.uct.ac.za
Wed Jan 18 05:56:29 PST 2006
On Wednesday 18 January 2006 14:34, Ken Stevenson pondered:
> Is there any chance you have a router that's forwarding the ports
> in question to another computer?
Not that I know of. The setup is quite simple:
wireless ethernet(PPPoE) ethernet
ISP<------->Modem<------>FreeBSD gateway<------->LAN
FreeBSD is my router with ppp -ddial -nat and a custom ipfw script that blocks
all incoming connections while allowing legitimate traffic out (with
keep-state rules).
Check this out: ftp <my_server> gives
220 Frox transparent ftp proxy. Login with username[@host[:port]]
Name (...)
I have never even heard of "frox" before, but after some googling it turns out
that it's a GPL'ed transparent ftp proxy...
Also, I said smtp ports were open on the machines in question, I just verified
that I can send emails via BOTH these systems even though no
sendmail/exim/whatever was ever installed by me and sendmail_enable="None" on
both.
My servers have been compromised, fantastic. And that with an initial
firewall'ed setup that left NO open ports (I verified that a while ago with
nmap). So much for my impression that FreeBSD was secure.
How could this have happened? ipfw buffer overflow? Some other unknown
vulnerability?
I really wanna find out how they got in (syslog offers no clues btw, I've been
rootkitted after all :-( Any suggestions other than
format/reinstall/tripwire?
--
Kilian Hagemann
Climate Systems Analysis Group
University of Cape Town
Republic of South Africa
Tel(w): ++27 21 650 2748
More information about the freebsd-questions
mailing list