Have I been hacked or is nmap wrong?

Kilian Hagemann hagemann1 at egs.uct.ac.za
Tue Jan 17 09:07:12 PST 2006

Hi there,

I'm managing two FreeBSD based gateways, one running 5.2.1-RELEASE and the 
other 5.3-STABLE, both not having been updated since I installed from ISO 
images. They both have custom ipfw firewalls that are dropping pretty much 
everything that's not supposed to come in.

All was fine and dandy until one day I noticed that when I nmap'ed them from 
the outside, the one shows

(The 1663 ports scanned but not shown below are in state: filtered)
80/tcp   open  http
554/tcp  open  rtsp
1755/tcp open  wms
5190/tcp open  aol

and the other the same without the http bit. When I nmap them from the only 
address that they allow ssh & rsync access from (my public IP at work), nmap 
says that ftp, smtp and irc (port 6668) are open.

Even though I have sendmail_enable="none" in my rc.conf I still get some 
sendmail entries in my syslog so that might explain the open smtp port, but 
the others are DEFINITELY NOT supposed to be open.

I haven't noticed anything different on the servers themselves and neither can 
I detect these open ports on the machine itself (using lsof -i :1-65535 or 
netstat). I also haven't noticed any abnormal traffic volumes originating 
from them.

So, have I been hacked and rootkitted? Or is nmap simply lying to me?

I've been subscribed to freebsd-announce and thus seen all SAs to date, but 
none of them are relevant to any of my setups.

Kilian Hagemann

Climate Systems Analysis Group
University of Cape Town
Republic of South Africa
Tel(w): ++27 21 650 2748
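
A quick way to put numbers on the question above is to line the external nmap view up against what the host itself has bound, so that every "open" port falls into one of two buckets: explained by a local listener, or answered by something that is not a socket on this host. The script below is an added example, not code from the original post; both inputs are constructed (the nmap block copies the ports from the post plus an assumed `22/tcp open ssh` line from the permitted address, the `sockstat -4 -l` listing is invented and assumes only sshd and syslogd are bound). It parses nmap's normal output and FreeBSD's sockstat format and reports the set difference.

```python
"""Compare ports nmap sees open from outside with sockets the host has bound.

Added example, not from the original post. Sample data below is constructed.
"""
import re

# nmap "normal" output, constructed: the four ports from the post plus an
# assumed ssh line as it would appear from the one permitted source address.
NMAP_OUTPUT = """\
(The 1663 ports scanned but not shown below are in state: filtered)
22/tcp   open  ssh
80/tcp   open  http
554/tcp  open  rtsp
1755/tcp open  wms
5190/tcp open  aol
"""

# Constructed `sockstat -4 -l` listing; assumes only sshd and syslogd are bound.
SOCKSTAT_OUTPUT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       412   4  tcp4   *:22                  *:*
root     syslogd    301   5  udp4   *:514                 *:*
"""

NMAP_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
# proto, then the LOCAL ADDRESS column as addr:port (port may be '*').
SOCKSTAT_LINE = re.compile(r"\s(tcp|udp)4?\s+(\S+):(\d+|\*)\s")


def parse_nmap(text):
    """Return {(port, proto): service} for every port nmap lists as open."""
    found = {}
    for line in text.splitlines():
        m = NMAP_LINE.match(line)
        if m and m.group(3) == "open":
            found[(int(m.group(1)), m.group(2))] = m.group(4)
    return found


def parse_sockstat(text):
    """Return the set of (port, proto) the host has bound, per sockstat."""
    bound = set()
    for line in text.splitlines():
        m = SOCKSTAT_LINE.search(line)
        if m and m.group(3) != "*":
            bound.add((int(m.group(3)), m.group(1)))
    return bound


def classify(nmap_open, local_bound):
    """Split externally open ports into those backed by a local socket and
    those nothing in the host's socket table accounts for."""
    explained, unexplained = {}, {}
    for key, service in nmap_open.items():
        (explained if key in local_bound else unexplained)[key] = service
    return explained, unexplained


def report(nmap_text=NMAP_OUTPUT, sockstat_text=SOCKSTAT_OUTPUT):
    """Human-readable summary; returns the lines rather than printing them."""
    explained, unexplained = classify(parse_nmap(nmap_text),
                                      parse_sockstat(sockstat_text))
    lines = []
    for (port, proto), svc in sorted(explained.items()):
        lines.append(f"{port}/{proto} {svc}: open outside, bound locally (ok)")
    for (port, proto), svc in sorted(unexplained.items()):
        lines.append(f"{port}/{proto} {svc}: open outside, NO local socket "
                     f"(answered by something else, or hidden from sockstat)")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

A port in the "no local socket" bucket has exactly two kinds of explanation: the SYN/ACK was produced by something other than this host's TCP stack (a device in the path between the scanner and the gateway, or a firewall rule that forwards the connection elsewhere), or the listener exists but is hidden from userland tools, which is the rootkit case the post is worried about. The check that separates them is to run `tcpdump -ni <external interface> port 554` on the gateway while repeating the scan: if the SYN for that port never reaches the interface, the answer was generated upstream and the host is not involved; if the SYN arrives and a SYN/ACK leaves even though sockstat shows nothing bound, the host's own userland tools can no longer be trusted.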

