Have I been hacked or is nmap wrong?
hagemann1 at egs.uct.ac.za
Tue Jan 17 09:07:12 PST 2006
I'm managing two FreeBSD based gateways, one running 5.2.1-RELEASE and the
other 5.3-STABLE, both not having been updated since I installed from ISO
images. They both have custom ipfw firewalls that are dropping pretty much
everything that's not supposed to come in.
All was fine and dandy until one day I noticed that when I nmap'ed them from
the outside, the one shows
(The 1663 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
80/tcp open http
554/tcp open rtsp
1755/tcp open wms
5190/tcp open aol
and the other the same without the http bit. When I nmap them from the only
address that they allow ssh & rsync access from (my public IP at work), nmap
says that ftp, smtp and irc (port 6668) are open.
Even though I have sendmail_enable="none" in my rc.conf I still get some
sendmail entries in my syslog so that might explain the open smtp port, but
the others are DEFINITELY NOT supposed to be open.
I haven't noticed anything different on the servers themselves and neither can
I detect these open ports on the machine itself (using lsof -i :1-65535 or
netstat). I also haven't noticed any abnormal traffic volumes originating
So, have I been hacked and rootkitted? Or is nmap simply lying to me?
I've been subscribed to freebsd-announce and thus seen all SA's to date, but
none of them are relevant to any of my setups.
Climate Systems Analysis Group
University of Cape Town
Republic of South Africa
Tel(w): ++27 21 650 2748
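Added example, not part of the original post: a small Python script that reconciles the ports nmap reports as open from outside with the LISTEN sockets netstat reports on the host itself, so that ports open externally with no matching local listener (or only a loopback listener) are flagged for investigation. The nmap text is constructed sample input modelled on the output quoted above; the netstat lines are hypothetical, since the post says none of the scanned ports appeared in netstat or lsof.

```python
import re

# Constructed sample input, modelled on the nmap output quoted in the post.
NMAP_OUTPUT = """\
(The 1663 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
80/tcp open http
554/tcp open rtsp
1755/tcp open wms
5190/tcp open aol
"""

# Constructed `netstat -an` excerpt (hypothetical; the post states the
# scanned ports were not visible in netstat or lsof on the host).
NETSTAT_OUTPUT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.25           *.*                    LISTEN
tcp4       0      0  *.873                  *.*                    LISTEN
"""

NMAP_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\b")
# FreeBSD netstat prints the port as the last dot-separated field of the address.
NETSTAT_RE = re.compile(r"^(tcp|udp)[46]?\s+\d+\s+\d+\s+(\S+)\.(\d+|\*)\s+\S+\s+LISTEN")

def parse_nmap_open(text):
    """Set of (proto, port) that nmap's normal output reports as open."""
    return {(m.group(2), int(m.group(1)))
            for line in text.splitlines() if (m := NMAP_RE.match(line.strip()))}

def parse_netstat_listen(text):
    """Map (proto, port) -> set of local addresses holding a LISTEN socket."""
    listeners = {}
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m and m.group(3) != "*":
            listeners.setdefault((m.group(1), int(m.group(3))), set()).add(m.group(2))
    return listeners

def reconcile(nmap_text, netstat_text):
    """Classify each externally open port against the host's own listeners."""
    listeners = parse_netstat_listen(netstat_text)
    result = {}
    for key in sorted(parse_nmap_open(nmap_text)):
        addrs = listeners.get(key)
        if not addrs:
            result[key] = "no local listener"        # hidden listener or a device in the path
        elif addrs <= {"127.0.0.1", "::1"}:
            result[key] = "loopback-only listener"   # should not be reachable from outside
        else:
            result[key] = "listening locally"        # consistent with the host's own view
    return result

if __name__ == "__main__":
    for (proto, port), verdict in reconcile(NMAP_OUTPUT, NETSTAT_OUTPUT).items():
        print(f"{port}/{proto}: {verdict}")
```

Run the nmap scan from the outside host and `netstat -an` on the gateway, then feed both captures to `reconcile`; every port in the first two categories deserves a closer look.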