Have I been hacked or is nmap wrong?

Ken Stevenson ken at abbott.allenmyland.com
Tue Jan 17 09:48:41 PST 2006

On Tue, Jan 17, 2006 at 07:07:17PM +0200, Kilian Hagemann wrote:
> Hi there,
> I'm managing two FreeBSD based gateways, one running 5.2.1-RELEASE and the 
> other 5.3-STABLE, both not having been updated since I installed from ISO 
> images. They both have custom ipfw firewalls that are dropping pretty much 
> everything that's not supposed to come in.
> All was fine and dandy until one day I noticed that when I nmap'ed them from 
> the outside, the one shows
> The 1663 ports scanned but not shown below are in state: filtered)
> 80/tcp   open  http
> 554/tcp  open  rtsp
> 1755/tcp open  wms
> 5190/tcp open  aol
> and the other the same without the http bit. When I nmap them from the only 
> address that they allow ssh&rsync access from (my public IP at work), nmap 
> says that ftp, smtp and irc(port 6668) are open.
> Even though I have sendmail_enable="none" in my rc.conf I still get some 
> sendmail entries in my syslog so that might explain the open smtp port, but 
> the others are DEFINITELY NOT supposed to be open.
> I haven't noticed anything different on the servers themselves and neither can 
> I detect these open ports on the machine itself (using lsof -i :1-65535 or 
> netstat). I also haven't noticed any abnormal traffic volumes originating 
> from them.
> So, have I been hacked and rootkitted? Or is nmap simply lying to me?
> I've been subscribed to freebsd-announce and thus seen all SA's to date, but 
> none of them are relevant to any of my setups.

Run sockstat -4l and see what commands are listening on the ports in
Ken Stevenson
Allen-Myland Inc.

More information about the freebsd-questions mailing list