Have I been hacked or is nmap wrong?
ken at abbott.allenmyland.com
Tue Jan 17 09:48:41 PST 2006
On Tue, Jan 17, 2006 at 07:07:17PM +0200, Kilian Hagemann wrote:
> Hi there,
> I'm managing two FreeBSD based gateways, one running 5.2.1-RELEASE and the
> other 5.3-STABLE, both not having been updated since I installed from ISO
> images. They both have custom ipfw firewalls that are dropping pretty much
> everything that's not supposed to come in.
> All was fine and dandy until one day I noticed that when I nmap'ed them from
> the outside, the one shows
> (The 1663 ports scanned but not shown below are in state: filtered)
> PORT STATE SERVICE
> 80/tcp open http
> 554/tcp open rtsp
> 1755/tcp open wms
> 5190/tcp open aol
> and the other the same without the http bit. When I nmap them from the only
> address that they allow ssh&rsync access from (my public IP at work), nmap
> says that ftp, smtp and irc(port 6668) are open.
> Even though I have sendmail_enable="none" in my rc.conf I still get some
> sendmail entries in my syslog so that might explain the open smtp port, but
> the others are DEFINITELY NOT supposed to be open.
> I haven't noticed anything different on the servers themselves and neither can
> I detect these open ports on the machine itself (using lsof -i :1-65535 or
> netstat). I also haven't noticed any abnormal traffic volumes originating
> from them.
> So, have I been hacked and rootkitted? Or is nmap simply lying to me?
> I've been subscribed to freebsd-announce and thus seen all SA's to date, but
> none of them are relevant to any of my setups.
Run sockstat -4l and see what commands are listening on the ports in
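Added example, not from the thread: a small Python script that does the comparison Ken suggests, parsing an nmap table in the format quoted above together with a `sockstat -4l` listing (assumed to use FreeBSD's USER/COMMAND/PID/FD/PROTO/LOCAL/FOREIGN columns) and tagging each externally open port with the process listening on it, or with the absence of one. Both samples are constructed.

```python
import re
# Constructed sample in the nmap output format quoted in the question.
NMAP_OUTPUT = """\
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
554/tcp  open  rtsp
1755/tcp open  wms
5190/tcp open  aol
"""
# Constructed sample of `sockstat -4l` on the same host (FreeBSD column layout).
SOCKSTAT_OUTPUT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       512   4  tcp4   *:22                  *:*
root     sendmail   600   4  tcp4   127.0.0.1:25          *:*
"""
NMAP_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\b")

def parse_nmap_open(text):
    # {(port, proto)} for every line nmap marks as open
    hits = (NMAP_LINE.match(line.strip()) for line in text.splitlines())
    return {(int(m.group(1)), m.group(2)) for m in hits if m}

def parse_sockstat(text):
    # {(port, proto): (command, bound address)} for each listening socket
    listeners = {}
    for line in text.splitlines()[1:]:  # skip the column header
        fields = line.split()
        if len(fields) < 7:
            continue
        command, proto, local = fields[1], fields[4], fields[5]
        addr, _, port = local.rpartition(":")
        if port.isdigit():
            listeners[(int(port), proto[:3])] = (command, addr)
    return listeners

def reconcile(nmap_text, sockstat_text):
    # Tag each externally open port with what, if anything, backs it on the host.
    listeners, report = parse_sockstat(sockstat_text), {}
    for key in sorted(parse_nmap_open(nmap_text)):
        cmd, addr = listeners.get(key, (None, None))
        if cmd is None:
            report[key] = "open externally, no local listener"
        elif addr.startswith("127."):
            report[key] = "loopback-only listener: " + cmd
        else:
            report[key] = "listener: " + cmd
    return report
```

A port that nmap reports open while nothing on the host (not even a loopback-only daemon) listens on it is the discrepancy worth chasing, whether it comes from the firewall, something in the path, or the host itself.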