Have I been hacked or is nmap wrong?
Ken Stevenson
ken at abbott.allenmyland.com
Wed Jan 18 04:34:53 PST 2006
On Wed, Jan 18, 2006 at 11:29:38AM +0200, Kilian Hagemann wrote:
> On Tuesday 17 January 2006 19:27, Micheal Patterson pondered:
> > > The 1663 ports scanned but not shown below are in state: filtered)
> > > PORT STATE SERVICE
> > > 80/tcp open http
> > > 554/tcp open rtsp
> > > 1755/tcp open wms
> > > 5190/tcp open aol
> >
> > Kilian, what does a sockstat show you on those systems and are there any
> > nats on either of these systems that would have a redirect_address to
> > something behind them?
>
> sockstat -4l only shows up the processes serving the LAN (dnsmasq, samba) as
> well as sshd:
> USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
> root smbd 484 18 tcp4 192.168.133.1:445 *:*
> root smbd 484 19 tcp4 192.168.133.1:139 *:*
> root nmbd 480 6 udp4 *:137 *:*
> root nmbd 480 7 udp4 *:138 *:*
> root nmbd 480 8 udp4 192.168.133.1:137 *:*
> root nmbd 480 9 udp4 192.168.133.1:138 *:*
> nobody dnsmasq 458 1 udp4 *:56212 *:*
> nobody dnsmasq 458 3 udp4 *:53 *:*
> nobody dnsmasq 458 4 tcp4 *:53 *:*
> nobody dnsmasq 458 5 udp4 *:67 *:*
> root sshd 432 3 tcp4 *:22 *:*
> root syslogd 311 4 udp4 *:514 *:*
>
> So nothing suspect at all here. Yes, the systems are natted (with above system
> LAN on 192.168.133.0/24), using ppp -nat. I have no specific redirects set
> up, and only an "allow tcp/udp from LAN to WAN/any setup keep-state" dynamic
> rule, but that should be unrelated.
>
> If my server is not compromised, how the heck could an http/rtsp/wms/aol
> redirect sneak in there without me explicitly enabling it?
>
Is there any chance you have a router that's forwarding the ports
in question to another computer?
--
Ken Stevenson
Allen-Myland Inc.
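One way to check the question Ken raises mechanically, as an added example that is not part of the original thread: reconcile the ports nmap reports open from outside against what the host itself has listening, and list the ones nothing local accounts for. Such ports point at whatever sits in the path (a NAT redirect, a router port-forward, or an upstream device answering on the host's behalf) rather than at a process on the host. The script assumes nmap's normal output format and the column layout of FreeBSD's `sockstat -4l`; the sample outputs embedded below are constructed from the lines quoted in the thread, and the function names are this example's own.

```shell
#!/bin/sh
# Constructed sample: the open-port table from the nmap scan quoted in the thread.
NMAP_OUTPUT='PORT     STATE SERVICE
80/tcp   open  http
554/tcp  open  rtsp
1755/tcp open  wms
5190/tcp open  aol'

# Constructed sample: the sockstat -4l output quoted in the thread.
SOCKSTAT_OUTPUT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     smbd       484   18 tcp4   192.168.133.1:445     *:*
root     smbd       484   19 tcp4   192.168.133.1:139     *:*
root     nmbd       480   6  udp4   *:137                 *:*
root     nmbd       480   7  udp4   *:138                 *:*
nobody   dnsmasq    458   3  udp4   *:53                  *:*
nobody   dnsmasq    458   4  tcp4   *:53                  *:*
nobody   dnsmasq    458   5  udp4   *:67                  *:*
root     sshd       432   3  tcp4   *:22                  *:*
root     syslogd    311   4  udp4   *:514                 *:*'

# Print the TCP port numbers nmap reports as "open", one per line, numerically sorted.
open_tcp_ports() {
  printf '%s\n' "$1" | awk '
    $1 ~ /^[0-9]+\/tcp$/ && $2 == "open" { sub(/\/tcp$/, "", $1); print $1 }' | sort -n
}

# Print the TCP ports that have a local listener according to sockstat -4l.
# Column 5 is PROTO, column 6 is LOCAL ADDRESS; the port is the text after the last colon.
listening_tcp_ports() {
  printf '%s\n' "$1" | awk '
    $5 == "tcp4" { n = split($6, a, ":"); print a[n] }' | sort -n | uniq
}

# Print the ports that are open from outside but have no local listener.
# Anything listed here is being answered by something other than a process on this host.
unexplained_ports() {
  listening_tcp_ports "$2" | awk -v scanned="$(open_tcp_ports "$1")" '
    { listening[$1] = 1 }
    END {
      n = split(scanned, p, "\n")
      for (i = 1; i <= n; i++) if (p[i] != "" && !(p[i] in listening)) print p[i]
    }'
}

# Usage: feed real output with
#   unexplained_ports "$(nmap -sT host)" "$(sockstat -4l)"
echo "Open from outside, but not listening on this host:"
unexplained_ports "$NMAP_OUTPUT" "$SOCKSTAT_OUTPUT"
```

A non-empty result is the signal to look at the devices between the scanner and the host (the NAT rules on the ppp link, the router's port-forward table) rather than at the host's process list; an empty result with the same nmap output would instead mean the listener is local and the question becomes which process owns it.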