I have been hacked (WAS: Have I been hacked or is nmap wrong?)

Kilian Hagemann hagemann1 at egs.uct.ac.za
Wed Jan 18 05:56:29 PST 2006

On Wednesday 18 January 2006 14:34, Ken Stevenson pondered:
> Is there any chance you have a router that's forwarding the ports
> in question to another computer?

Not that I know of. The setup is quite simple:

     wireless           ethernet(PPPoE)              ethernet
ISP<------->Modem<------>FreeBSD gateway<------->LAN

FreeBSD is my router with ppp -ddial -nat and a custom ipfw script that blocks 
all incoming connections while allowing legitimate traffic out (with 
keep-state rules).

Check this out: ftp <my_server> gives

220 Frox transparent ftp proxy. Login with username[@host[:port]]
Name (...)

I have never even heard of "frox" before, but after some googling it turns out 
that it's a GPL'ed transparent ftp proxy...

Also, I said smtp ports were open on the machines in question, I just verified 
that I can send emails via BOTH these systems even though no 
sendmail/exim/whatever was ever installed by me and sendmail_enable="None" on 

My servers have been compromised, fantastic. And that with an initial 
firewall'ed setup that left NO open ports (I verified that a while ago with 
nmap). So much for my impression that FreeBSD was secure.

How could this have happened? ipfw buffer overflow? Some other unknown 

I really wanna find out how they got in (syslog offers no clues btw, I've been 
rootkitted after all :-( Any suggestions other than 

Kilian Hagemann

Climate Systems Analysis Group
University of Cape Town
Republic of South Africa
Tel(w): ++27 21 650 2748

More information about the freebsd-questions mailing list