From: Kilian Hagemann
Organization: University of Cape Town
To: freebsd-questions@freebsd.org
Date: Tue, 17 Jan 2006 19:07:17 +0200
Message-Id: <200601171907.17831.hagemann1@egs.uct.ac.za>
Subject: Have I been hacked or is nmap wrong?

Hi there,

I'm managing two FreeBSD based gateways, one running 5.2.1-RELEASE and the other 5.3-STABLE, both not having been updated since I installed from ISO images. They both have custom ipfw firewalls that are dropping pretty much everything that's not supposed to come in. All was fine and dandy until one day I noticed that when I nmap'ed them from the outside, the one shows

(The 1663 ports scanned but not shown below are in state: filtered)
PORT     STATE SERVICE
80/tcp   open  http
554/tcp  open  rtsp
1755/tcp open  wms
5190/tcp open  aol

and the other the same without the http bit.
When I nmap them from the only address that they allow ssh & rsync access from (my public IP at work), nmap says that ftp, smtp and irc (port 6668) are open. Even though I have sendmail_enable="none" in my rc.conf I still get some sendmail entries in my syslog, so that might explain the open smtp port, but the others are DEFINITELY NOT supposed to be open. I haven't noticed anything different on the servers themselves, and neither can I detect these open ports on the machine itself (using lsof -i :1-65535 or netstat). I also haven't noticed any abnormal traffic volumes originating from them.

So, have I been hacked and rootkitted? Or is nmap simply lying to me? I've been subscribed to freebsd-announce and thus seen all SAs to date, but none of them are relevant to any of my setups.

-- 
Kilian Hagemann
Climate Systems Analysis Group
University of Cape Town
Republic of South Africa
Tel(w): ++27 21 650 2748
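The comparison the post makes by hand (what nmap sees from outside versus what lsof/netstat show on the box) written as a small check; this is an added example, not code from the post or from FreeBSD. It parses nmap's port table in the format quoted above and diffs it against the gateway's own listening sockets, which it assumes come from `sockstat -4 -l`; both inputs are constructed samples.

```python
import re
from typing import Dict, Set, Tuple

# Constructed sample: an external nmap scan in the format quoted in the post.
NMAP_OUTPUT = """\
(The 1663 ports scanned but not shown below are in state: filtered)
PORT     STATE SERVICE
80/tcp   open  http
554/tcp  open  rtsp
1755/tcp open  wms
5190/tcp open  aol
"""

# Constructed sample: listening sockets as `sockstat -4 -l` prints them on the host.
SOCKSTAT_OUTPUT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       312   3  tcp4   *:22                  *:*
www      httpd      401   4  tcp4   *:80                  *:*
root     syslogd    255   5  udp4   *:514                 *:*
"""

NMAP_ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
SOCKSTAT_ROW = re.compile(r"^\S+\s+\S+\s+\d+\s+\d+\s+(tcp|udp)[46]\s+\S+:(\d+)(?:\s|$)")
Port = Tuple[int, str]  # (port number, protocol)

def parse_nmap_open(text: str) -> Dict[Port, str]:
    """Return {(port, proto): service} for rows nmap reports as 'open'."""
    found: Dict[Port, str] = {}
    for line in text.splitlines():
        m = NMAP_ROW.match(line.strip())
        if m and m.group(3) == "open":
            found[(int(m.group(1)), m.group(2))] = m.group(4)
    return found

def parse_sockstat_listening(text: str) -> Set[Port]:
    """Return {(port, proto)} for every listening socket in sockstat output."""
    listening: Set[Port] = set()
    for line in text.splitlines():
        m = SOCKSTAT_ROW.match(line)
        if m:
            listening.add((int(m.group(2)), m.group(1)))
    return listening

def unexplained_open_ports(nmap_text: str, sockstat_text: str) -> Dict[Port, str]:
    """Ports seen open from outside with no local listener: either something upstream
    answers on the host's behalf or the host's own socket listing cannot be trusted."""
    local = parse_sockstat_listening(sockstat_text)
    return {p: svc for p, svc in parse_nmap_open(nmap_text).items() if p not in local}
```

If the host's own socket listing is itself in doubt, as the post's rootkit question implies, take the local side of the comparison from tools run off a trusted boot medium rather than from the running system.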