Delivered-To: freebsd-questions@freebsd.org
From: "Micheal Patterson"
To: "Kilian Hagemann"
Date: Tue, 17 Jan 2006 11:27:18 -0600
Subject: Re: Have I been hacked or is nmap wrong?

----- Original Message -----
From: "Kilian Hagemann"
To:
Sent: Tuesday, January 17, 2006 11:07 AM
Subject: Have I been hacked or is nmap wrong?

> Hi there,
>
> I'm managing two FreeBSD based gateways, one running 5.2.1-RELEASE and the
> other 5.3-STABLE, both not having been updated since I installed from ISO
> images. They both have custom ipfw firewalls that are dropping pretty much
> everything that's not supposed to come in.
>
> All was fine and dandy until one day I noticed that when I nmap'ed them from
> the outside, the one shows
>
> The 1663 ports scanned but not shown below are in state: filtered)
> PORT STATE SERVICE
> 80/tcp open http
> 554/tcp open rtsp
> 1755/tcp open wms
> 5190/tcp open aol
>

Kilian, what does a sockstat show you on those systems and are there any
nats on either of these systems that would have a redirect_address to
something behind them?

--
Micheal Patterson
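
The check the reply asks for, as an added example that is not part of the original message: compare the ports nmap reported open with the TCP listeners sockstat shows, then list any redirect_address mappings. The sockstat and natd configuration samples are constructed, and the function names are hypothetical; on a real gateway, pipe the live `sockstat -4 -l` output and the actual natd configuration file into the same functions.

```shell
#!/bin/sh
# Added illustration; sample data below is constructed, function names are hypothetical.

# Ports the quoted nmap scan reported as open from the outside.
NMAP_OPEN="80 554 1755 5190"

# Constructed stand-in for `sockstat -4 -l` on the gateway.
sample_sockstat() {
cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       412   3  tcp4   *:22                  *:*
www      httpd      530   16 tcp4   *:80                  *:*
root     natd       301   3  div4   *:8668                *:*
EOF
}

# Constructed stand-in for a natd configuration file.
sample_natd_conf() {
cat <<'EOF'
interface fxp0
# forward one public address to an inside host
redirect_address 192.168.1.10 203.0.113.5
EOF
}

# stdin: sockstat output. stdout: "port command" per listening TCP socket.
local_tcp_listeners() {
    awk 'NR > 1 && $5 ~ /^tcp/ { n = split($6, a, ":"); print a[n], $2 }'
}

# stdin: sockstat output. stdout: nmap-open ports with no local TCP listener.
unexplained_ports() {
    listeners=$(local_tcp_listeners)
    for p in $NMAP_OPEN; do
        owner=$(printf '%s\n' "$listeners" |
            awk -v p="$p" '$1 == p { print $2; exit }')
        [ -n "$owner" ] || printf '%s\n' "$p"
    done
}

# stdin: natd config. stdout: "inside_ip public_ip" per redirect_address line.
nat_redirects() {
    awk '$1 == "redirect_address" { print $2, $3 }'
}

echo "open per nmap but not bound locally:"
sample_sockstat | unexplained_ports
echo "redirect_address mappings:"
sample_natd_conf | nat_redirects
```

A port that nmap reports open but that appears in neither list is not being answered by a process on the gateway or by a redirect_address mapping on it.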