From owner-freebsd-questions@FreeBSD.ORG Wed Jan 18 12:34:53 2006
Date: Wed, 18 Jan 2006 07:34:51 -0500
From: Ken Stevenson
To: Kilian Hagemann
Cc: freebsd-questions@freebsd.org
Subject: Re: Have I been hacked or is nmap wrong?
Message-ID: <20060118123451.GA69630@abbott.allenmyland.com>
In-Reply-To: <200601181129.38634.hagemann1@egs.uct.ac.za>
References: <200601171907.17831.hagemann1@egs.uct.ac.za> <078501c61b8b$478265d0$4df24243@tsgincorporated.com> <200601181129.38634.hagemann1@egs.uct.ac.za>
On Wed, Jan 18, 2006 at 11:29:38AM +0200, Kilian Hagemann wrote:
> On Tuesday 17 January 2006 19:27, Micheal Patterson pondered:
> > > The 1663 ports scanned but not shown below are in state: filtered)
> > > PORT     STATE SERVICE
> > > 80/tcp   open  http
> > > 554/tcp  open  rtsp
> > > 1755/tcp open  wms
> > > 5190/tcp open  aol
> >
> > Kilian, what does a sockstat show you on those systems and are there any
> > nats on either of these systems that would have a redirect_address to
> > something behind them?
>
> sockstat -4l only shows up the processes serving the LAN (dnsmasq, samba) as
> well as sshd:
> USER    COMMAND  PID FD PROTO LOCAL ADDRESS       FOREIGN ADDRESS
> root    smbd     484 18 tcp4  192.168.133.1:445   *:*
> root    smbd     484 19 tcp4  192.168.133.1:139   *:*
> root    nmbd     480 6  udp4  *:137               *:*
> root    nmbd     480 7  udp4  *:138               *:*
> root    nmbd     480 8  udp4  192.168.133.1:137   *:*
> root    nmbd     480 9  udp4  192.168.133.1:138   *:*
> nobody  dnsmasq  458 1  udp4  *:56212             *:*
> nobody  dnsmasq  458 3  udp4  *:53                *:*
> nobody  dnsmasq  458 4  tcp4  *:53                *:*
> nobody  dnsmasq  458 5  udp4  *:67                *:*
> root    sshd     432 3  tcp4  *:22                *:*
> root    syslogd  311 4  udp4  *:514               *:*
>
> So nothing suspect at all here. Yes, the systems are natted (with above system
> LAN on 192.168.133.0/24), using ppp -nat. I have no specific redirects set
> up, and only an "allow tcp/udp from LAN to WAN/any setup keep-state" dynamic
> rule, but that should be unrelated.
>
> If my server is not compromised, how the heck could an http/rtsp/wms/aol
> redirect sneak in there without me explicitly enabling it?

Is there any chance you have a router that's forwarding the ports in question to another computer?

-- 
Ken Stevenson
Allen-Myland Inc.
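A defender's triage for the question in this thread, added here as an example and not something anyone posted: reconcile the TCP ports nmap reports open with the listeners sockstat -4l shows on the host. Any port that answers from outside but has no local listener is being served by something other than a process on that host (a router or firewall forwarding the port, a NAT redirect, or a listener that hides from sockstat), which is exactly the split Ken's question is probing. The sample data is constructed from the outputs quoted above, with an ssh line and a filtered smtp line added so the script has one accounted-for port and one non-open port to ignore.

```shell
#!/bin/sh
# Constructed sample input modelled on the outputs quoted in the thread.
# The ssh and smtp lines are additions so the filtering is visible.
NMAP_OUT='PORT STATE SERVICE
22/tcp open ssh
25/tcp filtered smtp
80/tcp open http
554/tcp open rtsp
1755/tcp open wms
5190/tcp open aol'

SOCKSTAT_OUT='USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root smbd 484 18 tcp4 192.168.133.1:445 *:*
root smbd 484 19 tcp4 192.168.133.1:139 *:*
nobody dnsmasq 458 4 tcp4 *:53 *:*
root sshd 432 3 tcp4 *:22 *:*
root syslogd 311 4 udp4 *:514 *:*'

# TCP ports nmap marked "open" (filtered/closed ports are ignored), one per line.
nmap_open_tcp() {
    printf '%s\n' "$1" |
    awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" { sub(/\/tcp$/, "", $1); print $1 }'
}

# TCP ports with a local listening socket, read from the LOCAL ADDRESS column
# of sockstat -l output (the port is whatever follows the last colon).
# tcp6 is accepted too, so the same function works on sockstat -l without -4.
local_tcp_listeners() {
    printf '%s\n' "$1" |
    awk '$5 == "tcp4" || $5 == "tcp6" { n = split($6, a, ":"); print a[n] }' |
    sort -un
}

# Ports nmap saw open that nothing on this host is listening on. Each of these
# is answered by something else: a device in front of the host forwarding the
# port, a NAT redirect rule, or a listener that does not show up in sockstat.
unexplained_ports() {
    {
        local_tcp_listeners "$2" | sed 's/^/L /'
        nmap_open_tcp "$1" | sed 's/^/N /'
    } | awk '$1 == "L" { seen[$2] = 1; next } !seen[$2] { print $2 }'
}

# Stand-alone run against the constructed sample.
unexplained_ports "$NMAP_OUT" "$SOCKSTAT_OUT"
```

On a live host, feed it the real outputs: `unexplained_ports "$(nmap -p- host)" "$(sockstat -4l)"` run from a machine outside the NAT for the nmap half and on the host itself for the sockstat half.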