From: "Scott M. Nolde"
Date: Thu, 4 Apr 2002 11:34:54 -0500
To: Mike Dewhirst
Cc: "'questions@freebsd.org'"
Subject: Re: have I been hacked?!

Mike Dewhirst(Dewhirst.M@UCLES.org.uk)@2002.04.04 17:13:15 +0000:
> I did a netscan of my box (which I've not done for 2-3 months or so) and
> spotted this:
>
> 1505/tcp open funkproxy
> 4008/tcp open netcheque
>
> I've never heard of either.
>
> Has the system been compromised?
>
> Any help would be extremely appreciated.
>
> Mike
>

Making the wild assumption you haven't been hacked, I'd suggest you try

    sockstat | grep -E "1505|4008"

to see who owns the processes using those sockets. From there you kill the
processes (if shown) and perhaps even firewall those ports from
communicating to the inet.
--
Scott Nolde
GPG Key 0xD869AB48
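
Added example, not part of the message above: the grep in the reply also matches lines where 1505 or 4008 appears as a PID or inside a longer port number, so this sketch compares only the local port column of sockstat-style output. The function names, the sample rows (constructed) and the assumed column layout USER COMMAND PID FD PROTO LOCAL FOREIGN are illustrative.

```shell
#!/bin/sh
# Added example: exact local-port lookup over sockstat-style output.
# Assumed columns: USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS

# Constructed sample data (not taken from any real host).
sample_sockstat() {
    cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1505  3  tcp4   *:22                  *:*
mike     procA      312   9  tcp4   *:1505                *:*
mike     procB      340   7  tcp4   *:4008                *:*
www      httpd      4008  16 tcp4   *:80                  *:*
root     syslogd    101   4  udp4   *:514                 *:*
mike     ssh        777   3  tcp4   192.0.2.7:14008       192.0.2.1:22
EOF
}

# port_owners PORT...
# Reads sockstat output on stdin; prints "port user command pid" for every
# socket whose local port is exactly one of the requested ports.
port_owners() {
    awk -v ports="$*" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        NR == 1 && $1 == "USER" { next }     # skip the header row
        NF >= 6 {
            lport = $6
            sub(/^.*:/, "", lport)           # keep only the text after the last ":"
            if (lport in want) print lport, $1, $2, $3
        }
    '
}

# naive_matches: number of lines the plain substring grep would report,
# for comparison with the exact match above.
naive_matches() {
    grep -E -c "1505|4008"
}

sample_sockstat | port_owners 1505 4008
```

On a live FreeBSD host the same function can be fed from `sockstat -4 -l` instead of the sample.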