Date: Tue, 17 Jan 2006 19:07:17 +0200
From: Kilian Hagemann <hagemann1@egs.uct.ac.za>
To: freebsd-questions@freebsd.org
Subject: Have I been hacked or is nmap wrong?
Message-ID: <200601171907.17831.hagemann1@egs.uct.ac.za>
Hi there,

I'm managing two FreeBSD based gateways, one running 5.2.1-RELEASE and the other 5.3-STABLE, both not having been updated since I installed from ISO images. They both have custom ipfw firewalls that are dropping pretty much everything that's not supposed to come in. All was fine and dandy until one day I noticed that when I nmap'ed them from the outside, the one shows

    (The 1663 ports scanned but not shown below are in state: filtered)
    PORT     STATE SERVICE
    80/tcp   open  http
    554/tcp  open  rtsp
    1755/tcp open  wms
    5190/tcp open  aol

and the other the same without the http bit.

When I nmap them from the only address that they allow ssh & rsync access from (my public IP at work), nmap says that ftp, smtp and irc (port 6668) are open. Even though I have sendmail_enable="none" in my rc.conf I still get some sendmail entries in my syslog, so that might explain the open smtp port, but the others are DEFINITELY NOT supposed to be open.

I haven't noticed anything different on the servers themselves and neither can I detect these open ports on the machine itself (using lsof -i :1-65535 or netstat). I also haven't noticed any abnormal traffic volumes originating from them.

So, have I been hacked and rootkitted? Or is nmap simply lying to me? I've been subscribed to freebsd-announce and thus seen all SA's to date, but none of them are relevant to any of my setups.

--
Kilian Hagemann
Climate Systems Analysis Group
University of Cape Town
Republic of South Africa
Tel(w): ++27 21 650 2748
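The comparison the post is doing by hand (ports an external nmap reports open versus what the host's own netstat shows in LISTEN) as an added example, not code from the original post or from the nmap or FreeBSD projects; the nmap and netstat text below are constructed samples that echo the ports quoted above, and the local listener set (22 and 80) is an assumption.

```python
"""Cross-check an external nmap scan against the host's own listener table."""
import re
from typing import Dict, Set

# Constructed sample: nmap normal-format output, ports as quoted in the mail above.
NMAP_OUTPUT = """\
(The 1663 ports scanned but not shown below are in state: filtered)
PORT     STATE SERVICE
80/tcp   open  http
554/tcp  open  rtsp
1755/tcp open  wms
5190/tcp open  aol
"""

# Constructed sample of `netstat -an` as a BSD host prints it (assumed listener set).
NETSTAT_OUTPUT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  *.80                   *.*                    LISTEN
tcp4       0      0  192.0.2.1.22           198.51.100.7.40213     ESTABLISHED
udp4       0      0  *.514                  *.*
"""

NMAP_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\b\s*(\S*)")
NETSTAT_LINE = re.compile(r"^(tcp|udp)[46]?\s+\d+\s+\d+\s+(\S+)\s+\S+\s+LISTEN")


def parse_nmap_open(text: str) -> Dict[str, str]:
    """Return {'80/tcp': 'http', ...} for every port nmap reports as open."""
    found: Dict[str, str] = {}
    for line in text.splitlines():
        m = NMAP_LINE.match(line.strip())
        if m:
            found[f"{m.group(1)}/{m.group(2)}"] = m.group(3)
    return found


def parse_local_listeners(text: str) -> Set[str]:
    """Return {'22/tcp', ...} for TCP sockets the host itself shows in LISTEN."""
    listening: Set[str] = set()
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line.strip())
        if m:
            port = m.group(2).rsplit(".", 1)[1]  # BSD netstat writes addr.port
            listening.add(f"{port}/{m.group(1)}")
    return listening


def unexplained_ports(nmap_text: str, netstat_text: str) -> Dict[str, str]:
    """Ports open from outside with no local listener: the ones worth investigating."""
    local = parse_local_listeners(netstat_text)
    return {p: s for p, s in parse_nmap_open(nmap_text).items() if p not in local}


if __name__ == "__main__":
    for port, svc in sorted(unexplained_ports(NMAP_OUTPUT, NETSTAT_OUTPUT).items()):
        print(f"{port:10} {svc:8} open externally, no local LISTEN socket")
```

A port that shows up in this list but not in the host's own table points at something in the path between scanner and host, or at a host that is no longer reporting honestly; either way it narrows down what to look at next.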