Date: Tue, 17 Jan 2006 12:42:28 -0500
From: Ken Stevenson <ken@abbott.allenmyland.com>
To: Kilian Hagemann <hagemann1@egs.uct.ac.za>
Cc: freebsd-questions@freebsd.org
Subject: Re: Have I been hacked or is nmap wrong?
Message-ID: <20060117174228.GA58750@abbott.allenmyland.com>
In-Reply-To: <200601171907.17831.hagemann1@egs.uct.ac.za>
References: <200601171907.17831.hagemann1@egs.uct.ac.za>

On Tue, Jan 17, 2006 at 07:07:17PM +0200, Kilian Hagemann wrote:
> Hi there,
>
> I'm managing two FreeBSD based gateways, one running 5.2.1-RELEASE and the
> other 5.3-STABLE, both not having been updated since I installed from ISO
> images. They both have custom ipfw firewalls that are dropping pretty much
> everything that's not supposed to come in.
>
> All was fine and dandy until one day I noticed that when I nmap'ed them from
> the outside, the one shows
>
> The 1663 ports scanned but not shown below are in state: filtered)
> PORT STATE SERVICE
> 80/tcp open http
> 554/tcp open rtsp
> 1755/tcp open wms
> 5190/tcp open aol
>
> and the other the same without the http bit. When I nmap them from the only
> address that they allow ssh&rsync access from (my public IP at work), nmap
> says that ftp, smtp and irc(port 6668) are open.
>
> Even though I have sendmail_enable="none" in my rc.conf I still get some
> sendmail entries in my syslog so that might explain the open smtp port, but
> the others are DEFINITELY NOT supposed to be open.
>
> I haven't noticed anything different on the servers themselves and neither can
> I detect these open ports on the machine itself (using lsof -i :1-65535 or
> netstat). I also haven't noticed any abnormal traffic volumes originating
> from them.
>
> So, have I been hacked and rootkitted? Or is nmap simply lying to me?
>
> I've been subscribed to freebsd-announce and thus seen all SA's to date, but
> none of them are relevant to any of my setups.
>

Run sockstat -4l and see what commands are listening on the ports in question.

-- 
Ken Stevenson
Allen-Myland Inc.

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060117174228.GA58750>