From: Ken Stevenson
To: Kilian Hagemann
Cc: freebsd-questions@freebsd.org
Date: Tue, 17 Jan 2006 12:42:28 -0500
Subject: Re: Have I been hacked or is nmap wrong?
Message-ID: <20060117174228.GA58750@abbott.allenmyland.com>
In-Reply-To: <200601171907.17831.hagemann1@egs.uct.ac.za>

On Tue, Jan 17, 2006 at 07:07:17PM +0200, Kilian Hagemann wrote:
> Hi there,
>
> I'm managing two FreeBSD based gateways, one running 5.2.1-RELEASE and the
> other 5.3-STABLE, both not having been updated since I installed from ISO
> images. They both have custom ipfw firewalls that are dropping pretty much
> everything that's not supposed to come in.
>
> All was fine and dandy until one day I noticed that when I nmap'ed them from
> the outside, the one shows
>
> The 1663 ports scanned but not shown below are in state: filtered)
> PORT     STATE SERVICE
> 80/tcp   open  http
> 554/tcp  open  rtsp
> 1755/tcp open  wms
> 5190/tcp open  aol
>
> and the other the same without the http bit. When I nmap them from the only
> address that they allow ssh & rsync access from (my public IP at work), nmap
> says that ftp, smtp and irc (port 6668) are open.
>
> Even though I have sendmail_enable="none" in my rc.conf I still get some
> sendmail entries in my syslog so that might explain the open smtp port, but
> the others are DEFINITELY NOT supposed to be open.
>
> I haven't noticed anything different on the servers themselves and neither can
> I detect these open ports on the machine itself (using lsof -i :1-65535 or
> netstat). I also haven't noticed any abnormal traffic volumes originating
> from them.
>
> So, have I been hacked and rootkitted? Or is nmap simply lying to me?
>
> I've been subscribed to freebsd-announce and thus seen all SA's to date, but
> none of them are relevant to any of my setups.
>

Run sockstat -4l and see what commands are listening on the ports in question.

-- 
Ken Stevenson
Allen-Myland Inc.
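As an added example (not part of this thread), a small Python script that does the cross-check Ken suggests: it parses the nmap table quoted above together with constructed `sockstat -4l` output and reports which nmap-open ports a local listener accounts for and which none does. The sockstat rows and their commands are made up for the example.

```python
import re
# Constructed sample: the nmap table quoted in the thread (tcp only).
NMAP_OUTPUT = """\
PORT     STATE SERVICE
80/tcp   open  http
554/tcp  open  rtsp
1755/tcp open  wms
5190/tcp open  aol
"""

# Constructed sample in the column layout `sockstat -4l` prints on FreeBSD
# (USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS).
SOCKSTAT_OUTPUT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       512   3  tcp4   *:22                  *:*
www      httpd      601   4  tcp4   *:80                  *:*
root     sendmail   455   4  tcp4   127.0.0.1:25          *:*
"""

NMAP_ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def nmap_open_ports(text):
    # {(proto, port): service} for every row nmap lists as "open"
    ports = {}
    for line in text.splitlines():
        m = NMAP_ROW.match(line)
        if m and m.group(3) == "open":
            ports[(m.group(2), int(m.group(1)))] = m.group(4)
    return ports

def sockstat_listeners(text):
    # {(proto, port): command} for each listening socket; first line is the header
    listeners = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 7:
            continue
        command, proto, local = fields[1], fields[4], fields[5]
        proto = proto.rstrip("46")            # tcp4 -> tcp, udp4 -> udp
        port = local.rsplit(":", 1)[1]        # "*:22" or "127.0.0.1:25" -> port
        if port.isdigit():
            listeners[(proto, int(port))] = command
    return listeners

def cross_check(nmap_text, sockstat_text):
    # confirmed: a local process explains the open port; unexplained: nothing does
    open_ports = nmap_open_ports(nmap_text)
    listeners = sockstat_listeners(sockstat_text)
    confirmed = {k: listeners[k] for k in open_ports if k in listeners}
    unexplained = sorted(k for k in open_ports if k not in listeners)
    return confirmed, unexplained
```

With the sample data, port 80 is explained by httpd while 554, 1755 and 5190 have no local listener at all, which is the result that warrants further investigation. A matching listener only tells you which process owns the socket on that host, not that the host itself is clean.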