From: Mick
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] I've been hacked.
Date: Tue, 11 May 2010 06:33:11 +0100
User-Agent: KMail/1.12.4 (Linux/2.6.33-gentoo-r2; KDE/4.3.5; x86_64; ; )
Message-Id: <201005110633.42037.michaelkintzios@gmail.com>

On Tuesday 11 May 2010 05:58:28 Grant wrote:
> I nmap'ed one of my remote Gentoo servers today and besides the
> expected open ports were these:
>
> 1080/tcp open socks
> 3128/tcp open squid-http
> 8080/tcp open http-proxy
>
> I'm not running any sort of proxy software that I know of and I should
> be the only person whatsoever with access to the machine. 'netstat
> -l' doesn't show any info on those ports at all so I suppose it's been
> hacked as well? I installed and ran 'rkhunter --check' (what happened
> to the chkrootkit ebuild?) but it doesn't seem to be much use since I
> hadn't established a "file of stored file properties".
>
> What do you guys think is going on? What should I do from here?

What does lsof (I'd reinstall it afresh) show with regards to strange users?
What users do the above services run under? If indeed they are not legitimate
and you confirm that they are not being run as packages that you installed,
then I'm afraid the only sane option is to reinstall.

-- 
Regards,
Mick