From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1OBk4s-0000mT-3V for garchives@archives.gentoo.org; Tue, 11 May 2010 07:40:30 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id BCDE0E0871; Tue, 11 May 2010 07:39:56 +0000 (UTC) Received: from der-root.de (der-root.de [78.46.36.110]) by pigeon.gentoo.org (Postfix) with ESMTP id 8DB02E0871 for ; Tue, 11 May 2010 07:39:56 +0000 (UTC) Received: from [78.46.36.110] (der-root [78.46.36.110]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by der-root.de (Postfix) with ESMTPSA id 3CA4E220C2A4 for ; Tue, 11 May 2010 09:39:55 +0200 (CEST) Message-ID: <4BE909CB.2090105@smash-net.org> Date: Tue, 11 May 2010 09:39:55 +0200 From: =?ISO-8859-1?Q?Norman_Rie=DF?= User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); de; rv:1.9.1.8) Gecko/20100227 Thunderbird/3.0.3 Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-user@lists.gentoo.org Reply-to: gentoo-user@lists.gentoo.org MIME-Version: 1.0 To: gentoo-user@lists.gentoo.org Subject: Re: [gentoo-user] I've been hacked. References: <201005110633.42037.michaelkintzios@gmail.com> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Archives-Salt: d5093edc-03ad-4b9b-9ddd-f60ca71ff02c X-Archives-Hash: 1d2118fc6756167e1330576161b0215d Am 05/11/10 08:54, schrieb Grant: >>> I nmap'ed one of my remote Gentoo servers today and besides the >>> expected open ports were these: >>> >>> 1080/tcp open socks >>> 3128/tcp open squid-http >>> 8080/tcp open http-proxy >>> >>> I'm not running any sort of proxy software that I know of and I should >>> be the only person whatsoever with access to the machine. 'netstat >>> -l' doesn't show any info on those ports at all so I suppose it's been >>> hacked as well? I installed and ran 'rkhunter --check' (what happened >>> to the chrootkit ebuild?) but it doesn't seem to be much use since I >>> hadn't established a "file of stored file properties". >>> >>> What do you guys think is going on? What should I do from here? >>> >> What does lsof (I'd reinstall it afresh) show with regards to strange users? >> What users the above services run under. If indeed they are not legitimate >> and you confirm that they are not being run as packages that you installed, >> then I'm afraid the only sane option is to reinstall. >> > Wow. I'm actually seeing the same thing from other domains I nmap. > Could my ISP have some kind of a weird environment set up that makes > it look like there are ports such as these open on remote systems? > Right now I'm on some kind of a shared connection where everyone has > their own modem or router or whatever it is, but I think everyone's IP > is the same. > > - Grant > > Hello, looks like, your ISP has a Transparent Proxy Setup running. Regards, Norman