Message-ID: <4BEA9390.2070900@jaftan.com.au>
Date: Wed, 12 May 2010 21:40:00 +1000
From: Adam
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] I've been hacked.

>>> looks like, your ISP has a Transparent Proxy Setup running.
>
> Should I be worried about that?

No.

>> Ports being shown as open does not mean that your machine is
>> listening, more like the firewall has some holes in it. If the
>
> Really? I thought a service had to be listening for the port to be
> open. So from nmap, there is no way to tell the difference between a
> port that isn't blocked by a firewall and one that is listening?

You're right - a TCP service does need to be listening for the port to be shown as open. However, a device in the path like a proxy may answer on behalf of the actual destination. ISPs can do this so that you will use their proxy without having to configure a proxy in your browser.

Firewalls can block ports in two ways:

1. Reject the packet, that is, respond to the SYN with an RST packet (which is also what the operating system does if the port is closed) and not forward the packet to the destination.
2. Drop the packet, that is, don't respond to the packet or forward it on to the destination.
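
The three outcomes described in the message above, as seen from the probing side: an added example, not part of the original e-mail. The names `probe` and `demo` are hypothetical, and the demo uses only constructed loopback sockets so that it runs offline.

```python
import socket


def probe(host, port, timeout=2.0):
    """Classify a TCP port by how a connection attempt (SYN) is answered."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        # An RST came back: either the OS has nothing listening on the port,
        # or a firewall in the path rejected the packet. The two look the same.
        return "rejected"
    except socket.timeout:
        # No reply at all: a firewall dropped the packet (or the host is down).
        return "dropped"
    except OSError:
        # Some other error, e.g. an ICMP unreachable reported by the stack.
        return "unreachable"
    else:
        # The handshake completed. That proves something answered, which may
        # be a transparent proxy in the path rather than the destination.
        return "open"
    finally:
        s.close()


def demo():
    """Probe one listening and one closed port on loopback (constructed)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # port 0: kernel picks a free port
    listener.listen(1)
    open_port = listener.getsockname()[1]

    # Reserve a second port number, then release it so nothing listens there.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()

    try:
        return {"listening": probe("127.0.0.1", open_port),
                "closed": probe("127.0.0.1", closed_port)}
    finally:
        listener.close()


if __name__ == "__main__":
    print(demo())
```

The "dropped" result needs a packet filter that silently discards the SYN, so the loopback demo does not exercise it.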