From: Grant
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] I've been hacked.
Date: Mon, 10 May 2010 23:54:46 -0700
In-Reply-To: <201005110633.42037.michaelkintzios@gmail.com>
References: <201005110633.42037.michaelkintzios@gmail.com>
List-Id: Gentoo Linux mail

>> I nmap'ed one of my remote Gentoo servers today and besides the
>> expected open ports were these:
>>
>> 1080/tcp open  socks
>> 3128/tcp open  squid-http
>> 8080/tcp open  http-proxy
>>
>> I'm not running any sort of proxy software that I know of and I should
>> be the only person whatsoever with access to the machine.  'netstat
>> -l' doesn't show any info on those ports at all so I suppose it's been
>> hacked as well?  I installed and ran 'rkhunter --check' (what happened
>> to the chkrootkit ebuild?) but it doesn't seem to be much use since I
>> hadn't established a "file of stored file properties".
>>
>> What do you guys think is going on?  What should I do from here?
>
> What does lsof (I'd reinstall it afresh) show with regards to strange users?
> What users do the above services run under?  If indeed they are not legitimate
> and you confirm that they are not being run as packages that you installed,
> then I'm afraid the only sane option is to reinstall.

Wow.  I'm actually seeing the same thing from other domains I nmap.
Could my ISP have some kind of a weird environment set up that makes it
look like there are ports such as these open on remote systems?  Right
now I'm on some kind of a shared connection where everyone has their own
modem or router or whatever it is, but I think everyone's IP is the same.

- Grant
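The triage the thread circles around (nmap from outside says a port is open, `netstat -l` on the box says nothing is listening) can be made mechanical. The script below is an added example, not code from the thread or from Gentoo: it parses nmap's greppable output (`nmap -oG -`) and the host's own listener list (`ss -ltnH` or `netstat -ltn`) and prints the ports that are reachable from outside but have no local listener. Both inputs are constructed samples embedded in the script so it runs offline; the 192.0.2.10 address and the port set are made up to mirror the thread. A non-empty result means one of two things: the host's own tools are being lied to (the case rkhunter and chkrootkit exist to detect, and a reason to follow the reinstall advice), or something on the path, such as an ISP transparent proxy or shared NAT gateway, is answering in the host's place, which is what Grant suspects when every remote domain shows the same three proxy ports. Repeating the scan from a second network, and running `lsof -i :PORT` on the host, tells the two apart.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check ports a remote nmap scan
# reports as open against the listeners the host itself reports.
# Real usage:  nmap -oG - -p- HOST   and   ss -ltnH   (or netstat -ltn)

# Constructed sample: nmap -oG output as seen from outside the server.
NMAP_GREPPABLE='# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 ()  Status: Up
Host: 192.0.2.10 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 1080/open/tcp//socks///, 3128/open/tcp//squid-http///, 8080/open/tcp//http-proxy///	Ignored State: closed (65530)
# Nmap done'

# Constructed sample: what `ss -ltnH` prints on the server itself.
# Only sshd and the web server are listening; no proxy ports.
SS_LISTEN='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 127.0.0.1:25 0.0.0.0:*'

# Constructed sample in `netstat -ltn` layout, where the proxy ports DO have
# local listeners (so a scan and the host's view agree).
NETSTAT_LISTEN='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1080            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3128            0.0.0.0:*               LISTEN
tcp        0      0 :::8080                 :::*                    LISTEN'

# remote_open_ports NMAP_OG_TEXT
# Prints the TCP ports nmap reports as "open", one per line, sorted numerically.
# Each -oG port entry looks like PORT/STATE/PROTO//SERVICE///.
remote_open_ports() {
    printf '%s\n' "$1" | awk -F'Ports: ' '
        /Ports:/ {
            n = split($2, entry, ", ")
            for (i = 1; i <= n; i++) {
                split(entry[i], f, "/")
                if (f[2] == "open" && f[3] == "tcp") print f[1]
            }
        }' | sort -n | uniq
}

# local_listen_ports LISTENER_TEXT
# Prints the TCP ports the host itself is listening on, from either ss -ltnH
# or netstat -ltn output: the local address is the first field that ends in
# ":<number>" (the peer field ends in ":*", so it never matches).
local_listen_ports() {
    printf '%s\n' "$1" | awk '
        /LISTEN/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /:[0-9][0-9]*$/) {
                    n = split($i, p, ":")
                    print p[n]
                    break
                }
            }
        }' | sort -n | uniq
}

# unexplained_ports NMAP_OG_TEXT LISTENER_TEXT
# Prints, on one line, the ports open from outside that have no local listener
# (empty line when the two views agree).
unexplained_ports() {
    remote="$(remote_open_ports "$1")"
    listening="$(local_listen_ports "$2")"
    out=""
    for port in $remote; do
        if ! printf '%s\n' "$listening" | grep -qx "$port"; then
            out="${out:+$out }$port"
        fi
    done
    printf '%s\n' "$out"
}

# Stand-alone run: the ss sample reproduces the thread's situation.
suspect="$(unexplained_ports "$NMAP_GREPPABLE" "$SS_LISTEN")"
if [ -n "$suspect" ]; then
    echo "open from outside but no local listener: $suspect"
    echo "next: lsof -i :PORT on the host, then rescan from a different network"
else
    echo "remote scan and local listeners agree"
fi
```

With the ss sample the script reports `1080 3128 8080`; with the netstat sample, where those ports really are bound locally, it reports nothing. The listener parser deliberately ignores the bound address, so a service on 127.0.0.1 still counts as "explained" even though it would not be reachable from outside; that is the safe direction for this check, since the question is only whether the host knows about the socket at all.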