From: Grant
To: gentoo-user@lists.gentoo.org
Date: Tue, 11 May 2010 12:28:07 -0700
Subject: Re: [gentoo-user] I've been hacked.
References: <201005110633.42037.michaelkintzios@gmail.com> <4BE909CB.2090105@smash-net.org>
List-Id: Gentoo Linux mail

>>>>> I nmap'ed one of my remote Gentoo servers today and besides the
>>>>> expected open ports were these:
>>>>>
>>>>> 1080/tcp open  socks
>>>>> 3128/tcp open  squid-http
>>>>> 8080/tcp open  http-proxy
>>>>>
>>>>> I'm not running any sort of proxy software that I know of and I should
>>>>> be the only person whatsoever with access to the machine. 'netstat
>>>>> -l' doesn't show any info on those ports at all so I suppose it's been
>>>>> hacked as well? I installed and ran 'rkhunter --check' (what happened
>>>>> to the chkrootkit ebuild?) but it doesn't seem to be much use since I
>>>>> hadn't established a "file of stored file properties".
>>>>>
>>>>> What do you guys think is going on? What should I do from here?
>>>>
>>>> What does lsof (I'd reinstall it afresh) show with regards to strange
>>>> users? What users do the above services run under? If indeed they are
>>>> not legitimate and you confirm that they are not being run as packages
>>>> that you installed, then I'm afraid the only sane option is to reinstall.
>>>
>>> Wow. I'm actually seeing the same thing from other domains I nmap.
>>> Could my ISP have some kind of a weird environment set up that makes
>>> it look like there are ports such as these open on remote systems?
>>> Right now I'm on some kind of a shared connection where everyone has
>>> their own modem or router or whatever it is, but I think everyone's IP
>>> is the same.
>>>
>>> - Grant
>>
>> Hello,
>>
>> Looks like your ISP has a transparent proxy setup running.

Should I be worried about that?

> Ports being shown as open does not mean that your machine is
> listening, more like the firewall has some holes in it. If the

Really? I thought a service had to be listening for the port to be
open. So from nmap, there is no way to tell the difference between a
port that isn't blocked by a firewall and one that is listening?

> firewall is not configured/running on your server itself, then you may
> be alright. Can you actually connect to your server using those
> ports?

If I enter the server's IP appended with one of the port numbers listed
above into a web browser, I get:

"tinyproxy 1.6.0
The page you requested was unavailable. The error code is listed below.
In addition, the HTML file which has been configured as the page to be
displayed when an error of this type was unavailable, with the error
code 14 (Bad address). Please contact your administrator.
Bad Request"

The thing is, I get the same thing from any domain I enter appended with
one of those ports.

> Have you tried telnet, or nc -v -z to see if
> they are open?

Can you tell me what package nc is included in?

- Grant
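The situation the thread is converging on, an ISP-side interception proxy answering for every destination on 1080/3128/8080, can be checked mechanically rather than by eye. nmap reports a TCP port as open when something completes the handshake; a transparent proxy in the path completes it for any destination on the intercepted ports, so they look open on every host scanned while the hosts themselves have no listener. The script below is an added example written for this page, not code from the original thread or from any of its participants. It fetches a banner from several unrelated hosts on the same ports, fingerprints what answers (ignoring headers such as Date that legitimately vary), and treats identical fingerprints from unrelated hosts as evidence of an in-path device; it also parses `netstat -ltn` output taken on the server so the remote view can be compared with what is actually listening. The IP addresses, the tinyproxy-style error responses and the netstat output embedded as samples are constructed for illustration, not captured traffic.

```python
"""Tell a local listener apart from an in-path interception proxy.

Added example, not from the original thread. A transparent proxy completes
the TCP handshake (which is all nmap's 'open' means) for any destination on
the intercepted ports, so unrelated hosts all return the same banner while
the hosts themselves have nothing in LISTEN state on those ports.
"""
import re
import socket
from typing import Dict, Optional, Set

PORTS = (1080, 3128, 8080)
# Headers that legitimately differ between two answers from the same proxy.
VOLATILE = {"date", "content-length", "connection", "expires", "etag", "last-modified"}
# Product strings a proxy error page tends to carry in the body (e.g. "tinyproxy 1.6.0").
PRODUCT_RE = re.compile(rb"(tinyproxy|squid|privoxy|polipo)[ /][0-9][\w.]*", re.I)


def grab_banner(host: str, port: int, timeout: float = 3.0) -> Optional[bytes]:
    """Complete the handshake and send a minimal HTTP request so an HTTP proxy
    in the path answers with its own error page. None means refused/filtered."""
    request = f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(request)
            chunks = []
            while sum(len(c) for c in chunks) < 65536:
                try:
                    data = s.recv(4096)
                except socket.timeout:
                    break
                if not data:
                    break
                chunks.append(data)
            return b"".join(chunks)
    except OSError:
        return None


def fingerprint(response: bytes) -> str:
    """Status line, stable headers and any proxy product string in the body.
    Unrelated hosts yielding the same fingerprint were answered by the same box."""
    head, _, body = response.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    stable = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() not in VOLATILE:
            stable.append(f"{name.strip().lower()}: {value.strip()}")
    m = PRODUCT_RE.search(body)
    product = m.group(0).decode("latin-1").lower() if m else ""
    return " | ".join([lines[0].strip(), *sorted(stable), product])


def classify(results: Dict[str, Optional[bytes]]) -> str:
    """'interception-proxy' when two or more unrelated hosts answer identically,
    'per-host' when the answers differ, 'no-response' when nothing answered."""
    fps = {h: fingerprint(r) for h, r in results.items() if r}
    if not fps:
        return "no-response"
    if len(fps) >= 2 and len(set(fps.values())) == 1:
        return "interception-proxy"
    return "per-host"


def listening_ports(netstat_output: str) -> Set[int]:
    """Ports in LISTEN state from `netstat -ltn` output run on the server itself."""
    ports = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0].startswith("tcp") and "LISTEN" in fields:
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports


# Constructed samples (not captured traffic), using RFC 5737 documentation addresses.
def _proxy_page(date: str) -> bytes:
    return (f"HTTP/1.0 400 Bad Request\r\nServer: tinyproxy/1.6.0\r\nDate: {date}\r\n"
            "Content-Type: text/html\r\n\r\n<html><body>tinyproxy 1.6.0 Bad address"
            "</body></html>").encode("ascii")

# Three unrelated hosts behind one interception proxy: only the Date header differs.
SAMPLE_INTERCEPTED = {
    "192.0.2.10": _proxy_page("Tue, 11 May 2010 19:28:07 GMT"),
    "198.51.100.20": _proxy_page("Tue, 11 May 2010 19:28:09 GMT"),
    "203.0.113.30": _proxy_page("Tue, 11 May 2010 19:28:11 GMT"),
}
# Same hosts, genuinely different services: one tinyproxy, one squid, one refusing.
SAMPLE_DISTINCT = {
    "192.0.2.10": _proxy_page("Tue, 11 May 2010 19:28:07 GMT"),
    "198.51.100.20": b"HTTP/1.0 400 Bad Request\r\nServer: squid/3.1\r\n\r\nERR_INVALID_URL",
    "203.0.113.30": None,
}
# `netstat -ltn` as it would look on a server that runs sshd and a web server only.
SAMPLE_NETSTAT = """Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) < 3:
        sys.exit("usage: probe.py HOST1 HOST2 [HOST3 ...]  (unrelated hosts)")
    for port in PORTS:
        print(port, classify({h: grab_banner(h, port) for h in sys.argv[1:]}))
```

Run it from outside with two or more unrelated targets, then run `netstat -ltn` on the server and feed that output to `listening_ports`. The same fingerprint from every target combined with no LISTEN entry for those ports on the server means the answer is coming from something in the path, not from the host; differing fingerprints, or a LISTEN entry you did not install, point back at the machine itself.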