Re: [gentoo-user] I've been hacked.

[Paul Hartman <paul.hartman+gentoo@gmail.com>]

On Tue, May 11, 2010 at 1:54 AM, Grant <emailgrant@gmail.com> wrote:
>>> I nmap'ed one of my remote Gentoo servers today and besides the
>>> expected open ports were these:
>>>
>>> 1080/tcp open  socks
>>> 3128/tcp open  squid-http
>>> 8080/tcp open  http-proxy
>>>
>>> I'm not running any sort of proxy software that I know of and I should
>>> be the only person whatsoever with access to the machine.  'netstat
>>> -l' doesn't show any info on those ports at all so I suppose it's been
>>> hacked as well?  I installed and ran 'rkhunter --check' (what happened
>>> to the chrootkit ebuild?) but it doesn't seem to be much use since I
>>> hadn't established a "file of stored file properties".
>>>
>>> What do you guys think is going on?  What should I do from here?
>>
>> What does lsof (I'd reinstall it afresh) show with regards to strange users?
>> What users the above services run under.  If indeed they are not legitimate
>> and you confirm that they are not being run as packages that you installed,
>> then I'm afraid the only sane option is to reinstall.
>
> Wow.  I'm actually seeing the same thing from other domains I nmap.
> Could my ISP have some kind of a weird environment set up that makes
> it look like there are ports such as these open on remote systems?
> Right now I'm on some kind of a shared connection where everyone has
> their own modem or router or whatever it is, but I think everyone's IP
> is the same.

Like Norman suggested, sounds like maybe your ISP or local IT staff
are playing man-in-the-middle.

Try running the Netalyzer (warning: java) maybe it can tell you about
it. http://netalyzr.icsi.berkeley.edu/

Otherwise, I would try to nmap your server from a different internet
connection when possible. Hopefully you won't see those ports open on
your server. Hopefully. :)

I think nmap is typically not recommended to be run from behind
router/NAT because the results are not necessarily true.