From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from pigeon.gentoo.org ([208.92.234.80] helo=lists.gentoo.org) by finch.gentoo.org with esmtp (Exim 4.60) (envelope-from ) id 1OBqT9-000819-6S for garchives@archives.gentoo.org; Tue, 11 May 2010 14:29:59 +0000 Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 08501E08FE; Tue, 11 May 2010 14:29:32 +0000 (UTC) Received: from mail-yw0-f192.google.com (mail-yw0-f192.google.com [209.85.211.192]) by pigeon.gentoo.org (Postfix) with ESMTP id 7D430E08FE for ; Tue, 11 May 2010 14:29:32 +0000 (UTC) Received: by ywh30 with SMTP id 30so441382ywh.10 for ; Tue, 11 May 2010 07:29:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:sender:received :in-reply-to:references:date:x-google-sender-auth:message-id:subject :from:to:content-type; bh=tRuUB6gxflgTC8MWpMZK4XMUfkuN4n7xgO4lG9Tn5Pc=; b=h+Ab1AOnGRhMB/ReVv52Qr9qs7iA3pA/Do6uKzzC1a9d2kCQDf24wcJbFmdbuC3NI6 xUFOBRND2crhUvTdOLRJDWZ6K8REqOjSmEK47ttnt8G/G1yBmzxXbrvLWaSRxJC9oMiQ bK76gJNYusFLaApyh3af0ffi1llMvpQi7c7/4= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:content-type; b=fy6/g2+bUzxKTN+FUwZ90gK7kk9WqK+cpwkEfTpYw8cVhQYjtnGXu9cN0O8JCwUQea HjIwNKEcydWICQmHo3YJEtKum5XSE+1OnJFij3J4J+x+STOM/8NuA//F90ithlMwfZt5 VTV8Cs36cv59U1+9Q1RxicedcyBF2yd1nPEdI= Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-user@lists.gentoo.org Reply-to: gentoo-user@lists.gentoo.org MIME-Version: 1.0 Received: by 10.150.7.1 with SMTP id 1mr10803479ybg.191.1273588168197; Tue, 11 May 2010 07:29:28 -0700 (PDT) Sender: paul.hartman@gmail.com Received: by 10.151.108.5 with HTTP; Tue, 11 May 2010 07:29:27 -0700 (PDT) In-Reply-To: References: <201005110633.42037.michaelkintzios@gmail.com> Date: Tue, 11 May 2010 09:29:27 -0500 X-Google-Sender-Auth: kxW6K3KW5-rrE78GwGwMWV0suD4 Message-ID: Subject: Re: [gentoo-user] I've been hacked. From: Paul Hartman To: gentoo-user@lists.gentoo.org Content-Type: text/plain; charset=ISO-8859-1 X-Archives-Salt: d9689b0f-0d9f-4b1f-bbcd-2027ed0fa645 X-Archives-Hash: a7af8b3bc2844583d615a76c86e14ad1 On Tue, May 11, 2010 at 1:54 AM, Grant wrote: >>> I nmap'ed one of my remote Gentoo servers today and besides the >>> expected open ports were these: >>> >>> 1080/tcp open socks >>> 3128/tcp open squid-http >>> 8080/tcp open http-proxy >>> >>> I'm not running any sort of proxy software that I know of and I should >>> be the only person whatsoever with access to the machine. 'netstat >>> -l' doesn't show any info on those ports at all so I suppose it's been >>> hacked as well? I installed and ran 'rkhunter --check' (what happened >>> to the chrootkit ebuild?) but it doesn't seem to be much use since I >>> hadn't established a "file of stored file properties". >>> >>> What do you guys think is going on? What should I do from here? >> >> What does lsof (I'd reinstall it afresh) show with regards to strange users? >> What users the above services run under. If indeed they are not legitimate >> and you confirm that they are not being run as packages that you installed, >> then I'm afraid the only sane option is to reinstall. > > Wow. I'm actually seeing the same thing from other domains I nmap. > Could my ISP have some kind of a weird environment set up that makes > it look like there are ports such as these open on remote systems? > Right now I'm on some kind of a shared connection where everyone has > their own modem or router or whatever it is, but I think everyone's IP > is the same. Like Norman suggested, sounds like maybe your ISP or local IT staff are playing man-in-the-middle. Try running the Netalyzer (warning: java) maybe it can tell you about it. http://netalyzr.icsi.berkeley.edu/ Otherwise, I would try to nmap your server from a different internet connection when possible. Hopefully you won't see those ports open on your server. Hopefully. :) I think nmap is typically not recommended to be run from behind router/NAT because the results are not necessarily true.