[gentoo-user] I've been hacked.

[gentoo-user] I've been hacked.

[Grant]

I nmap'ed one of my remote Gentoo servers today and besides the
expected open ports were these:

1080/tcp open  socks
3128/tcp open  squid-http
8080/tcp open  http-proxy

I'm not running any sort of proxy software that I know of and I should
be the only person whatsoever with access to the machine.  'netstat
-l' doesn't show any info on those ports at all so I suppose it's been
hacked as well?  I installed and ran 'rkhunter --check' (what happened
to the chrootkit ebuild?) but it doesn't seem to be much use since I
hadn't established a "file of stored file properties".

What do you guys think is going on?  What should I do from here?

- Grant

Re: [gentoo-user] I've been hacked.

[Mick]

[-- Attachment #1: Type: Text/Plain, Size: 1048 bytes --]

On Tuesday 11 May 2010 05:58:28 Grant wrote:
> I nmap'ed one of my remote Gentoo servers today and besides the
> expected open ports were these:
> 
> 1080/tcp open  socks
> 3128/tcp open  squid-http
> 8080/tcp open  http-proxy
> 
> I'm not running any sort of proxy software that I know of and I should
> be the only person whatsoever with access to the machine.  'netstat
> -l' doesn't show any info on those ports at all so I suppose it's been
> hacked as well?  I installed and ran 'rkhunter --check' (what happened
> to the chrootkit ebuild?) but it doesn't seem to be much use since I
> hadn't established a "file of stored file properties".
> 
> What do you guys think is going on?  What should I do from here?

What does lsof (I'd reinstall it afresh) show with regards to strange users? 
What users the above services run under.  If indeed they are not legitimate 
and you confirm that they are not being run as packages that you installed, 
then I'm afraid the only sane option is to reinstall.

-- 
Regards,
Mick

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

Re: [gentoo-user] I've been hacked.

[Grant]

>> I nmap'ed one of my remote Gentoo servers today and besides the
>> expected open ports were these:
>>
>> 1080/tcp open  socks
>> 3128/tcp open  squid-http
>> 8080/tcp open  http-proxy
>>
>> I'm not running any sort of proxy software that I know of and I should
>> be the only person whatsoever with access to the machine.  'netstat
>> -l' doesn't show any info on those ports at all so I suppose it's been
>> hacked as well?  I installed and ran 'rkhunter --check' (what happened
>> to the chrootkit ebuild?) but it doesn't seem to be much use since I
>> hadn't established a "file of stored file properties".
>>
>> What do you guys think is going on?  What should I do from here?
>
> What does lsof (I'd reinstall it afresh) show with regards to strange users?
> What users the above services run under.  If indeed they are not legitimate
> and you confirm that they are not being run as packages that you installed,
> then I'm afraid the only sane option is to reinstall.

Wow.  I'm actually seeing the same thing from other domains I nmap.
Could my ISP have some kind of a weird environment set up that makes
it look like there are ports such as these open on remote systems?
Right now I'm on some kind of a shared connection where everyone has
their own modem or router or whatever it is, but I think everyone's IP
is the same.

- Grant

Re: [gentoo-user] I've been hacked.

[Norman Rieß]

Am 05/11/10 08:54, schrieb Grant:
>>> I nmap'ed one of my remote Gentoo servers today and besides the
>>> expected open ports were these:
>>>
>>> 1080/tcp open  socks
>>> 3128/tcp open  squid-http
>>> 8080/tcp open  http-proxy
>>>
>>> I'm not running any sort of proxy software that I know of and I should
>>> be the only person whatsoever with access to the machine.  'netstat
>>> -l' doesn't show any info on those ports at all so I suppose it's been
>>> hacked as well?  I installed and ran 'rkhunter --check' (what happened
>>> to the chrootkit ebuild?) but it doesn't seem to be much use since I
>>> hadn't established a "file of stored file properties".
>>>
>>> What do you guys think is going on?  What should I do from here?
>>>        
>> What does lsof (I'd reinstall it afresh) show with regards to strange users?
>> What users the above services run under.  If indeed they are not legitimate
>> and you confirm that they are not being run as packages that you installed,
>> then I'm afraid the only sane option is to reinstall.
>>      
> Wow.  I'm actually seeing the same thing from other domains I nmap.
> Could my ISP have some kind of a weird environment set up that makes
> it look like there are ports such as these open on remote systems?
> Right now I'm on some kind of a shared connection where everyone has
> their own modem or router or whatever it is, but I think everyone's IP
> is the same.
>
> - Grant
>
>    
Hello,

looks like, your ISP has a Transparent Proxy Setup running.

Regards,
Norman

Re: [gentoo-user] I've been hacked.

[Mick]

On 11 May 2010 08:39, Norman Rieß <norman@smash-net.org> wrote:
> Am 05/11/10 08:54, schrieb Grant:
>>>>
>>>> I nmap'ed one of my remote Gentoo servers today and besides the
>>>> expected open ports were these:
>>>>
>>>> 1080/tcp open  socks
>>>> 3128/tcp open  squid-http
>>>> 8080/tcp open  http-proxy
>>>>
>>>> I'm not running any sort of proxy software that I know of and I should
>>>> be the only person whatsoever with access to the machine.  'netstat
>>>> -l' doesn't show any info on those ports at all so I suppose it's been
>>>> hacked as well?  I installed and ran 'rkhunter --check' (what happened
>>>> to the chrootkit ebuild?) but it doesn't seem to be much use since I
>>>> hadn't established a "file of stored file properties".
>>>>
>>>> What do you guys think is going on?  What should I do from here?
>>>>
>>>
>>> What does lsof (I'd reinstall it afresh) show with regards to strange
>>> users?
>>> What users the above services run under.  If indeed they are not
>>> legitimate
>>> and you confirm that they are not being run as packages that you
>>> installed,
>>> then I'm afraid the only sane option is to reinstall.
>>>
>>
>> Wow.  I'm actually seeing the same thing from other domains I nmap.
>> Could my ISP have some kind of a weird environment set up that makes
>> it look like there are ports such as these open on remote systems?
>> Right now I'm on some kind of a shared connection where everyone has
>> their own modem or router or whatever it is, but I think everyone's IP
>> is the same.
>>
>> - Grant
>>
>>
>
> Hello,
>
> looks like, your ISP has a Transparent Proxy Setup running.

Ports being shown as open does not mean that your machine is
listening, more like the firewall has some holes in it.  If the
firewall is not configured/running on your server itself, then you may
be alright.  Can you actually connect to your server using those
ports?

Have you tried telnet, or nc -v -z <your_host_name> <port> to see if
they are open?

If the above as well as lsof show nothing, can you nmap your machine
from within the LAN that it is hosted in?

HTH.
-- 
Regards,
Mick

Re: [gentoo-user] I've been hacked.

[Grant]

>>>>> I nmap'ed one of my remote Gentoo servers today and besides the
>>>>> expected open ports were these:
>>>>>
>>>>> 1080/tcp open  socks
>>>>> 3128/tcp open  squid-http
>>>>> 8080/tcp open  http-proxy
>>>>>
>>>>> I'm not running any sort of proxy software that I know of and I should
>>>>> be the only person whatsoever with access to the machine.  'netstat
>>>>> -l' doesn't show any info on those ports at all so I suppose it's been
>>>>> hacked as well?  I installed and ran 'rkhunter --check' (what happened
>>>>> to the chrootkit ebuild?) but it doesn't seem to be much use since I
>>>>> hadn't established a "file of stored file properties".
>>>>>
>>>>> What do you guys think is going on?  What should I do from here?
>>>>>
>>>>
>>>> What does lsof (I'd reinstall it afresh) show with regards to strange
>>>> users?
>>>> What users the above services run under.  If indeed they are not
>>>> legitimate
>>>> and you confirm that they are not being run as packages that you
>>>> installed,
>>>> then I'm afraid the only sane option is to reinstall.
>>>>
>>>
>>> Wow.  I'm actually seeing the same thing from other domains I nmap.
>>> Could my ISP have some kind of a weird environment set up that makes
>>> it look like there are ports such as these open on remote systems?
>>> Right now I'm on some kind of a shared connection where everyone has
>>> their own modem or router or whatever it is, but I think everyone's IP
>>> is the same.
>>>
>>> - Grant
>>>
>>>
>>
>> Hello,
>>
>> looks like, your ISP has a Transparent Proxy Setup running.

Should I be worried about that?

> Ports being shown as open does not mean that your machine is
> listening, more like the firewall has some holes in it.  If the

Really?  I thought a service had to be listening for the port to be
open.  So from nmap, there is no way to tell the difference between a
port that isn't blocked by a firewall and one that is listening?

> firewall is not configured/running on your server itself, then you may
> be alright.  Can you actually connect to your server using those
> ports?

If I enter the server's IP appended with one of the port numbers
listed above into a web browser, I get:

"tinyproxy 1.6.0
The page you requested was unavailable. The error code is listed
below. In addition, the HTML file which has been configured as the
page to be displayed when an error of this type was unavailable, with
the error code 14 (Bad address). Please contact your administrator.
Bad Request"

The thing is, I get the same thing from any domain I enter appended
with one of those ports.

> Have you tried telnet, or nc -v -z <your_host_name> <port> to see if
> they are open?

Can you tell me what package nc is included in?

- Grant

Re: [gentoo-user] I've been hacked.

[Paul Hartman]

On Tue, May 11, 2010 at 2:28 PM, Grant <emailgrant@gmail.com> wrote:
> Can you tell me what package nc is included in?

netcat

[gentoo-user] Re: I've been hacked.

[Nikos Chantziaras]

On 05/11/2010 10:28 PM, Grant wrote:
>>>>>> I nmap'ed one of my remote Gentoo servers today and besides the
>>>>>> expected open ports were these:
>>>>>>
>>>>>> 1080/tcp open  socks
>>>>>> 3128/tcp open  squid-http
>>>>>> 8080/tcp open  http-proxy
>>>>>>
>>>>>> I'm not running any sort of proxy software that I know of and I should
>>>>>> be the only person whatsoever with access to the machine.  'netstat
>>>>>> -l' doesn't show any info on those ports at all so I suppose it's been
>>>>>> hacked as well?  I installed and ran 'rkhunter --check' (what happened
>>>>>> to the chrootkit ebuild?) but it doesn't seem to be much use since I
>>>>>> hadn't established a "file of stored file properties".
>>>>>>
>>>>>> What do you guys think is going on?  What should I do from here?
>>>>>>
>>>>>
>>>>> What does lsof (I'd reinstall it afresh) show with regards to strange
>>>>> users?
>>>>> What users the above services run under.  If indeed they are not
>>>>> legitimate
>>>>> and you confirm that they are not being run as packages that you
>>>>> installed,
>>>>> then I'm afraid the only sane option is to reinstall.
>>>>>
>>>>
>>>> Wow.  I'm actually seeing the same thing from other domains I nmap.
>>>> Could my ISP have some kind of a weird environment set up that makes
>>>> it look like there are ports such as these open on remote systems?
>>>> Right now I'm on some kind of a shared connection where everyone has
>>>> their own modem or router or whatever it is, but I think everyone's IP
>>>> is the same.
>>>>
>>>> - Grant
>>>>
>>>>
>>>
>>> Hello,
>>>
>>> looks like, your ISP has a Transparent Proxy Setup running.
>
> Should I be worried about that?

"Your ISP" in this case means the ISP of your home, not the server's. 
That means you will see these ports apparently open for every 
IP/hostname you try.

Re: [gentoo-user] I've been hacked.

[Adam]

>>> looks like, your ISP has a Transparent Proxy Setup running.
> 
> Should I be worried about that?

No.

>> Ports being shown as open does not mean that your machine is
>> listening, more like the firewall has some holes in it.  If the
> 
> Really?  I thought a service had to be listening for the port to be
> open.  So from nmap, there is no way to tell the difference between a
> port that isn't blocked by a firewall and one that is listening?

You're right - a TCP service does need to be listening for the port to
be shown as open. However, a device in the path like a proxy may answer
on behalf of the actual destination. ISPs can do this so that you will
use their proxy without having to configure a proxy in your browser.

Firewalls can block ports in two ways;
1.Reject the packet, that is, respond to the SYN with an RST packet
(which is also what the operating system does if the port is closed) and
not forward the packet to the destination
2. Drop the packet, that is, dont respond to the packet or forward it on
to the destination.

Re: [gentoo-user] I've been hacked.

[Paul Hartman]

On Tue, May 11, 2010 at 1:54 AM, Grant <emailgrant@gmail.com> wrote:
>>> I nmap'ed one of my remote Gentoo servers today and besides the
>>> expected open ports were these:
>>>
>>> 1080/tcp open  socks
>>> 3128/tcp open  squid-http
>>> 8080/tcp open  http-proxy
>>>
>>> I'm not running any sort of proxy software that I know of and I should
>>> be the only person whatsoever with access to the machine.  'netstat
>>> -l' doesn't show any info on those ports at all so I suppose it's been
>>> hacked as well?  I installed and ran 'rkhunter --check' (what happened
>>> to the chrootkit ebuild?) but it doesn't seem to be much use since I
>>> hadn't established a "file of stored file properties".
>>>
>>> What do you guys think is going on?  What should I do from here?
>>
>> What does lsof (I'd reinstall it afresh) show with regards to strange users?
>> What users the above services run under.  If indeed they are not legitimate
>> and you confirm that they are not being run as packages that you installed,
>> then I'm afraid the only sane option is to reinstall.
>
> Wow.  I'm actually seeing the same thing from other domains I nmap.
> Could my ISP have some kind of a weird environment set up that makes
> it look like there are ports such as these open on remote systems?
> Right now I'm on some kind of a shared connection where everyone has
> their own modem or router or whatever it is, but I think everyone's IP
> is the same.

Like Norman suggested, sounds like maybe your ISP or local IT staff
are playing man-in-the-middle.

Try running the Netalyzer (warning: java) maybe it can tell you about
it. http://netalyzr.icsi.berkeley.edu/

Otherwise, I would try to nmap your server from a different internet
connection when possible. Hopefully you won't see those ports open on
your server. Hopefully. :)

I think nmap is typically not recommended to be run from behind
router/NAT because the results are not necessarily true.