public inbox for gentoo-user@lists.gentoo.org
From: Mick <michaelkintzios@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] I've been hacked.
Date: Tue, 11 May 2010 15:09:17 +0100	[thread overview]
Message-ID: <AANLkTilitpTyR1HKGitUg6x1c-mdxLAXkgksM81pPA6J@mail.gmail.com> (raw)
In-Reply-To: <4BE909CB.2090105@smash-net.org>

On 11 May 2010 08:39, Norman Rieß <norman@smash-net.org> wrote:
> On 05/11/10 08:54, Grant wrote:
>>>>
>>>> I nmap'ed one of my remote Gentoo servers today and besides the
>>>> expected open ports were these:
>>>>
>>>> 1080/tcp open  socks
>>>> 3128/tcp open  squid-http
>>>> 8080/tcp open  http-proxy
>>>>
>>>> I'm not running any sort of proxy software that I know of and I should
>>>> be the only person whatsoever with access to the machine.  'netstat
>>>> -l' doesn't show any info on those ports at all so I suppose it's been
>>>> hacked as well?  I installed and ran 'rkhunter --check' (what happened
>>>> to the chrootkit ebuild?) but it doesn't seem to be much use since I
>>>> hadn't established a "file of stored file properties".
>>>>
>>>> What do you guys think is going on?  What should I do from here?
>>>>
>>>
>>> What does lsof (I'd reinstall it afresh) show with regards to strange
>>> users?
>>> What users the above services run under.  If indeed they are not
>>> legitimate
>>> and you confirm that they are not being run as packages that you
>>> installed,
>>> then I'm afraid the only sane option is to reinstall.
>>>
>>
>> Wow.  I'm actually seeing the same thing from other domains I nmap.
>> Could my ISP have some kind of a weird environment set up that makes
>> it look like there are ports such as these open on remote systems?
>> Right now I'm on some kind of a shared connection where everyone has
>> their own modem or router or whatever it is, but I think everyone's IP
>> is the same.
>>
>> - Grant
>>
>>
>
> Hello,
>
> Looks like your ISP has a transparent proxy setup running.

Ports being shown as open does not mean that your machine is
listening, more like the firewall has some holes in it.  If the
firewall is not configured/running on your server itself, then you may
be alright.  Can you actually connect to your server using those
ports?

Have you tried telnet, or nc -v -z <your_host_name> <port> to see if
they are open?

If the above as well as lsof show nothing, can you nmap your machine
from within the LAN that it is hosted in?

HTH.
-- 
Regards,
Mick
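The cross-check Mick describes above (does the host itself listen, can a connect actually be completed, and what the combination means), written up as an added example that is not part of the thread. It assumes ss or netstat and nc are installed; the host name and port list in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: compare ports nmap reports as open from outside with what
# the host is really listening on, then classify each combination.

# Does this host have a TCP listener on port $1?  Prints yes/no.
# Uses ss (iproute2) and falls back to netstat; column 4 is Local Address:Port.
local_listener() {
    if { ss -Hltn 2>/dev/null || netstat -ltn 2>/dev/null; } \
        | awk '{print $4}' | grep -qE ":$1\$"; then
        echo yes
    else
        echo no
    fi
}

# Can a TCP connect to $1:$2 be completed from here (nc -z, 3 s timeout)?
remote_reachable() {
    if nc -z -w 3 "$1" "$2" >/dev/null 2>&1; then echo yes; else echo no; fi
}

# Pure classification of the two observations, kept separate so it can be
# exercised without network access.  $1 port, $2 local listener (yes/no),
# $3 reachable from the scanning host (yes/no).
classify_port() {
    case "$2/$3" in
        yes/yes) echo "$1: listening on host and reachable - identify the process with lsof -i :$1" ;;
        yes/no)  echo "$1: listening on host but not reachable - a firewall in the path blocks it" ;;
        no/yes)  echo "$1: nothing listening on host yet connect succeeds - something in the path (e.g. an ISP transparent proxy) answers for it; rescan from inside the LAN" ;;
        no/no)   echo "$1: not listening and not reachable - nmap's 'open' could not be reproduced" ;;
        *)       echo "$1: unrecognised observation '$2/$3'" >&2; return 1 ;;
    esac
}

# Run the cross-check for every port given.  Run it on the server itself
# (host=localhost) or from a LAN neighbour with host set to the server.
check_ports() {
    host=$1; shift
    for p in "$@"; do
        classify_port "$p" "$(local_listener "$p")" "$(remote_reachable "$host" "$p")"
    done
}

# Placeholder invocation for the ports seen in the thread:
# check_ports your.server.example 1080 3128 8080
```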


