Date: Tue, 11 May 2010 15:09:17 +0100
From: Mick
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] I've been hacked.
In-Reply-To: <4BE909CB.2090105@smash-net.org>
References: <201005110633.42037.michaelkintzios@gmail.com> <4BE909CB.2090105@smash-net.org>
List-Id: Gentoo Linux mail

On 11 May 2010 08:39, Norman Rieß wrote:
> On 05/11/10 08:54, Grant wrote:
>>>>
>>>> I nmap'ed one of my remote Gentoo servers today and besides the
>>>> expected open ports were these:
>>>>
>>>> 1080/tcp open  socks
>>>> 3128/tcp open  squid-http
>>>> 8080/tcp open  http-proxy
>>>>
>>>> I'm not running any sort of proxy software that I know of and I should
>>>> be the only person whatsoever with access to the machine.  'netstat
>>>> -l' doesn't show any info on those ports at all so I suppose it's been
>>>> hacked as well?  I installed and ran 'rkhunter --check' (what happened
>>>> to the chkrootkit ebuild?) but it doesn't seem to be much use since I
>>>> hadn't established a "file of stored file properties".
>>>>
>>>> What do you guys think is going on?  What should I do from here?
>>>>
>>>
>>> What does lsof (I'd reinstall it afresh) show with regards to strange
>>> users?
>>> What users do the above services run under?  If indeed they are not
>>> legitimate
>>> and you confirm that they are not being run as packages that you
>>> installed,
>>> then I'm afraid the only sane option is to reinstall.
>>>
>>
>> Wow.  I'm actually seeing the same thing from other domains I nmap.
>> Could my ISP have some kind of a weird environment set up that makes
>> it look like there are ports such as these open on remote systems?
>> Right now I'm on some kind of a shared connection where everyone has
>> their own modem or router or whatever it is, but I think everyone's IP
>> is the same.
>>
>> - Grant
>>
>>
>
> Hello,
>
> looks like your ISP has a Transparent Proxy Setup running.
Ports being shown as open does not mean that your machine is listening; it is more likely that the firewall has some holes in it. If the firewall is not configured/running on your server itself, then you may be alright. Can you actually connect to your server using those ports? Have you tried telnet, or nc -v -z, to see if they are open? If the above as well as lsof show nothing, can you nmap your machine from within the LAN that it is hosted in?

HTH.
-- 
Regards,
Mick
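The cross-check the thread converges on (probe the ports from outside as nc -v -z would, then compare with what netstat -l or ss -ltn reports on the server itself) as an added Python example. This is not code from the thread or from any Gentoo tool; the netstat listing below is constructed, and the port list and verdict strings are illustrative. A port that answers a remote connect but has no listening socket on the server is exactly the pattern Grant saw, and it means something in the path (here, the ISP's transparent proxy) is answering for the host, or a local listener is being hidden from the socket table.

```python
# Added example, not from the gentoo-user thread. Probes ports with a TCP
# connect (what "nc -v -z host port" does) and cross-checks the results
# against a netstat -ltn / ss -ltn style listing taken on the server.
import re
import socket
from typing import Dict, Iterable, Set, Tuple

# The three "unexpected" ports from the original report.
PROBE_PORTS = [1080, 3128, 8080]

# Constructed stand-in for what 'netstat -ltn' printed on the server
# (only sshd and a loopback-bound MTA listening; none of PROBE_PORTS).
SAMPLE_LISTING = (
    "Proto Recv-Q Send-Q Local Address   Foreign Address State\n"
    "tcp        0      0 0.0.0.0:22      0.0.0.0:*       LISTEN\n"
    "tcp        0      0 127.0.0.1:25    0.0.0.0:*       LISTEN\n"
)

LOCAL_PORT_RE = re.compile(r":(\d+)$")


def probe_port(host: str, port: int, timeout: float = 2.0) -> str:
    """TCP connect probe: 'open' (SYN/ACK), 'closed' (RST) or 'filtered' (no answer)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"       # RST came back: nothing listening, nothing intercepting
    except OSError:           # includes socket.timeout: dropped by a firewall or unreachable
        return "filtered"


def scan(host: str, ports: Iterable[int], timeout: float = 2.0) -> Dict[int, str]:
    return {p: probe_port(host, p, timeout) for p in ports}


def listening_ports(listing: str) -> Set[int]:
    """Parse local TCP listening ports out of netstat -ltn or ss -ltn output.
    In both formats the local address:port is the 4th whitespace field."""
    ports: Set[int] = set()
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 4 or "LISTEN" not in fields:
            continue
        m = LOCAL_PORT_RE.search(fields[3])   # handles 0.0.0.0:22, [::]:22, *:22
        if m:
            ports.add(int(m.group(1)))
    return ports


def classify(remote: Dict[int, str], local: Set[int]) -> Dict[int, str]:
    """Combine the outside view with the server's own socket table."""
    verdict: Dict[int, str] = {}
    for port, state in remote.items():
        if state == "open" and port in local:
            verdict[port] = "open, server is listening"
        elif state == "open":
            # The thread's symptom: answered in the path (transparent proxy)
            # or a listener hidden from the socket table (rootkit territory).
            verdict[port] = "open remotely but no local listener: answered in the path or hidden"
        elif port in local:
            verdict[port] = f"{state} remotely, but listening locally: blocked by a firewall"
        else:
            verdict[port] = state
    return verdict


def local_probe_demo() -> Tuple[str, str]:
    """Self-check on loopback: probe a port with a listener, then the same port without one."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    try:
        with_listener = probe_port("127.0.0.1", port, timeout=1.0)
    finally:
        srv.close()
    without_listener = probe_port("127.0.0.1", port, timeout=1.0)
    return with_listener, without_listener


if __name__ == "__main__":
    print("loopback self-check (open, closed):", local_probe_demo())
    # Offline walk-through of the thread's situation: the proxy ports answer
    # from outside, the server's own table shows only 22 and 25.
    remote_view = {1080: "open", 3128: "open", 8080: "open", 22: "open", 25: "closed"}
    for port, verdict in sorted(classify(remote_view, listening_ports(SAMPLE_LISTING)).items()):
        print(f"{port:>5}/tcp  {verdict}")
```

Run it against a real host with scan("your.server", PROBE_PORTS) from outside and again from inside the LAN, as Mick suggests; if the ports only read "open" from outside, the answer is coming from the ISP's path, not from the box. If they read "open" from inside the LAN too while the socket table is still empty, treat the host as compromised.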