public inbox for gentoo-user@lists.gentoo.org
 help / color / mirror / Atom feed
From: Nikos Chantziaras <realnc@arcor.de>
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user] Re: I've been hacked.
Date: Tue, 11 May 2010 22:48:12 +0300	[thread overview]
Message-ID: <hscc8p$jk4$1@dough.gmane.org> (raw)
In-Reply-To: <AANLkTilafSTLD-p-_W7xb2CtCwMrM15ZV9NY9dhUS5Te@mail.gmail.com>

On 05/11/2010 10:28 PM, Grant wrote:
>>>>>> I nmap'ed one of my remote Gentoo servers today and besides the
>>>>>> expected open ports were these:
>>>>>>
>>>>>> 1080/tcp open  socks
>>>>>> 3128/tcp open  squid-http
>>>>>> 8080/tcp open  http-proxy
>>>>>>
>>>>>> I'm not running any sort of proxy software that I know of and I should
>>>>>> be the only person whatsoever with access to the machine.  'netstat
>>>>>> -l' doesn't show any info on those ports at all so I suppose it's been
>>>>>> hacked as well?  I installed and ran 'rkhunter --check' (what happened
>>>>>> to the chrootkit ebuild?) but it doesn't seem to be much use since I
>>>>>> hadn't established a "file of stored file properties".
>>>>>>
>>>>>> What do you guys think is going on?  What should I do from here?
>>>>>>
>>>>>
>>>>> What does lsof (I'd reinstall it afresh) show with regards to strange
>>>>> users?
>>>>> What users the above services run under.  If indeed they are not
>>>>> legitimate
>>>>> and you confirm that they are not being run as packages that you
>>>>> installed,
>>>>> then I'm afraid the only sane option is to reinstall.
>>>>>
>>>>
>>>> Wow.  I'm actually seeing the same thing from other domains I nmap.
>>>> Could my ISP have some kind of a weird environment set up that makes
>>>> it look like there are ports such as these open on remote systems?
>>>> Right now I'm on some kind of a shared connection where everyone has
>>>> their own modem or router or whatever it is, but I think everyone's IP
>>>> is the same.
>>>>
>>>> - Grant
>>>>
>>>>
>>>
>>> Hello,
>>>
>>> looks like, your ISP has a Transparent Proxy Setup running.
>
> Should I be worried about that?

"Your ISP" in this case means the ISP of your home, not the server's. 
That means you will see these ports apparently open for every 
IP/hostname you try.




  parent reply	other threads:[~2010-05-11 19:48 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2010-05-11  4:58 [gentoo-user] I've been hacked Grant
2010-05-11  5:33 ` Mick
2010-05-11  6:54   ` Grant
2010-05-11  7:39     ` Norman Rieß
2010-05-11 14:09       ` Mick
2010-05-11 19:28         ` Grant
2010-05-11 19:40           ` Paul Hartman
2010-05-11 19:48           ` Nikos Chantziaras [this message]
2010-05-12 11:40           ` Adam
2010-05-11 14:29     ` Paul Hartman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='hscc8p$jk4$1@dough.gmane.org' \
    --to=realnc@arcor.de \
    --cc=gentoo-user@lists.gentoo.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox