From: Mike Dewhirst
To: questions@freebsd.org
Subject: RE: have I been hacked?!
Date: Fri, 5 Apr 2002 09:01:04 +0100
Message-ID: <0B0368CED76DD4118E1200D0B73E9B5D041E9FA8@MAIL1>

Gets a little stranger. I rebooted the box (before I read these emails) and now the ports are dead - as in they're not listening anymore...

Would installing a firewall on the same machine be a good security measure, or an overkill?

Thank you very much for the help so far and in advance for more :)

Mike

PS Apologies for HTML mail - M$ Exchange at work....

> -----Original Message-----
> From: Joseph Wright [mailto:jwright@mbakercorp.com]
> Sent: 04 April 2002 17:39
> To: questions@freebsd.org; Dewhirst.M@UCLES.org.uk
> Subject: Re: have I been hacked?!
>
>
> These might just be pieces of software that were installed a while back.
> Both are valid pieces of software listening on the correct port.
>
> netcheque on 4008 is used for the NetCheque Accounting package
>
> and
>
> funkproxy 1505 is used for Funk Software, Inc. proxy server
>
> you might want to check who owns the process; use: sockstat
>
> >>> Mike Dewhirst 04/04/02 05:13PM >>>
> I did a netscan of my box (which I've not done for 2-3 months or so)
> and spotted this:
>
> 1505/tcp   open        funkproxy
> 4008/tcp   open        netcheque
>
> I've never heard of either.
>
> Has the system been compromised?
>
> Any help would be extremely appreciated.
>
> Mike
>
>
> This message was written in plain text mode.
> Everything below the dotted line was not
> written by the author of this email.
> ----------------------
>
>
> =**********************************************************
>
> If you are not the intended recipient, employee or agent responsible
> for delivering the message to the intended recipient, you are hereby
> notified that any dissemination or copying of this communication and its
> attachments is strictly prohibited.
>
> If you have received this communication and its attachments in error,
> please return the original message and attachments to the sender using
> the reply facility on e-mail.
>
> Internet communications are not secure and therefore the UCLES Group
> does not accept legal responsibility for the contents of this message.
> Any views or opinions presented are solely those of the author and do
> not necessarily represent those of the UCLES Group unless otherwise
> specifically stated.
>
> This footnote also confirms that this email message has been swept by
> MIMEsweeper for the presence of computer viruses although this does not
> guarantee that this email is virus free.
>
> **********************************************************=
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
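The `sockstat` check suggested in the quoted reply, as an added example that is not part of the original thread: a small filter that reports the owning user, command and PID for each port of interest and says so explicitly when nothing is listening (the state described after the reboot). The function name `port_owners` and the sample listing are constructed for illustration, and the column layout assumed is that of FreeBSD `sockstat -4l`.

```shell
#!/bin/sh
# Added example. Reads `sockstat -4l` output on stdin; arguments are the
# TCP/UDP port numbers to look up. Assumed columns:
#   USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS

port_owners() {
    awk -v ports="$*" '
        BEGIN { n = split(ports, want, " ") }
        $1 == "USER" && $2 == "COMMAND" { next }   # skip the header row
        NF >= 6 {
            addr = $6
            port = addr
            sub(/^.*:/, "", port)                  # keep text after the last colon
            for (i = 1; i <= n; i++)
                if (port == want[i]) {
                    printf "%s/%s user=%s command=%s pid=%s local=%s\n",
                           port, $5, $1, $2, $3, addr
                    seen[port] = 1
                }
        }
        END {
            # A scanned port with no listener now is still worth recording.
            for (i = 1; i <= n; i++)
                if (!(want[i] in seen))
                    printf "%s no-listener\n", want[i]
        }
    '
}

# Constructed sample listing (not taken from the thread's machine).
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       187   3  tcp4   *:22                  *:*
mike     examplesvc 412   5  tcp4   *:1505                *:*
root     sendmail   201   4  tcp4   127.0.0.1:25          *:*'

# Offline run against the sample; on a live FreeBSD host use:
#   sockstat -4l | port_owners 1505 4008
printf '%s\n' "$SAMPLE" | port_owners 1505 4008
```

The service names a scanner prints beside a port are a lookup on the port number, so the command and PID reported here are what identify the listener.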