Date:      Wed, 18 Jan 2006 11:29:38 +0200
From:      Kilian Hagemann <hagemann1@egs.uct.ac.za>
To:        freebsd-questions@freebsd.org
Subject:   Re: Have I been hacked or is nmap wrong?
Message-ID:  <200601181129.38634.hagemann1@egs.uct.ac.za>
In-Reply-To: <078501c61b8b$478265d0$4df24243@tsgincorporated.com>
References:  <200601171907.17831.hagemann1@egs.uct.ac.za> <078501c61b8b$478265d0$4df24243@tsgincorporated.com>

On Tuesday 17 January 2006 19:27, Micheal Patterson pondered:
> > The 1663 ports scanned but not shown below are in state: filtered)
> > PORT     STATE SERVICE
> > 80/tcp   open  http
> > 554/tcp  open  rtsp
> > 1755/tcp open  wms
> > 5190/tcp open  aol
>
> Kilian, what does a sockstat show you on those systems and are there any
> nats on either of these systems that would have a redirect_address to
> something behind them?

sockstat -4l only shows the processes serving the LAN (dnsmasq, samba) as 
well as sshd:
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     smbd       484   18 tcp4   192.168.133.1:445     *:*
root     smbd       484   19 tcp4   192.168.133.1:139     *:*
root     nmbd       480   6  udp4   *:137                 *:*
root     nmbd       480   7  udp4   *:138                 *:*
root     nmbd       480   8  udp4   192.168.133.1:137     *:*
root     nmbd       480   9  udp4   192.168.133.1:138     *:*
nobody   dnsmasq    458   1  udp4   *:56212               *:*
nobody   dnsmasq    458   3  udp4   *:53                  *:*
nobody   dnsmasq    458   4  tcp4   *:53                  *:*
nobody   dnsmasq    458   5  udp4   *:67                  *:*
root     sshd       432   3  tcp4   *:22                  *:*
root     syslogd    311   4  udp4   *:514                 *:*

So nothing suspect at all here. Yes, the systems are NATted (with the above 
system's LAN on 192.168.133.0/24), using ppp -nat. I have no specific 
redirects set up, and only an "allow tcp/udp from LAN to WAN/any setup 
keep-state" dynamic rule, but that should be unrelated.

If my server is not compromised, how the heck could an http/rtsp/wms/aol 
redirect sneak in there without me explicitly enabling it?

-- 
Kilian Hagemann

Climate Systems Analysis Group
University of Cape Town
Republic of South Africa
Tel(w): ++27 21 650 2748
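The comparison Kilian is doing by hand above, as an added example that is not part of this thread: parse the nmap port table and the `sockstat -4l` listener list and report every port the external scan calls open but which no local socket is listening on. Such a port cannot be explained by a process on the box itself, so it is the one to chase as a NAT redirect or an intermediate device; the sample inputs are constructed from the outputs quoted in the thread.

```python
import re

# Constructed sample inputs, modelled on the outputs quoted in this thread.
NMAP_OUTPUT = """\
PORT     STATE SERVICE
80/tcp   open  http
554/tcp  open  rtsp
1755/tcp open  wms
5190/tcp open  aol
"""

SOCKSTAT_OUTPUT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     smbd       484   18 tcp4   192.168.133.1:445     *:*
root     smbd       484   19 tcp4   192.168.133.1:139     *:*
nobody   dnsmasq    458   4  tcp4   *:53                  *:*
root     sshd       432   3  tcp4   *:22                  *:*
root     syslogd    311   4  udp4   *:514                 *:*
"""

def parse_nmap_open_ports(text):
    """Return {(port, proto)} for nmap lines like '80/tcp   open  http'."""
    ports = set()
    for line in text.splitlines():
        m = re.match(r"^(\d+)/(tcp|udp)\s+open\b", line)
        if m:
            ports.add((int(m.group(1)), m.group(2)))
    return ports

def parse_sockstat_listeners(text):
    """Return {(port, proto): (user, command, bound_addr)} from 'sockstat -4l'."""
    listeners = {}
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 7:
            continue
        user, command, _pid, _fd, proto, local, _foreign = fields[:7]
        if not proto.startswith(("tcp", "udp")):
            continue
        addr, _, port = local.rpartition(":")  # '*:22' -> ('*', '22')
        listeners[(int(port), proto[:3])] = (user, command, addr)
    return listeners

def unexplained_open_ports(nmap_text, sockstat_text):
    """Ports the external scan sees open but nothing on this host listens on."""
    listening = parse_sockstat_listeners(sockstat_text)
    return sorted(p for p in parse_nmap_open_ports(nmap_text) if p not in listening)

if __name__ == "__main__":
    for port, proto in unexplained_open_ports(NMAP_OUTPUT, SOCKSTAT_OUTPUT):
        print(f"{port}/{proto}: open from outside, but no local listener")
```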
