From: Kilian Hagemann
Organization: University of Cape Town
To: freebsd-questions@freebsd.org
Date: Wed, 18 Jan 2006 11:29:38 +0200
Subject: Re: Have I been hacked or is nmap wrong?
On Tuesday 17 January 2006 19:27, Micheal Patterson pondered:

> > (The 1663 ports scanned but not shown below are in state: filtered)
> > PORT     STATE SERVICE
> > 80/tcp   open  http
> > 554/tcp  open  rtsp
> > 1755/tcp open  wms
> > 5190/tcp open  aol
>
> Kilian, what does a sockstat show you on those systems and are there any
> nats on either of these systems that would have a redirect_address to
> something behind them?

sockstat -4l only shows the processes serving the LAN (dnsmasq, samba) as
well as sshd:

USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     smbd       484   18 tcp4   192.168.133.1:445     *:*
root     smbd       484   19 tcp4   192.168.133.1:139     *:*
root     nmbd       480   6  udp4   *:137                 *:*
root     nmbd       480   7  udp4   *:138                 *:*
root     nmbd       480   8  udp4   192.168.133.1:137     *:*
root     nmbd       480   9  udp4   192.168.133.1:138     *:*
nobody   dnsmasq    458   1  udp4   *:56212               *:*
nobody   dnsmasq    458   3  udp4   *:53                  *:*
nobody   dnsmasq    458   4  tcp4   *:53                  *:*
nobody   dnsmasq    458   5  udp4   *:67                  *:*
root     sshd       432   3  tcp4   *:22                  *:*
root     syslogd    311   4  udp4   *:514                 *:*

So nothing suspect at all here. Yes, the systems are natted (with the above
system's LAN on 192.168.133.0/24), using ppp -nat. I have no specific
redirects set up, and only an "allow tcp/udp from LAN to WAN/any setup
keep-state" dynamic rule, but that should be unrelated.

If my server is not compromised, how the heck could an http/rtsp/wms/aol
redirect sneak in there without me explicitly enabling it?

-- 
Kilian Hagemann
Climate Systems Analysis Group
University of Cape Town
Republic of South Africa
Tel(w): ++27 21 650 2748
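The comparison Kilian does by eye above (ports an outside scan reports open versus what `sockstat -4l` shows actually listening) is the useful defensive check here: a port that answers from the WAN side but has no local listener is being served by something other than the host itself, such as a NAT redirect, an upstream device or a transparent proxy, and that is what to go looking for. Below is an added example of that cross-check written for this editorial note; it is not code from the thread. The `sockstat` listing is the one from the message, reproduced as constructed sample input; the scanned port list takes the four ports from the nmap output and adds 22 and 445 (an assumption, to exercise the other two outcomes); the LAN prefix 192.168.133. comes from the message.

```python
"""Cross-check externally open TCP ports against the host's own listening sockets.

A port reported open from outside but with no wildcard/WAN-bound local listener
cannot be answered by this host; look for a NAT redirect, an upstream device or
a proxy instead. Sample data below is constructed from the mailing-list message.
"""

# Constructed sample: the `sockstat -4l` listing quoted in the message.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     smbd       484   18 tcp4   192.168.133.1:445     *:*
root     smbd       484   19 tcp4   192.168.133.1:139     *:*
root     nmbd       480   6  udp4   *:137                 *:*
root     nmbd       480   7  udp4   *:138                 *:*
root     nmbd       480   8  udp4   192.168.133.1:137     *:*
root     nmbd       480   9  udp4   192.168.133.1:138     *:*
nobody   dnsmasq    458   1  udp4   *:56212               *:*
nobody   dnsmasq    458   3  udp4   *:53                  *:*
nobody   dnsmasq    458   4  tcp4   *:53                  *:*
nobody   dnsmasq    458   5  udp4   *:67                  *:*
root     sshd       432   3  tcp4   *:22                  *:*
root     syslogd    311   4  udp4   *:514                 *:*
"""

# Constructed: the four ports nmap reported open in the message (80, 554,
# 1755, 5190) plus 22 and 445, added here to show the other two verdicts.
SAMPLE_SCAN_OPEN = [22, 80, 445, 554, 1755, 5190]

# Assumption: the LAN side is 192.168.133.0/24 as stated in the message.
LAN_PREFIX = "192.168.133."


def parse_sockstat(text):
    """Return (proto, port, bind_addr, command) for every listening socket."""
    listeners = []
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 7:
            continue
        _user, command, _pid, _fd, proto, local, _foreign = fields[:7]
        bind_addr, _, port = local.rpartition(":")   # "addr:port", addr may be "*"
        if not port.isdigit():
            continue
        listeners.append((proto, int(port), bind_addr, command))
    return listeners


def classify_open_ports(scan_open, listeners, lan_prefix=LAN_PREFIX, proto="tcp4"):
    """Map each externally open port to what, if anything, explains it locally.

    'listener:<cmd>'  bound to the wildcard or a non-LAN address: the host itself
    'lan-only:<cmd>'  bound only to the LAN or loopback address: not WAN-reachable
    'no-listener'     nothing here listens: answered by NAT/upstream/proxy
    """
    by_port = {}
    for p, port, addr, cmd in listeners:
        if p == proto:
            by_port.setdefault(port, []).append((addr, cmd))

    verdicts = {}
    for port in scan_open:
        entries = by_port.get(port, [])
        wan_visible = [cmd for addr, cmd in entries
                       if not (addr.startswith(lan_prefix) or addr.startswith("127."))]
        if wan_visible:
            verdicts[port] = "listener:" + wan_visible[0]
        elif entries:
            verdicts[port] = "lan-only:" + entries[0][1]
        else:
            verdicts[port] = "no-listener"
    return verdicts


def unexplained_ports(scan_open, sockstat_text):
    """Ports open from outside that no process on this host can be serving."""
    verdicts = classify_open_ports(scan_open, parse_sockstat(sockstat_text))
    return sorted(p for p, v in verdicts.items() if v == "no-listener")


if __name__ == "__main__":
    verdicts = classify_open_ports(SAMPLE_SCAN_OPEN, parse_sockstat(SAMPLE_SOCKSTAT))
    for port in SAMPLE_SCAN_OPEN:
        print(f"{port:5d}/tcp  {verdicts[port]}")
```

Run against the message's data, 22 is explained by sshd, 445 is bound only to the LAN address (so the WAN side should not be reaching it), and 80, 554, 1755 and 5190 have no local listener at all, which is exactly the discrepancy that points away from a compromised daemon on the host and toward the NAT path (`ppp -nat` rules, or a device upstream of it) as the thing to inspect next.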