Date:      Wed, 18 Jan 2006 07:34:51 -0500
From:      Ken Stevenson <ken@abbott.allenmyland.com>
To:        Kilian Hagemann <hagemann1@egs.uct.ac.za>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Have I been hacked or is nmap wrong?
Message-ID:  <20060118123451.GA69630@abbott.allenmyland.com>
In-Reply-To: <200601181129.38634.hagemann1@egs.uct.ac.za>
References:  <200601171907.17831.hagemann1@egs.uct.ac.za> <078501c61b8b$478265d0$4df24243@tsgincorporated.com> <200601181129.38634.hagemann1@egs.uct.ac.za>

On Wed, Jan 18, 2006 at 11:29:38AM +0200, Kilian Hagemann wrote:
> On Tuesday 17 January 2006 19:27, Micheal Patterson pondered:
> > > The 1663 ports scanned but not shown below are in state: filtered)
> > > PORT     STATE SERVICE
> > > 80/tcp   open  http
> > > 554/tcp  open  rtsp
> > > 1755/tcp open  wms
> > > 5190/tcp open  aol
> >
> > Kilian, what does a sockstat show you on those systems and are there any
> > nats on either of these systems that would have a redirect_address to
> > something behind them?
> 
> sockstat -4l only shows up the processes serving the LAN (dnsmasq, samba) as 
> well as sshd:
> USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
> root     smbd       484   18 tcp4   192.168.133.1:445     *:*
> root     smbd       484   19 tcp4   192.168.133.1:139     *:*
> root     nmbd       480   6  udp4   *:137                 *:*
> root     nmbd       480   7  udp4   *:138                 *:*
> root     nmbd       480   8  udp4   192.168.133.1:137     *:*
> root     nmbd       480   9  udp4   192.168.133.1:138     *:*
> nobody   dnsmasq    458   1  udp4   *:56212               *:*
> nobody   dnsmasq    458   3  udp4   *:53                  *:*
> nobody   dnsmasq    458   4  tcp4   *:53                  *:*
> nobody   dnsmasq    458   5  udp4   *:67                  *:*
> root     sshd       432   3  tcp4   *:22                  *:*
> root     syslogd    311   4  udp4   *:514                 *:*
> 
> So nothing suspect at all here. Yes, the systems are natted (with the above system's 
> LAN on 192.168.133.0/24), using ppp -nat. I have no specific redirects set 
> up, and only an "allow tcp/udp from LAN to WAN/any setup keep-state" dynamic 
> rule, but that should be unrelated.
> 
> If my server is not compromised, how the heck could an http/rtsp/wms/aol 
> redirect sneak in there without me explicitly enabling it?
> 
Is there any chance you have a router that's forwarding the ports
in question to another computer?
-- 
Ken Stevenson
Allen-Myland Inc.
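One way to check this mechanically, as an added example that is not from the thread: a small Python script that parses nmap's port table and `sockstat -4l` output (the sample input below is constructed to mirror what Kilian posted) and lists every port nmap sees open from outside that no local listener reachable on the scanned address can explain. Anything it reports is being answered by something other than this host's own daemons, such as a NAT redirect or an upstream router.

```python
import re

# Constructed sample: the nmap port table quoted earlier in the thread.
NMAP_OUTPUT = """\
PORT     STATE SERVICE
80/tcp   open  http
554/tcp  open  rtsp
1755/tcp open  wms
5190/tcp open  aol
"""

# Constructed sample: a subset of the quoted sockstat -4l listing.
SOCKSTAT_OUTPUT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     smbd       484   18 tcp4   192.168.133.1:445     *:*
root     smbd       484   19 tcp4   192.168.133.1:139     *:*
nobody   dnsmasq    458   4  tcp4   *:53                  *:*
root     sshd       432   3  tcp4   *:22                  *:*
root     syslogd    311   4  udp4   *:514                 *:*
"""


def parse_nmap_open_ports(text):
    """Return a set of (port, proto) tuples that nmap reports as 'open'."""
    ports = set()
    for line in text.splitlines():
        m = re.match(r"^(\d+)/(tcp|udp)\s+open\b", line)
        if m:
            ports.add((int(m.group(1)), m.group(2)))
    return ports


def parse_sockstat_listeners(text):
    """Map (port, proto) -> (user, command, bind_address) from sockstat -4l output."""
    listeners = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] == "USER":   # skip header / short lines
            continue
        user, command, _pid, _fd, proto, local, _foreign = fields[:7]
        addr, _, port = local.rpartition(":")      # "192.168.133.1:445" -> addr, port
        listeners[(int(port), proto.rstrip("46"))] = (user, command, addr)
    return listeners


def unexplained_open_ports(nmap_text, sockstat_text, scanned_addr=None):
    """Ports open in the scan with no local listener bound to '*' or the scanned address."""
    listeners = parse_sockstat_listeners(sockstat_text)
    unexplained = []
    for key in sorted(parse_nmap_open_ports(nmap_text)):
        bound = listeners.get(key)
        if bound is None or bound[2] not in ("*", scanned_addr):
            unexplained.append(key)
    return unexplained
```

Run against the samples it reports all four scanned ports, matching the situation in the thread; a port like 22/tcp with sshd bound to `*` would be explained and dropped from the list.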