Date:      Tue, 17 Jan 2006 19:07:17 +0200
From:      Kilian Hagemann <hagemann1@egs.uct.ac.za>
To:        freebsd-questions@freebsd.org
Subject:   Have I been hacked or is nmap wrong?
Message-ID:  <200601171907.17831.hagemann1@egs.uct.ac.za>

Hi there,

I'm managing two FreeBSD based gateways, one running 5.2.1-RELEASE and the 
other 5.3-STABLE, both not having been updated since I installed from ISO 
images. They both have custom ipfw firewalls that are dropping pretty much 
everything that's not supposed to come in.

All was fine and dandy until one day I noticed that when I nmap'ed them from 
the outside, the one shows

(The 1663 ports scanned but not shown below are in state: filtered)
PORT     STATE SERVICE
80/tcp   open  http
554/tcp  open  rtsp
1755/tcp open  wms
5190/tcp open  aol

and the other the same without the http bit. When I nmap them from the only 
address that they allow ssh&rsync access from (my public IP at work), nmap 
says that ftp, smtp and irc(port 6668) are open.

Even though I have sendmail_enable="none" in my rc.conf I still get some 
sendmail entries in my syslog so that might explain the open smtp port, but 
the others are DEFINITELY NOT supposed to be open.

I haven't noticed anything different on the servers themselves and neither can 
I detect these open ports on the machine itself (using lsof -i :1-65535 or 
netstat). I also haven't noticed any abnormal traffic volumes originating 
from them.

So, have I been hacked and rootkitted? Or is nmap simply lying to me?

I've been subscribed to freebsd-announce and thus seen all SA's to date, but 
none of them are relevant to any of my setups.

-- 
Kilian Hagemann

Climate Systems Analysis Group
University of Cape Town
Republic of South Africa
Tel(w): ++27 21 650 2748
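
As an added triage check (example code, not part of the thread), the script below compares an nmap port table with the host's own `netstat -an` listener list and reports ports that answer from outside but have no non-loopback listener behind them, which is exactly the discrepancy the question describes. The nmap table is the one quoted above, the netstat listing is constructed, and the regexes assume the column layout of FreeBSD's `netstat -an` output.

```python
"""Cross-check an external nmap result against the gateway's own listener list.
Ports open from outside with nothing bound locally are the discrepancy in this
thread; both sample inputs below are constructed for the example."""
import re

# Constructed: the nmap table quoted in the post.
NMAP_OUTPUT = """\
PORT     STATE SERVICE
80/tcp   open  http
554/tcp  open  rtsp
1755/tcp open  wms
5190/tcp open  aol
"""

# Constructed: the LISTEN lines `netstat -an` might show on that gateway.
NETSTAT_OUTPUT = """\
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.80                   *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.25           *.*                    LISTEN
"""

NMAP_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)")
LISTEN_LINE = re.compile(r"^(tcp|udp)\d?\s+\d+\s+\d+\s+(\S+)\.(\d+)\s+\S+\s+LISTEN")

def nmap_open_ports(text):
    """Map (proto, port) -> service name for every line nmap marks 'open'."""
    found = {}
    for line in text.splitlines():
        m = NMAP_LINE.match(line)
        if m:
            found[(m.group(2), int(m.group(1)))] = m.group(3)
    return found

def local_listeners(text):
    """Map (proto, port) -> bind address for every LISTEN line of netstat -an."""
    found = {}
    for line in text.splitlines():
        m = LISTEN_LINE.match(line)
        if m:
            found[(m.group(1), int(m.group(3)))] = m.group(2)
    return found

def unexplained_ports(nmap_text, netstat_text):
    """Ports open from outside with no non-loopback local listener behind them."""
    remote = nmap_open_ports(nmap_text)
    local = local_listeners(netstat_text)
    # A socket bound only to 127.0.0.1 cannot be what an external scan reached.
    return sorted(p for p in remote
                  if p not in local or local[p].startswith("127."))
```

A port listed by this check is either answered by something in the path (a NAT box or proxy in front of the gateway) or hidden from the local tools, so the next step is to look at it from a second host on the same segment and with binaries that did not come from the suspect machine.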
