>> I nmap'ed one of my remote Gentoo servers today and besides the
>> expected open ports were these:
>>
>> 1080/tcp open socks
>> 3128/tcp open squid-http
>> 8080/tcp open http-proxy
>>
>> I'm not running any sort of proxy software that I know of and I should
>> be the only person whatsoever with access to the machine. 'netstat
>> -l' doesn't show any info on those ports at all so I suppose it's been
>> hacked as well? I installed and ran 'rkhunter --check' (what happened
>> to the chkrootkit ebuild?) but it doesn't seem to be much use since I
>> hadn't established a "file of stored file properties".
>>
>> What do you guys think is going on? What should I do from here?
>
> What does lsof (I'd reinstall it afresh) show with regards to strange users?
> What users do the above services run under? If indeed they are not legitimate
> and you confirm that they are not being run as packages that you installed,
> then I'm afraid the only sane option is to reinstall.

Wow. I'm actually seeing the same thing from other domains I nmap. Could my ISP have some kind of a weird environment set up that makes it look like there are ports such as these open on remote systems? Right now I'm on some kind of a shared connection where everyone has their own modem or router or whatever it is, but I think everyone's IP is the same.

- Grant
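The comparison discussed in this thread (ports a remote scan reports open versus what the server itself is listening on) can be scripted; the following is an added example, not part of the original messages. It assumes the Linux `/proc/net/tcp` layout on a little-endian host and covers the IPv4 table only; the sample table is constructed, and ports 22 and 80 stand in for the "expected" ports, which the post does not list.

```python
"""Compare ports an outside scan reports open with the kernel's listening sockets."""

TCP_LISTEN = 0x0A  # socket state code for LISTEN in /proc/net/tcp

# 1080/3128/8080 are the ports from the post; 22 and 80 are assumed "expected" ports.
SCAN_OPEN = {22, 80, 1080, 3128, 8080}

# Constructed sample in /proc/net/tcp layout (not data from the thread).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201 1
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1350 1
   2: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000    60        0 1422 1
   3: 0F02000A:0016 0501A8C0:D2F0 01 00000000:00000000 02:000A1B2C 00000000     0        0 1777 4
"""


def listening_ports(proc_text, include_loopback=False):
    """Return TCP ports in LISTEN state from /proc/net/tcp-formatted text."""
    ports = set()
    for line in proc_text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4 or int(fields[3], 16) != TCP_LISTEN:
            continue
        addr_hex, port_hex = fields[1].split(":")
        # Assumes a little-endian host: 127.x.y.z is stored with 7F as the last byte.
        if addr_hex.endswith("7F") and not include_loopback:
            continue                                 # not reachable from outside
        ports.add(int(port_hex, 16))
    return ports


def compare(scan_open, local_listen):
    """Split scan results into ports the host confirms and ports it cannot explain."""
    return {
        "confirmed": sorted(scan_open & local_listen),
        "unexplained": sorted(scan_open - local_listen),
        "local_only": sorted(local_listen - scan_open),
    }


if __name__ == "__main__":
    # On the server itself, use open("/proc/net/tcp").read() instead of the sample.
    result = compare(SCAN_OPEN, listening_ports(SAMPLE_PROC_NET_TCP))
    for label, ports in result.items():
        print(f"{label}: {ports}")
```

A port that lands in `unexplained` is either hidden from the host's own tools or is being answered somewhere between the scanner and the server. Repeating the scan from a different network and seeing those ports disappear points to the second case.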