Re: [gentoo-user] I've been hacked.
looks like, your ISP has a Transparent Proxy Setup running. Should I be worried about that? No. Ports being shown as open does not mean that your machine is listening, more like the firewall has some holes in it. If the Really? I thought a service had to be listening for the port to be open. So from nmap, there is no way to tell the difference between a port that isn't blocked by a firewall and one that is listening? You're right - a TCP service does need to be listening for the port to be shown as open. However, a device in the path like a proxy may answer on behalf of the actual destination. ISPs can do this so that you will use their proxy without having to configure a proxy in your browser. Firewalls can block ports in two ways; 1.Reject the packet, that is, respond to the SYN with an RST packet (which is also what the operating system does if the port is closed) and not forward the packet to the destination 2. Drop the packet, that is, dont respond to the packet or forward it on to the destination.
Re: [gentoo-user] I've been hacked.
I nmap'ed one of my remote Gentoo servers today and besides the expected open ports were these: 1080/tcp open socks 3128/tcp open squid-http 8080/tcp open http-proxy I'm not running any sort of proxy software that I know of and I should be the only person whatsoever with access to the machine. 'netstat -l' doesn't show any info on those ports at all so I suppose it's been hacked as well? I installed and ran 'rkhunter --check' (what happened to the chrootkit ebuild?) but it doesn't seem to be much use since I hadn't established a file of stored file properties. What do you guys think is going on? What should I do from here? What does lsof (I'd reinstall it afresh) show with regards to strange users? What users the above services run under. If indeed they are not legitimate and you confirm that they are not being run as packages that you installed, then I'm afraid the only sane option is to reinstall. Wow. I'm actually seeing the same thing from other domains I nmap. Could my ISP have some kind of a weird environment set up that makes it look like there are ports such as these open on remote systems? Right now I'm on some kind of a shared connection where everyone has their own modem or router or whatever it is, but I think everyone's IP is the same. - Grant
Re: [gentoo-user] I've been hacked.
Am 05/11/10 08:54, schrieb Grant: I nmap'ed one of my remote Gentoo servers today and besides the expected open ports were these: 1080/tcp open socks 3128/tcp open squid-http 8080/tcp open http-proxy I'm not running any sort of proxy software that I know of and I should be the only person whatsoever with access to the machine. 'netstat -l' doesn't show any info on those ports at all so I suppose it's been hacked as well? I installed and ran 'rkhunter --check' (what happened to the chrootkit ebuild?) but it doesn't seem to be much use since I hadn't established a file of stored file properties. What do you guys think is going on? What should I do from here? What does lsof (I'd reinstall it afresh) show with regards to strange users? What users the above services run under. If indeed they are not legitimate and you confirm that they are not being run as packages that you installed, then I'm afraid the only sane option is to reinstall. Wow. I'm actually seeing the same thing from other domains I nmap. Could my ISP have some kind of a weird environment set up that makes it look like there are ports such as these open on remote systems? Right now I'm on some kind of a shared connection where everyone has their own modem or router or whatever it is, but I think everyone's IP is the same. - Grant Hello, looks like, your ISP has a Transparent Proxy Setup running. Regards, Norman
Re: [gentoo-user] I've been hacked.
On 11 May 2010 08:39, Norman Rieß nor...@smash-net.org wrote: Am 05/11/10 08:54, schrieb Grant: I nmap'ed one of my remote Gentoo servers today and besides the expected open ports were these: 1080/tcp open socks 3128/tcp open squid-http 8080/tcp open http-proxy I'm not running any sort of proxy software that I know of and I should be the only person whatsoever with access to the machine. 'netstat -l' doesn't show any info on those ports at all so I suppose it's been hacked as well? I installed and ran 'rkhunter --check' (what happened to the chrootkit ebuild?) but it doesn't seem to be much use since I hadn't established a file of stored file properties. What do you guys think is going on? What should I do from here? What does lsof (I'd reinstall it afresh) show with regards to strange users? What users the above services run under. If indeed they are not legitimate and you confirm that they are not being run as packages that you installed, then I'm afraid the only sane option is to reinstall. Wow. I'm actually seeing the same thing from other domains I nmap. Could my ISP have some kind of a weird environment set up that makes it look like there are ports such as these open on remote systems? Right now I'm on some kind of a shared connection where everyone has their own modem or router or whatever it is, but I think everyone's IP is the same. - Grant Hello, looks like, your ISP has a Transparent Proxy Setup running. Ports being shown as open does not mean that your machine is listening, more like the firewall has some holes in it. If the firewall is not configured/running on your server itself, then you may be alright. Can you actually connect to your server using those ports? Have you tried telnet, or nc -v -z your_host_name port to see if they are open? If the above as well as lsof show nothing, can you nmap your machine from within the LAN that it is hosted in? HTH. -- Regards, Mick
Re: [gentoo-user] I've been hacked.
On Tue, May 11, 2010 at 1:54 AM, Grant emailgr...@gmail.com wrote: I nmap'ed one of my remote Gentoo servers today and besides the expected open ports were these: 1080/tcp open socks 3128/tcp open squid-http 8080/tcp open http-proxy I'm not running any sort of proxy software that I know of and I should be the only person whatsoever with access to the machine. 'netstat -l' doesn't show any info on those ports at all so I suppose it's been hacked as well? I installed and ran 'rkhunter --check' (what happened to the chrootkit ebuild?) but it doesn't seem to be much use since I hadn't established a file of stored file properties. What do you guys think is going on? What should I do from here? What does lsof (I'd reinstall it afresh) show with regards to strange users? What users the above services run under. If indeed they are not legitimate and you confirm that they are not being run as packages that you installed, then I'm afraid the only sane option is to reinstall. Wow. I'm actually seeing the same thing from other domains I nmap. Could my ISP have some kind of a weird environment set up that makes it look like there are ports such as these open on remote systems? Right now I'm on some kind of a shared connection where everyone has their own modem or router or whatever it is, but I think everyone's IP is the same. Like Norman suggested, sounds like maybe your ISP or local IT staff are playing man-in-the-middle. Try running the Netalyzer (warning: java) maybe it can tell you about it. http://netalyzr.icsi.berkeley.edu/ Otherwise, I would try to nmap your server from a different internet connection when possible. Hopefully you won't see those ports open on your server. Hopefully. :) I think nmap is typically not recommended to be run from behind router/NAT because the results are not necessarily true.
Re: [gentoo-user] I've been hacked.
I nmap'ed one of my remote Gentoo servers today and besides the expected open ports were these: 1080/tcp open socks 3128/tcp open squid-http 8080/tcp open http-proxy I'm not running any sort of proxy software that I know of and I should be the only person whatsoever with access to the machine. 'netstat -l' doesn't show any info on those ports at all so I suppose it's been hacked as well? I installed and ran 'rkhunter --check' (what happened to the chrootkit ebuild?) but it doesn't seem to be much use since I hadn't established a file of stored file properties. What do you guys think is going on? What should I do from here? What does lsof (I'd reinstall it afresh) show with regards to strange users? What users the above services run under. If indeed they are not legitimate and you confirm that they are not being run as packages that you installed, then I'm afraid the only sane option is to reinstall. Wow. I'm actually seeing the same thing from other domains I nmap. Could my ISP have some kind of a weird environment set up that makes it look like there are ports such as these open on remote systems? Right now I'm on some kind of a shared connection where everyone has their own modem or router or whatever it is, but I think everyone's IP is the same. - Grant Hello, looks like, your ISP has a Transparent Proxy Setup running. Should I be worried about that? Ports being shown as open does not mean that your machine is listening, more like the firewall has some holes in it. If the Really? I thought a service had to be listening for the port to be open. So from nmap, there is no way to tell the difference between a port that isn't blocked by a firewall and one that is listening? firewall is not configured/running on your server itself, then you may be alright. Can you actually connect to your server using those ports? If I enter the server's IP appended with one of the port numbers listed above into a web browser, I get: tinyproxy 1.6.0 The page you requested was unavailable. The error code is listed below. In addition, the HTML file which has been configured as the page to be displayed when an error of this type was unavailable, with the error code 14 (Bad address). Please contact your administrator. Bad Request The thing is, I get the same thing from any domain I enter appended with one of those ports. Have you tried telnet, or nc -v -z your_host_name port to see if they are open? Can you tell me what package nc is included in? - Grant
Re: [gentoo-user] I've been hacked.
On Tue, May 11, 2010 at 2:28 PM, Grant emailgr...@gmail.com wrote: Can you tell me what package nc is included in? netcat
[gentoo-user] I've been hacked.
I nmap'ed one of my remote Gentoo servers today and besides the expected open ports were these: 1080/tcp open socks 3128/tcp open squid-http 8080/tcp open http-proxy I'm not running any sort of proxy software that I know of and I should be the only person whatsoever with access to the machine. 'netstat -l' doesn't show any info on those ports at all so I suppose it's been hacked as well? I installed and ran 'rkhunter --check' (what happened to the chrootkit ebuild?) but it doesn't seem to be much use since I hadn't established a file of stored file properties. What do you guys think is going on? What should I do from here? - Grant
Re: [gentoo-user] I've been hacked.
On Tuesday 11 May 2010 05:58:28 Grant wrote: I nmap'ed one of my remote Gentoo servers today and besides the expected open ports were these: 1080/tcp open socks 3128/tcp open squid-http 8080/tcp open http-proxy I'm not running any sort of proxy software that I know of and I should be the only person whatsoever with access to the machine. 'netstat -l' doesn't show any info on those ports at all so I suppose it's been hacked as well? I installed and ran 'rkhunter --check' (what happened to the chrootkit ebuild?) but it doesn't seem to be much use since I hadn't established a file of stored file properties. What do you guys think is going on? What should I do from here? What does lsof (I'd reinstall it afresh) show with regards to strange users? What users the above services run under. If indeed they are not legitimate and you confirm that they are not being run as packages that you installed, then I'm afraid the only sane option is to reinstall. -- Regards, Mick signature.asc Description: This is a digitally signed message part.