that guggenheim story almost made me puke up the two pounds of raw tuna i just ate.
download lsof and send us the output of "lsof -i TCP"

btw, keystroke loggers wouldn't listen on a tcp port. if you really think your box has been compromised, you should wipe the machine and reinstall instead of trying to find holes to close. it's really the only way to be sure.

=jay

On 17 Apr 2002, Joshua Newman wrote:

> So I ran nmap on my home machine feeling interested in trying out my
> new security skills and what I found is not pretty.
>
> Basically this list reminds me of a college friend whose 10-year-old
> brother licked the railing all the way down the Guggenheim and then
> broke out in 5 different kinds of sores about 3 days later.
>
> I know that Trinoo_Master running on 27374 and subseven on
> 27665 are both remote hacker gaping holes. I'm suspicious about other
> things but does anyone recognize some of these nasty wounds
> festering?
>
> One thing I am worried about is a keystroke monitor, because I have
> used ssh to log into several other machines and am wondering if those
> machines are compromised too. Port sniffers wouldn't get my password
> with ssh, but a keyboard monitor would. Are keystroke monitors in
> linux at the level of X or the kernel? And is anything in the list
> below indicative of one?
>
> The list follows, and don't worry, most of the open things have been
> subsequently shut.
>
> Go easy, my pussy is sore.
>
> joshua
>
> 17/tcp closed qotd
> 18/tcp closed msp
> 20/tcp closed ftp-data
> 21/tcp open ftp
> 22/tcp open ssh
> 23/tcp open telnet
> 25/tcp open smtp
> 42/tcp closed nameserver
> 53/tcp open domain
> 59/tcp closed priv-file
> 79/tcp open finger
> 82/tcp closed xfer
> 84/tcp closed ctf
> 88/tcp closed kerberos-sec
> 93/tcp closed dcp
> 99/tcp closed metagram
> 110/tcp closed pop-3
> 111/tcp open sunrpc
> 154/tcp closed netsc-prod
> 160/tcp closed sgmp-traps
> 167/tcp closed namp
> 188/tcp closed mumps
> 195/tcp closed dn6-nlm-aud
> 196/tcp closed dn6-smm-red
> 214/tcp closed vmpwscs
> 221/tcp closed fln-spx
> 223/tcp closed cdc
> 244/tcp closed dayna
> 263/tcp closed hdap
> 310/tcp closed bhmds
> 364/tcp closed aurora-cmgr
> 516/tcp closed videotex
> 523/tcp closed ibm-db2
> 537/tcp closed nmsp
> 541/tcp closed uucp-rlogin
> 544/tcp closed kshell
> 547/tcp closed dhcpv6-server
> 577/tcp closed vnas
> 588/tcp closed cal
> 591/tcp closed http-alt
> 592/tcp closed eudora-set
> 593/tcp closed http-rpc-epmap
> 763/tcp closed cycleserv
> 773/tcp closed submit
> 776/tcp closed wpages
> 781/tcp closed hp-collector
> 873/tcp open rsync
> 880/tcp closed unknown
> 900/tcp closed unknown
> 901/tcp open samba-swat
> 1348/tcp closed bbn-mmx
> 1355/tcp closed intuitive-edge
> 1367/tcp closed dcs
> 1387/tcp closed cadsi-lm
> 1391/tcp closed iclpv-sas
> 1392/tcp closed iclpv-pm
> 1398/tcp closed video-activmail
> 1418/tcp closed timbuktu-srv2
> 1436/tcp closed sas-2
> 1439/tcp closed eicon-x25
> 1444/tcp closed marcam-lm
> 1453/tcp closed genie-lm
> 1467/tcp closed csdmbase
> 1470/tcp closed uaiact
> 1474/tcp closed telefinder
> 1486/tcp closed nms_topo_serv
> 1490/tcp closed insitu-conf
> 1500/tcp closed vlsi-lm
> 1512/tcp closed wins
> 1513/tcp closed fujitsu-dtc
> 1526/tcp closed pdap-np
> 1540/tcp closed rds
> 1669/tcp closed netview-aix-9
> 1998/tcp closed x25-svc-port
> 2003/tcp closed cfingerd
> 2008/tcp closed conf
> 2020/tcp closed xinupageserver
> 2021/tcp closed servexec
> 2026/tcp closed scrabble
> 2035/tcp closed imsldoc
> 2112/tcp closed kip
> 2241/tcp closed ivsd
> 3006/tcp closed deslogind
> 3306/tcp open mysql
> 3462/tcp closed track
> 3985/tcp closed mapper-mapethd
> 4008/tcp closed netcheque
> 4672/tcp closed rfa
> 5190/tcp closed aol
> 5192/tcp closed aol-2
> 5715/tcp closed prosharedata
> 5999/tcp closed ncd-conf
> 6000/tcp open X11
> 6004/tcp closed X11:4
> 6010/tcp open unknown
> 7100/tcp closed font-service
> 8021/tcp open unknown
> 8080/tcp open http-proxy
> 10005/tcp closed stel
> 12000/tcp closed cce4x
> 27374/tcp closed subseven
> 27665/tcp closed Trinoo_Master
> 32768/tcp open unknown
> 32773/tcp closed sometimes-rpc9
> 32786/tcp closed sometimes-rpc25
> 32787/tcp closed sometimes-rpc27
> 44443/tcp closed coldfusion-auth
> 61440/tcp closed netprowler-manager2
> 65301/tcp closed pcanywhere

_______________________________________________
Bits mailing list
[EMAIL PROTECTED]
http://www.sugoi.org/mailman/listinfo/bits
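
An added example, not part of either message: a sketch of the cross-check that the requested lsof output makes possible, pairing each port nmap reports as open with the process lsof shows listening on it. The lsof listing is constructed, the `-nP` flags (numeric addresses and ports) are an addition to the command in the thread, and the function names `open_ports` and `triage` are hypothetical.

```shell
#!/bin/sh
# Constructed sample: a few rows copied from the nmap table quoted above.
NMAP_SAMPLE='> 22/tcp open ssh
> 6010/tcp open unknown
> 8021/tcp open unknown
> 27374/tcp closed subseven
> 27665/tcp closed Trinoo_Master
> 32768/tcp open unknown'

# Constructed sample of `lsof -nP -i TCP` output (not from the thread).
LSOF_SAMPLE='COMMAND   PID USER FD  TYPE DEVICE SIZE/OFF NODE NAME
sshd      612 root 3u  IPv4   1023      0t0  TCP *:22 (LISTEN)
sshd     1480 root 9u  IPv4   4410      0t0  TCP 127.0.0.1:6010 (LISTEN)
rpc.statd 501 root 6u  IPv4    988      0t0  TCP *:32768 (LISTEN)
sshd     1480 root 4u  IPv4   4390      0t0  TCP 10.0.0.5:22->10.0.0.9:51514 (ESTABLISHED)'

# Print the port numbers nmap reports as "open". Rows marked "closed" mean
# nothing accepted the connection, so they are skipped.
open_ports() {
    sed 's/^[> ]*//' |
        awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" { split($1, p, "/"); print p[1] }'
}

# triage NMAP_TEXT LSOF_TEXT: one line per open port with its owning
# process, or NO-LISTENER when lsof shows nothing bound to that port.
triage() {
    ports=$(printf '%s\n' "$1" | open_ports | tr '\n' ' ')
    printf '%s\n' "$2" | awk -v ports="$ports" '
        $NF == "(LISTEN)" {
            n = split($(NF-1), a, ":")      # NAME column is addr:port
            owner[a[n]] = $1 "[" $2 "]"     # command[pid]
        }
        END {
            m = split(ports, want, " ")
            for (i = 1; i <= m; i++)
                print want[i], (want[i] in owner ? owner[want[i]] : "NO-LISTENER")
        }'
}

triage "$NMAP_SAMPLE" "$LSOF_SAMPLE"
```

On a live host, run lsof as root so that sockets owned by other users appear; an open port that lsof cannot attribute to a process is the first thing to investigate.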
