Hello all,
Strange things present themselves that I would greatly appreciate
comments on.
As a random act of paranoia, I have port-scanned one of the machines at
work with the latest NMAP beta (2.54BETA22) and got the following:
(snipped version)
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
113/tcp open auth
260/tcp filtered openport
361/tcp open semantix
379/tcp open is99c
557/tcp filtered openvms-sysipc
583/tcp open philips-vc
3000/tcp open ppp
3128/tcp open squid-http
5432/tcp open postgres
20432/tcp open unknown
27665/tcp open Trinoo_Master
This to me looks pretty bad I know. After I had recovered my heart from
the floor and pasted a copy of the new phone list over the hole in the
wall that my boot had just emerged from, I tried the following.
I got a fresh copy of netstat from a machine I know is not compromised
(as I installed it yesterday far away from the net) and ran it on the
box that is possibly compromised. None of the ports mentioned above, as
open, showed up.
Next I tried to telnet to the Trinoo_Master port and rightly got:
telnet: Unable to connect to remote host: Connection refused
and the following in the log:
Apr 5 13:41:14 xx kernel: Packet log: input REJECT eth0 PROTO=6 xxx.xxx.xxx.xxx:3215 yyy.yyy.yyy.yyy:27665 L=60 S=0x00 I=49258 F=0x4000 T=64 SYN (#44)
So the question is:
Is NMAP lying or is there something I am not taking into consideration?
Any help would be much appreciated.
Thanks in advance
Brett
--
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug
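A check worth scripting for the situation described in the post above: reconcile the scanner's remote view of the host with the host's own listener table and its firewall log, so that every port nmap calls "open" ends up in one of a few classes (confirmed by a local listener, listener bound to loopback only, no listener but the firewall logged a REJECT for it, or no listener and nothing in the log). This is example code added here, not anything from the original post, from nmap or from the SLUG list. The three inputs are constructed samples in the shapes the post shows (nmap grepable -oG output, netstat -ltn output, and ipchains "Packet log" lines); the addresses, hostname and port mix are made up, and the verdict words REJECT/DENY are assumed to be the ones ipchains logs.

```python
"""Reconcile a remote nmap scan against the scanned host's own view.

Added example (not from the original post). All inputs below are
constructed samples; nothing here was captured from a real host.
"""
import re
from collections import namedtuple

# --- constructed sample inputs --------------------------------------------
NMAP_GREPABLE = """# constructed nmap -oG output
Host: 192.0.2.5 ()\tPorts: 22/open/tcp//ssh//, 25/open/tcp//smtp//, 260/filtered/tcp//openport//, 3128/open/tcp//squid-http//, 5432/open/tcp//postgres//, 27665/open/tcp//Trinoo_Master//\tIgnored State: closed (1000)
"""

NETSTAT_LTN = """Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN
"""

# ipchains-style kernel log lines (constructed; addresses are RFC 5737 test ranges)
KERNEL_LOG = """Apr  5 13:41:14 xx kernel: Packet log: input REJECT eth0 PROTO=6 192.0.2.10:3215 192.0.2.5:27665 L=60 S=0x00 I=49258 F=0x4000 T=64 SYN (#44)
Apr  5 13:41:20 xx kernel: Packet log: input ACCEPT eth0 PROTO=6 192.0.2.10:3216 192.0.2.5:22 L=60 S=0x00 I=49259 F=0x4000 T=64 SYN (#2)
"""

# --- parsers ---------------------------------------------------------------
LogEntry = namedtuple("LogEntry", "chain verdict iface proto src sport dst dport")

# port/state/proto/... fields of the "Ports:" list in nmap grepable output
PORT_RE = re.compile(r"(\d+)/(\w+)/(tcp|udp)/")
# "Packet log: <chain> <verdict> <iface> PROTO=<n> <src>:<sport> <dst>:<dport>"
PACKET_LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<verdict>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)
LOOPBACK_PREFIX = "127."


def parse_nmap_grepable(text):
    """Return {port: state} for the TCP ports listed on 'Host:' lines."""
    ports = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        for port, state, proto in PORT_RE.findall(line):
            if proto == "tcp":
                ports[int(port)] = state
    return ports


def parse_netstat_listeners(text):
    """Return {port: {bind_address, ...}} for TCP sockets in LISTEN state."""
    listeners = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "tcp" or fields[-1] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")   # works for "0.0.0.0:22" and ":::22"
        listeners.setdefault(int(port), set()).add(addr)
    return listeners


def parse_packet_log(text):
    """Return LogEntry records for every ipchains 'Packet log' line found."""
    entries = []
    for line in text.splitlines():
        m = PACKET_LOG_RE.search(line)
        if m:
            d = m.groupdict()
            entries.append(LogEntry(d["chain"], d["verdict"], d["iface"], int(d["proto"]),
                                    d["src"], int(d["sport"]), d["dst"], int(d["dport"])))
    return entries


def reconcile(nmap_ports, listeners, log_entries):
    """Classify each port nmap reports as open against local evidence.

    Classes: listener-confirmed, listener-loopback-only,
    no-listener-firewall-rejects, no-listener-unexplained.
    Ports nmap did not call "open" (closed/filtered) are left out.
    """
    rejected = {e.dport for e in log_entries
                if e.proto == 6 and e.verdict in ("REJECT", "DENY")}
    findings = {}
    for port, state in sorted(nmap_ports.items()):
        if state != "open":
            continue
        binds = listeners.get(port)
        if binds is None:
            findings[port] = ("no-listener-firewall-rejects" if port in rejected
                              else "no-listener-unexplained")
        elif all(a.startswith(LOOPBACK_PREFIX) for a in binds):
            findings[port] = "listener-loopback-only"
        else:
            findings[port] = "listener-confirmed"
    return findings


if __name__ == "__main__":
    result = reconcile(parse_nmap_grepable(NMAP_GREPABLE),
                       parse_netstat_listeners(NETSTAT_LTN),
                       parse_packet_log(KERNEL_LOG))
    for port, verdict in result.items():
        print(f"{port:>6}/tcp  {verdict}")
```

Run it with the real files (nmap -oG from the scanning box, netstat -ltn and the kernel log from the scanned box) in place of the constructed strings; anything that lands in the two "no-listener" classes is a port where the scanner and the host disagree and needs a closer look, while "listener-loopback-only" flags a service that should not have been reachable from outside at all.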