Hi, I take it you are remotely nmapping this machine.
Services coming up in a 'filtered' state are very possibly the upstream ISP blocking access to these services. lpd, nfs and fingerd have an unfortunate history of remotely exploitable bugs, so it wouldn't surprise me if the upstream provider has blocked them.

The best option is prob. to use netstat to list the currently listening services, although if you have had an intrusion, your other binaries, including netstat, could have been modified to give you false reports, or to hide certain listening services.

Unfortunately, in cases of intrusion, a clean copy of the operating system is the best option (IMHO anyways), because anything could be changed or installed. Although if you can verify the integrity of the binaries, via MD5 hashing, it could save you a bit of time...

Anyways, just my 0.02c

Keiran

Stephan Borg wrote:
> Hello all,
>
> Over the last couple of days, a Debian 2.2r4 box I work on appears to
> have been infected by a Trojan. I have since upgraded SSH which I think
> was the leak.
>
> I have done an NMAP on the box. I have removed the known services from
> the output, shown below are the results.
>
> Port       State       Service
> 139/tcp    filtered    netbios-ssn  - I don't have Samba
> 515/tcp    filtered    printer      - no lpr as far as I'm aware
> 1080/tcp   filtered    socks        - no socks as far as I'm aware
> 2003/tcp   filtered    cfingerd     - the binary for this one is on the server, but is not enabled in Inetd
> 2049/tcp   filtered    nfs          - No NFS
> 12345/tcp  filtered    NetBus
> 12346/tcp  filtered    NetBus
>
> I have searched high and low, even tried re-installing the procps package,
> looking for any clues, but am unable to find anything.
>
> Does anyone have any helpful information or where I can get a removal
> script for this? Your help would be greatly appreciated.
>
> Stephan Borg
> Osgiliath P/L (ACN: 095 048 981)
> Mobile: 0402 789 788
> Email: mailto:[EMAIL PROTECTED]

--
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
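
Added example, not part of the thread: a sketch of cross-checking a remote nmap scan against local `netstat -ltn` output, so that 'filtered' ports are kept apart from ports that answer remotely but are missing from netstat's listing. The function names, the sample netstat listing and the open rows (including port 40000) are constructed for illustration; only the filtered rows reuse ports from the quoted scan.

```python
import re

# Constructed sample inputs. The "filtered" rows reuse ports from the scan
# quoted in the thread; the "open" rows and the netstat listing are invented.
NMAP_OUTPUT = """\
Port       State       Service
22/tcp     open        ssh
80/tcp     open        http
139/tcp    filtered    netbios-ssn
12345/tcp  filtered    NetBus
40000/tcp  open        unknown
"""

NETSTAT_OUTPUT = """\
Proto Recv-Q Send-Q Local Address   Foreign Address State
tcp        0      0 0.0.0.0:22      0.0.0.0:*       LISTEN
tcp        0      0 0.0.0.0:80      0.0.0.0:*       LISTEN
tcp        0      0 127.0.0.1:25    0.0.0.0:*       LISTEN
"""

def parse_nmap(text):
    """Map TCP port -> state from an nmap port table."""
    rows = re.findall(r"^(\d+)/tcp\s+(\S+)", text, re.MULTILINE)
    return {int(port): state for port, state in rows}

def parse_netstat(text):
    """Return the TCP ports that `netstat -ltn` reports as LISTEN."""
    ports = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("tcp") and fields[5] == "LISTEN":
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports

def cross_check(nmap_text, netstat_text):
    """Sort ports into findings by comparing the remote and local views."""
    scan, local = parse_nmap(nmap_text), parse_netstat(netstat_text)
    return {
        # Answered from outside but absent locally: netstat may be hiding it.
        "hidden_listener": sorted(p for p, s in scan.items() if s == "open" and p not in local),
        # Probe was dropped on the path: says nothing about a listener.
        "inconclusive_filtered": sorted(p for p, s in scan.items() if s == "filtered" and p not in local),
        # Listening locally but not reachable or not scanned from outside.
        "local_only": sorted(local - {p for p, s in scan.items() if s == "open"}),
    }

if __name__ == "__main__":
    for finding, ports in cross_check(NMAP_OUTPUT, NETSTAT_OUTPUT).items():
        print(f"{finding}: {ports}")
```

The local listing is only as trustworthy as the netstat binary that produced it, so the comparison is most useful when netstat is run from known-good media.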
