| 1 |
Am 05/11/10 08:54, schrieb Grant: |
| 2 |
>>> I nmap'ed one of my remote Gentoo servers today and besides the |
| 3 |
>>> expected open ports were these: |
| 4 |
>>> |
| 5 |
>>> 1080/tcp open socks |
| 6 |
>>> 3128/tcp open squid-http |
| 7 |
>>> 8080/tcp open http-proxy |
| 8 |
>>> |
| 9 |
>>> I'm not running any sort of proxy software that I know of and I should |
| 10 |
>>> be the only person whatsoever with access to the machine. 'netstat |
| 11 |
>>> -l' doesn't show any info on those ports at all so I suppose it's been |
| 12 |
>>> hacked as well? I installed and ran 'rkhunter --check' (what happened |
| 13 |
>>> to the chrootkit ebuild?) but it doesn't seem to be much use since I |
| 14 |
>>> hadn't established a "file of stored file properties". |
| 15 |
>>> |
| 16 |
>>> What do you guys think is going on? What should I do from here? |
| 17 |
>>> |
| 18 |
>> What does lsof (I'd reinstall it afresh) show with regards to strange users? |
| 19 |
>> What users the above services run under. If indeed they are not legitimate |
| 20 |
>> and you confirm that they are not being run as packages that you installed, |
| 21 |
>> then I'm afraid the only sane option is to reinstall. |
| 22 |
>> |
| 23 |
> Wow. I'm actually seeing the same thing from other domains I nmap. |
| 24 |
> Could my ISP have some kind of a weird environment set up that makes |
| 25 |
> it look like there are ports such as these open on remote systems? |
| 26 |
> Right now I'm on some kind of a shared connection where everyone has |
| 27 |
> their own modem or router or whatever it is, but I think everyone's IP |
| 28 |
> is the same. |
| 29 |
> |
| 30 |
> - Grant |
| 31 |
> |
| 32 |
> |
| 33 |
Hello, |
| 34 |
|
| 35 |
looks like, your ISP has a Transparent Proxy Setup running. |
| 36 |
|
| 37 |
Regards, |
| 38 |
Norman |
Archives