On 11 May 2010 08:39, Norman Rieß <norman@×××××××××.org> wrote:
> On 05/11/10 08:54, Grant wrote:
>>>>
>>>> I nmap'ed one of my remote Gentoo servers today and besides the
>>>> expected open ports were these:
>>>>
>>>> 1080/tcp open socks
>>>> 3128/tcp open squid-http
>>>> 8080/tcp open http-proxy
>>>>
>>>> I'm not running any sort of proxy software that I know of and I should
>>>> be the only person whatsoever with access to the machine. 'netstat
>>>> -l' doesn't show any info on those ports at all so I suppose it's been
>>>> hacked as well? I installed and ran 'rkhunter --check' (what happened
>>>> to the chrootkit ebuild?) but it doesn't seem to be much use since I
>>>> hadn't established a "file of stored file properties".
>>>>
>>>> What do you guys think is going on? What should I do from here?
>>>>
>>>
>>> What does lsof (I'd reinstall it afresh) show with regards to strange
>>> users? What users do the above services run under? If indeed they are
>>> not legitimate and you confirm that they are not being run by packages
>>> that you installed, then I'm afraid the only sane option is to reinstall.
>>>
>>
>> Wow. I'm actually seeing the same thing from other domains I nmap.
>> Could my ISP have some kind of a weird environment set up that makes
>> it look like there are ports such as these open on remote systems?
>> Right now I'm on some kind of a shared connection where everyone has
>> their own modem or router or whatever it is, but I think everyone's IP
>> is the same.
>>
>> - Grant
>>
>>
>
> Hello,
>
> Looks like your ISP has a transparent proxy setup running.

Ports being shown as open does not mean that your machine is
listening, more like the firewall has some holes in it. If the
firewall is not configured/running on your server itself, then you may
be alright. Can you actually connect to your server using those
ports?

Have you tried telnet, or nc -v -z <your_host_name> <port>, to see if
they are open?

If the above as well as lsof show nothing, can you nmap your machine
from within the LAN that it is hosted in?

HTH.
--
Regards,
Mick
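The check the thread converges on, as an added example that is not part of the original mails: compare the ports an external nmap reported open against what the host itself is listening on, and confirm any remaining port with a plain TCP connect (what nc -v -z does). The nmap and ss/netstat outputs below are constructed samples, and the function names are this example's own.

```python
import re
import socket

# Constructed sample of what an external nmap scan reported open.
NMAP_OUTPUT = """\
22/tcp   open  ssh
1080/tcp open  socks
3128/tcp open  squid-http
8080/tcp open  http-proxy
"""

# Constructed sample of 'ss -ltn' (or 'netstat -ltn') run on the server itself.
LOCAL_LISTENERS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    127.0.0.1:25       0.0.0.0:*
"""

NMAP_LINE = re.compile(r"^(\d+)/tcp\s+open\b")
LISTEN_LINE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s")


def nmap_open_ports(text):
    """TCP ports nmap printed as 'open'."""
    return {int(m.group(1)) for line in text.splitlines() if (m := NMAP_LINE.match(line))}


def local_listen_ports(text):
    """TCP ports the host has a socket in LISTEN state on (IPv4 or IPv6)."""
    return {int(m.group(2)) for line in text.splitlines() if (m := LISTEN_LINE.match(line))}


def unexplained_ports(nmap_text, listen_text):
    """Ports seen open from outside with no listener on the host. These come
    from something in the path (transparent proxy, NAT, firewall quirk),
    not from a process on the server; a rootkit hiding the listener is the
    other explanation, which is why a scan from inside the LAN is the next step."""
    return sorted(nmap_open_ports(nmap_text) - local_listen_ports(listen_text))


def probe_port(host, port, timeout=2.0):
    """Equivalent of 'nc -v -z host port': True only if a TCP connect completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for port in unexplained_ports(NMAP_OUTPUT, LOCAL_LISTENERS):
        print(f"{port}/tcp: open to the scanner, no local listener")
```

If a port is still unexplained after probing it from inside the LAN, the listener is not on the path in front of the host, and the thread's advice about lsof and reinstalling applies.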