>>>>> I nmap'ed one of my remote Gentoo servers today and besides the
>>>>> expected open ports were these:
>>>>>
>>>>> 1080/tcp open socks
>>>>> 3128/tcp open squid-http
>>>>> 8080/tcp open http-proxy
>>>>>
>>>>> I'm not running any sort of proxy software that I know of and I should
>>>>> be the only person whatsoever with access to the machine. 'netstat
>>>>> -l' doesn't show any info on those ports at all so I suppose it's been
>>>>> hacked as well? I installed and ran 'rkhunter --check' (what happened
>>>>> to the chkrootkit ebuild?) but it doesn't seem to be much use since I
>>>>> hadn't established a "file of stored file properties".
>>>>>
>>>>> What do you guys think is going on? What should I do from here?
>>>>>
>>>>
>>>> What does lsof (I'd reinstall it afresh) show with regards to strange
>>>> users?
>>>> What users the above services run under. If indeed they are not
>>>> legitimate and you confirm that they are not being run as packages
>>>> that you installed, then I'm afraid the only sane option is to
>>>> reinstall.
>>>>
>>>
>>> Wow. I'm actually seeing the same thing from other domains I nmap.
>>> Could my ISP have some kind of a weird environment set up that makes
>>> it look like there are ports such as these open on remote systems?
>>> Right now I'm on some kind of a shared connection where everyone has
>>> their own modem or router or whatever it is, but I think everyone's IP
>>> is the same.
>>>
>>> - Grant
>>>
>>>
>>
>> Hello,
>>
>> looks like your ISP has a Transparent Proxy Setup running.

Should I be worried about that?

> Ports being shown as open does not mean that your machine is
> listening, more like the firewall has some holes in it. If the

Really? I thought a service had to be listening for the port to be
open. So from nmap, there is no way to tell the difference between a
port that isn't blocked by a firewall and one that is listening?

> firewall is not configured/running on your server itself, then you may
> be alright. Can you actually connect to your server using those
> ports?

If I enter the server's IP appended with one of the port numbers
listed above into a web browser, I get:

"tinyproxy 1.6.0
The page you requested was unavailable. The error code is listed
below. In addition, the HTML file which has been configured as the
page to be displayed when an error of this type was unavailable, with
the error code 14 (Bad address). Please contact your administrator.
Bad Request"

The thing is, I get the same thing from any domain I enter appended
with one of those ports.

> Have you tried telnet, or nc -v -z <your_host_name> <port> to see if
> they are open?

Can you tell me what package nc is included in?

- Grant
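The two checks the thread converges on (does anything actually listen on the server, and does every host answer with the same banner from the client side), written out as an added shell example; it is not code from the thread. The sample netstat output and banner lines are constructed; `grab_banner` needs `nc` and network access and is defined but not run by default.

```shell
#!/bin/sh
# Added example, not from the thread. Two checks for the symptom above.
# (1) On the server: parse `netstat -ltn` (or `ss -ltn`) output and ask
#     whether anything LISTENs on a port. No local listener while nmap
#     reports "open" from outside means something upstream (e.g. an ISP
#     transparent proxy) is the thing answering.
# (2) From the client: fetch the first reply line on that port from several
#     hosts you control; identical banners from unrelated hosts point to an
#     intermediary rather than to the servers themselves.

# has_local_listener "<netstat/ss -ltn output>" PORT -> exit 0 if listening
# Column 4 is the local address in both netstat and ss output.
has_local_listener() {
    printf '%s\n' "$1" | awk -v p="$2" '
        /LISTEN/ && $4 ~ (":" p "$") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# grab_banner HOST PORT -> first line of the HTTP reply (needs nc + network).
# `nc -z`, as suggested in the thread, only reports whether connect() worked.
grab_banner() {
    printf 'GET / HTTP/1.0\r\n\r\n' | nc -w 3 "$1" "$2" 2>/dev/null | head -n 1
}

# classify_banners "<host|banner lines>" -> "intercepted" when two or more
# distinct hosts all returned the same non-empty banner, otherwise "distinct".
classify_banners() {
    printf '%s\n' "$1" | awk -F'|' '
        NF >= 2 && $2 != "" { hosts[$1] = 1; banners[$2] = 1 }
        END {
            nh = 0; for (h in hosts) nh++
            nb = 0; for (b in banners) nb++
            if (nh >= 2 && nb == 1) print "intercepted"; else print "distinct"
        }'
}

# Constructed sample data standing in for real command output.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN'
SAMPLE_BANNERS='server-a.example|HTTP/1.0 400 Bad Request
server-b.example|HTTP/1.0 400 Bad Request
server-c.example|HTTP/1.0 400 Bad Request'

for p in 1080 3128 8080; do
    has_local_listener "$SAMPLE_NETSTAT" "$p" && echo "port $p: local listener" \
        || echo "port $p: nothing listening locally"
done
echo "banner check: $(classify_banners "$SAMPLE_BANNERS")"
```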