| 1 |
>>>>> I nmap'ed one of my remote Gentoo servers today and besides the |
| 2 |
>>>>> expected open ports were these: |
| 3 |
>>>>> |
| 4 |
>>>>> 1080/tcp open socks |
| 5 |
>>>>> 3128/tcp open squid-http |
| 6 |
>>>>> 8080/tcp open http-proxy |
| 7 |
>>>>> |
| 8 |
>>>>> I'm not running any sort of proxy software that I know of and I should |
| 9 |
>>>>> be the only person whatsoever with access to the machine. 'netstat |
| 10 |
>>>>> -l' doesn't show any info on those ports at all so I suppose it's been |
| 11 |
>>>>> hacked as well? I installed and ran 'rkhunter --check' (what happened |
| 12 |
>>>>> to the chrootkit ebuild?) but it doesn't seem to be much use since I |
| 13 |
>>>>> hadn't established a "file of stored file properties". |
| 14 |
>>>>> |
| 15 |
>>>>> What do you guys think is going on? What should I do from here? |
| 16 |
>>>>> |
| 17 |
>>>> |
| 18 |
>>>> What does lsof (I'd reinstall it afresh) show with regards to strange |
| 19 |
>>>> users? |
| 20 |
>>>> What users the above services run under. If indeed they are not |
| 21 |
>>>> legitimate |
| 22 |
>>>> and you confirm that they are not being run as packages that you |
| 23 |
>>>> installed, |
| 24 |
>>>> then I'm afraid the only sane option is to reinstall. |
| 25 |
>>>> |
| 26 |
>>> |
| 27 |
>>> Wow. I'm actually seeing the same thing from other domains I nmap. |
| 28 |
>>> Could my ISP have some kind of a weird environment set up that makes |
| 29 |
>>> it look like there are ports such as these open on remote systems? |
| 30 |
>>> Right now I'm on some kind of a shared connection where everyone has |
| 31 |
>>> their own modem or router or whatever it is, but I think everyone's IP |
| 32 |
>>> is the same. |
| 33 |
>>> |
| 34 |
>>> - Grant |
| 35 |
>>> |
| 36 |
>>> |
| 37 |
>> |
| 38 |
>> Hello, |
| 39 |
>> |
| 40 |
>> looks like, your ISP has a Transparent Proxy Setup running. |
| 41 |
|
| 42 |
Should I be worried about that? |
| 43 |
|
| 44 |
> Ports being shown as open does not mean that your machine is |
| 45 |
> listening, more like the firewall has some holes in it. If the |
| 46 |
|
| 47 |
Really? I thought a service had to be listening for the port to be |
| 48 |
open. So from nmap, there is no way to tell the difference between a |
| 49 |
port that isn't blocked by a firewall and one that is listening? |
| 50 |
|
| 51 |
> firewall is not configured/running on your server itself, then you may |
| 52 |
> be alright. Can you actually connect to your server using those |
| 53 |
> ports? |
| 54 |
|
| 55 |
If I enter the server's IP appended with one of the port numbers |
| 56 |
listed above into a web browser, I get: |
| 57 |
|
| 58 |
"tinyproxy 1.6.0 |
| 59 |
The page you requested was unavailable. The error code is listed |
| 60 |
below. In addition, the HTML file which has been configured as the |
| 61 |
page to be displayed when an error of this type was unavailable, with |
| 62 |
the error code 14 (Bad address). Please contact your administrator. |
| 63 |
Bad Request" |
| 64 |
|
| 65 |
The thing is, I get the same thing from any domain I enter appended |
| 66 |
with one of those ports. |
| 67 |
|
| 68 |
> Have you tried telnet, or nc -v -z <your_host_name> <port> to see if |
| 69 |
> they are open? |
| 70 |
|
| 71 |
Can you tell me what package nc is included in? |
| 72 |
|
| 73 |
- Grant |
Archives