1 |
On Tuesday 11 May 2010 05:58:28 Grant wrote: |
2 |
> I nmap'ed one of my remote Gentoo servers today and besides the |
3 |
> expected open ports were these: |
4 |
> |
5 |
> 1080/tcp open socks |
6 |
> 3128/tcp open squid-http |
7 |
> 8080/tcp open http-proxy |
8 |
> |
9 |
> I'm not running any sort of proxy software that I know of and I should |
10 |
> be the only person whatsoever with access to the machine. 'netstat |
11 |
> -l' doesn't show any info on those ports at all so I suppose it's been |
12 |
> hacked as well? I installed and ran 'rkhunter --check' (what happened |
13 |
> to the chrootkit ebuild?) but it doesn't seem to be much use since I |
14 |
> hadn't established a "file of stored file properties". |
15 |
> |
16 |
> What do you guys think is going on? What should I do from here? |
17 |
|
18 |
What does lsof (I'd reinstall it afresh) show with regards to strange users? |
19 |
What users the above services run under. If indeed they are not legitimate |
20 |
and you confirm that they are not being run as packages that you installed, |
21 |
then I'm afraid the only sane option is to reinstall. |
22 |
|
23 |
-- |
24 |
Regards, |
25 |
Mick |