Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-user

From: Paul Hartman <paul.hartman+gentoo@×××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] I've been hacked.
Date: Tue, 11 May 2010 14:29:59
Message-Id: AANLkTilajA-TbKMRPFSJhjEGUkPwfY_9_m6NzRBCjOuB@mail.gmail.com
In Reply to: Re: [gentoo-user] I've been hacked. by Grant
1 On Tue, May 11, 2010 at 1:54 AM, Grant <emailgrant@×××××.com> wrote:
2 >>> I nmap'ed one of my remote Gentoo servers today and besides the
3 >>> expected open ports were these:
4 >>>
5 >>> 1080/tcp open socks
6 >>> 3128/tcp open squid-http
7 >>> 8080/tcp open http-proxy
8 >>>
9 >>> I'm not running any sort of proxy software that I know of and I should
10 >>> be the only person whatsoever with access to the machine. 'netstat
11 >>> -l' doesn't show any info on those ports at all so I suppose it's been
12 >>> hacked as well? I installed and ran 'rkhunter --check' (what happened
13 >>> to the chrootkit ebuild?) but it doesn't seem to be much use since I
14 >>> hadn't established a "file of stored file properties".
15 >>>
16 >>> What do you guys think is going on? What should I do from here?
17 >>
18 >> What does lsof (I'd reinstall it afresh) show with regards to strange users?
19 >> What users the above services run under. If indeed they are not legitimate
20 >> and you confirm that they are not being run as packages that you installed,
21 >> then I'm afraid the only sane option is to reinstall.
22 >
23 > Wow. I'm actually seeing the same thing from other domains I nmap.
24 > Could my ISP have some kind of a weird environment set up that makes
25 > it look like there are ports such as these open on remote systems?
26 > Right now I'm on some kind of a shared connection where everyone has
27 > their own modem or router or whatever it is, but I think everyone's IP
28 > is the same.
29
30 Like Norman suggested, sounds like maybe your ISP or local IT staff
31 are playing man-in-the-middle.
32
33 Try running the Netalyzer (warning: java) maybe it can tell you about
34 it. http://netalyzr.icsi.berkeley.edu/
35
36 Otherwise, I would try to nmap your server from a different internet
37 connection when possible. Hopefully you won't see those ports open on
38 your server. Hopefully. :)
39
40 I think nmap is typically not recommended to be run from behind
41 router/NAT because the results are not necessarily true.
Report Message
Find on MARC Find on Google Groups