1 |
On Tue, May 11, 2010 at 1:54 AM, Grant <emailgrant@×××××.com> wrote: |
2 |
>>> I nmap'ed one of my remote Gentoo servers today and besides the |
3 |
>>> expected open ports were these: |
4 |
>>> |
5 |
>>> 1080/tcp open socks |
6 |
>>> 3128/tcp open squid-http |
7 |
>>> 8080/tcp open http-proxy |
8 |
>>> |
9 |
>>> I'm not running any sort of proxy software that I know of and I should |
10 |
>>> be the only person whatsoever with access to the machine. 'netstat |
11 |
>>> -l' doesn't show any info on those ports at all so I suppose it's been |
12 |
>>> hacked as well? I installed and ran 'rkhunter --check' (what happened |
13 |
>>> to the chrootkit ebuild?) but it doesn't seem to be much use since I |
14 |
>>> hadn't established a "file of stored file properties". |
15 |
>>> |
16 |
>>> What do you guys think is going on? What should I do from here? |
17 |
>> |
18 |
>> What does lsof (I'd reinstall it afresh) show with regards to strange users? |
19 |
>> What users the above services run under. If indeed they are not legitimate |
20 |
>> and you confirm that they are not being run as packages that you installed, |
21 |
>> then I'm afraid the only sane option is to reinstall. |
22 |
> |
23 |
> Wow. I'm actually seeing the same thing from other domains I nmap. |
24 |
> Could my ISP have some kind of a weird environment set up that makes |
25 |
> it look like there are ports such as these open on remote systems? |
26 |
> Right now I'm on some kind of a shared connection where everyone has |
27 |
> their own modem or router or whatever it is, but I think everyone's IP |
28 |
> is the same. |
29 |
|
30 |
Like Norman suggested, sounds like maybe your ISP or local IT staff |
31 |
are playing man-in-the-middle. |
32 |
|
33 |
Try running the Netalyzer (warning: java) maybe it can tell you about |
34 |
it. http://netalyzr.icsi.berkeley.edu/ |
35 |
|
36 |
Otherwise, I would try to nmap your server from a different internet |
37 |
connection when possible. Hopefully you won't see those ports open on |
38 |
your server. Hopefully. :) |
39 |
|
40 |
I think nmap is typically not recommended to be run from behind |
41 |
router/NAT because the results are not necessarily true. |