1 |
On 05/11/2010 10:28 PM, Grant wrote: |
2 |
>>>>>> I nmap'ed one of my remote Gentoo servers today and besides the |
3 |
>>>>>> expected open ports were these: |
4 |
>>>>>> |
5 |
>>>>>> 1080/tcp open socks |
6 |
>>>>>> 3128/tcp open squid-http |
7 |
>>>>>> 8080/tcp open http-proxy |
8 |
>>>>>> |
9 |
>>>>>> I'm not running any sort of proxy software that I know of and I should |
10 |
>>>>>> be the only person whatsoever with access to the machine. 'netstat |
11 |
>>>>>> -l' doesn't show any info on those ports at all so I suppose it's been |
12 |
>>>>>> hacked as well? I installed and ran 'rkhunter --check' (what happened |
13 |
>>>>>> to the chrootkit ebuild?) but it doesn't seem to be much use since I |
14 |
>>>>>> hadn't established a "file of stored file properties". |
15 |
>>>>>> |
16 |
>>>>>> What do you guys think is going on? What should I do from here? |
17 |
>>>>>> |
18 |
>>>>> |
19 |
>>>>> What does lsof (I'd reinstall it afresh) show with regards to strange |
20 |
>>>>> users? |
21 |
>>>>> What users the above services run under. If indeed they are not |
22 |
>>>>> legitimate |
23 |
>>>>> and you confirm that they are not being run as packages that you |
24 |
>>>>> installed, |
25 |
>>>>> then I'm afraid the only sane option is to reinstall. |
26 |
>>>>> |
27 |
>>>> |
28 |
>>>> Wow. I'm actually seeing the same thing from other domains I nmap. |
29 |
>>>> Could my ISP have some kind of a weird environment set up that makes |
30 |
>>>> it look like there are ports such as these open on remote systems? |
31 |
>>>> Right now I'm on some kind of a shared connection where everyone has |
32 |
>>>> their own modem or router or whatever it is, but I think everyone's IP |
33 |
>>>> is the same. |
34 |
>>>> |
35 |
>>>> - Grant |
36 |
>>>> |
37 |
>>>> |
38 |
>>> |
39 |
>>> Hello, |
40 |
>>> |
41 |
>>> looks like, your ISP has a Transparent Proxy Setup running. |
42 |
> |
43 |
> Should I be worried about that? |
44 |
|
45 |
"Your ISP" in this case means the ISP of your home, not the server's. |
46 |
That means you will see these ports apparently open for every |
47 |
IP/hostname you try. |