>> I nmap'ed one of my remote Gentoo servers today and besides the
>> expected open ports were these:
>>
>> 1080/tcp open socks
>> 3128/tcp open squid-http
>> 8080/tcp open http-proxy
>>
>> I'm not running any sort of proxy software that I know of and I should
>> be the only person whatsoever with access to the machine. 'netstat
>> -l' doesn't show any info on those ports at all so I suppose it's been
>> hacked as well? I installed and ran 'rkhunter --check' (what happened
>> to the chkrootkit ebuild?) but it doesn't seem to be much use since I
>> hadn't established a "file of stored file properties".
>>
>> What do you guys think is going on? What should I do from here?
>
> What does lsof (I'd reinstall it afresh) show with regards to strange users?
> What users do the above services run under? If indeed they are not legitimate
> and you confirm that they are not being run as packages that you installed,
> then I'm afraid the only sane option is to reinstall.

Wow. I'm actually seeing the same thing from other domains I nmap.
Could my ISP have some kind of a weird environment set up that makes
it look like there are ports such as these open on remote systems?
Right now I'm on some kind of a shared connection where everyone has
their own modem or router or whatever it is, but I think everyone's IP
is the same.

- Grant
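
The comparison the thread is working toward, as an added example that is not part of the original messages: list the TCP ports the kernel reports in LISTEN state (read from `/proc/net/tcp`-format text rather than through `netstat`) and flag ports that nmap reports open but that have no local listener. Both sample inputs are constructed; ports 22 and 80 stand in for the unspecified "expected" ports, and only IPv4 (`/proc/net/tcp`) is parsed.

```python
import re

# Constructed sample in /proc/net/tcp format (not from the thread): listeners
# on 0.0.0.0:22 and 0.0.0.0:80 (state 0A) plus one established connection
# (state 01) that must be ignored.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1
   2: 0A00000A:0016 0A000014:C350 01 00000000:00000000 00:00000000 00000000     0        0 1236 1
"""

# The three proxy lines quoted in the thread, plus the two assumed expected ports.
SAMPLE_NMAP = """\
22/tcp open ssh
80/tcp open http
1080/tcp open socks
3128/tcp open squid-http
8080/tcp open http-proxy
"""

TCP_LISTEN = "0A"  # kernel state code for LISTEN in /proc/net/tcp


def listening_ports(proc_net_tcp: str) -> set[int]:
    """Ports in LISTEN state; local_address is HEXIP:HEXPORT."""
    ports = set()
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue
        ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports


def nmap_open_ports(nmap_output: str) -> dict[int, str]:
    """Map port -> service name for every 'N/tcp open name' line."""
    pattern = r"^(\d+)/tcp\s+open\s+(\S+)"
    return {int(m.group(1)): m.group(2) for m in re.finditer(pattern, nmap_output, re.M)}


def unexplained(nmap_output: str, proc_net_tcp: str) -> dict[int, str]:
    """Ports nmap saw open that the host itself is not listening on."""
    local = listening_ports(proc_net_tcp)
    return {p: s for p, s in nmap_open_ports(nmap_output).items() if p not in local}


if __name__ == "__main__":
    for port, service in sorted(unexplained(SAMPLE_NMAP, SAMPLE_PROC_NET_TCP).items()):
        print(f"{port}/tcp ({service}): open from outside, no local listener")
```

On a live host, pass the contents of `/proc/net/tcp` and the saved nmap output instead of the samples. Ports flagged here that also disappear when the scan is repeated from a different network point to something in the scanning path answering, which is the situation Grant describes.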