Have I been hacked or is nmap wrong?



Hi there,

I'm managing two FreeBSD based gateways, one running 5.2.1-RELEASE and the
other 5.3-STABLE, both not having been updated since I installed from ISO
images. They both have custom ipfw firewalls that are dropping pretty much
everything that's not supposed to come in.

All was fine and dandy until one day I noticed that when I nmap'ed them from
the outside, the one shows

(The 1663 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
80/tcp open http
554/tcp open rtsp
1755/tcp open wms
5190/tcp open aol

and the other the same without the http bit. When I nmap them from the only
address that they allow ssh&rsync access from (my public IP at work), nmap
says that ftp, smtp and irc(port 6668) are open.

Even though I have sendmail_enable="none" in my rc.conf I still get some
sendmail entries in my syslog so that might explain the open smtp port, but
the others are DEFINITELY NOT supposed to be open.

I haven't noticed anything different on the servers themselves and neither can
I detect these open ports on the machine itself (using lsof -i :1-65535 or
netstat). I also haven't noticed any abnormal traffic volumes originating
from them.

So, have I been hacked and rootkitted? Or is nmap simply lying to me?

I've been subscribed to freebsd-announce and thus seen all SAs to date, but
none of them are relevant to any of my setups.

--
Kilian Hagemann

Climate Systems Analysis Group
University of Cape Town
Republic of South Africa
Tel(w): ++27 21 650 2748
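
The cross-check described in the message above (ports nmap reports open from outside versus sockets actually listening on the host), as an added example that is not part of the original post. The nmap lines are the ones quoted in the message; the netstat lines are constructed sample data in FreeBSD `netstat -an -p tcp` format, and the function names are hypothetical.

```python
import re

# nmap result lines as quoted in the post
NMAP_OUTPUT = """\
PORT STATE SERVICE
80/tcp open http
554/tcp open rtsp
1755/tcp open wms
5190/tcp open aol
"""
# Constructed sample in FreeBSD `netstat -an -p tcp` format (not from the post)
NETSTAT_OUTPUT = """\
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.80                   *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  192.0.2.10.22          198.51.100.7.51514     ESTABLISHED
"""
NMAP_LINE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)")
LISTEN_LINE = re.compile(r"^tcp[46]*\s+\d+\s+\d+\s+(\S+)\s+\S+\s+LISTEN\b")

def nmap_open_ports(text):
    """Return {port: service} for TCP ports nmap reports as 'open'."""
    ports = {}
    for line in text.splitlines():
        m = NMAP_LINE.match(line.strip())
        if m:
            ports[int(m.group(1))] = m.group(2)
    return ports

def local_listeners(text):
    """Return the set of TCP ports in LISTEN state from netstat -an output."""
    ports = set()
    for line in text.splitlines():
        m = LISTEN_LINE.match(line.strip())
        if m:
            # FreeBSD prints address.port, so the port follows the last dot
            port = m.group(1).rsplit(".", 1)[-1]
            if port.isdigit():
                ports.add(int(port))
    return ports

def unexplained(nmap_text, netstat_text):
    """Ports nmap saw open that have no visible local LISTEN socket, sorted."""
    seen = nmap_open_ports(nmap_text)
    listening = local_listeners(netstat_text)
    return [(p, seen[p]) for p in sorted(seen) if p not in listening]

if __name__ == "__main__":
    for port, service in unexplained(NMAP_OUTPUT, NETSTAT_OUTPUT):
        print(f"{port}/tcp ({service}): open per nmap, no local LISTEN socket")
```
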