I have been hacked (WAS: Have I been hacked or is nmap wrong?)



On Wednesday 18 January 2006 14:34, Ken Stevenson pondered:
> Is there any chance you have a router that's forwarding the ports
> in question to another computer?

Not that I know of. The setup is quite simple:

   wireless  ethernet(PPPoE)            ethernet
ISP<------->Modem<------>FreeBSD gateway<------->LAN

FreeBSD is my router with ppp -ddial -nat and a custom ipfw script that blocks
all incoming connections while allowing legitimate traffic out (with
keep-state rules).

Check this out: ftp <my_server> gives

220 Frox transparent ftp proxy. Login with username[@host[:port]]
Name (...)

I have never even heard of "frox" before, but after some googling it turns out
that it's a GPL'ed transparent ftp proxy...

Also, I said smtp ports were open on the machines in question; I just verified
that I can send emails via BOTH these systems even though no
sendmail/exim/whatever was ever installed by me and sendmail_enable="None" on
both.

My servers have been compromised, fantastic. And that with an initial
firewall'ed setup that left NO open ports (I verified that a while ago with
nmap). So much for my impression that FreeBSD was secure.

How could this have happened? ipfw buffer overflow? Some other unknown
vulnerability?

I really wanna find out how they got in (syslog offers no clues btw, I've been
rootkitted after all :-( Any suggestions other than
format/reinstall/tripwire?

--
Kilian Hagemann

Climate Systems Analysis Group
University of Cape Town
Republic of South Africa
Tel(w): ++27 21 650 2748
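
Added example, not part of the original message: one way to follow up Ken Stevenson's question on the gateway itself is to compare the ports a scan reports as open with the TCP listeners that `sockstat -4 -l` shows locally. The function names, the sample sockstat output and the port lists are constructed for illustration.

```shell
#!/bin/sh
# Which ports that a scan reports "open" have no visible local TCP listener?

# Constructed sample of `sockstat -4 -l` output (not taken from the post).
sample_sockstat() {
cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       412   3  tcp4   *:22                  *:*
root     syslogd    301   6  udp4   *:514                 *:*
www      httpd      655   4  tcp4   192.168.0.1:80        *:*
EOF
}

# unexplained_ports "<ports the scan saw open>"  (sockstat output on stdin)
# Prints, one per line and in the order given, every scanned port for which
# no TCP listening socket appears in the sockstat output.
unexplained_ports() {
    awk -v want="$1" '
        BEGIN { n = split(want, w, /[ ,]+/) }
        # Skip the header; column 5 is the protocol, column 6 the local address.
        NR > 1 && $5 ~ /^tcp/ {
            p = $6
            sub(/.*:/, "", p)        # keep only the port after the last colon
            listening[p] = 1
        }
        END {
            for (i = 1; i <= n; i++)
                if (w[i] != "" && !(w[i] in listening))
                    print w[i]
        }'
}

# On a live host:  sockstat -4 -l | unexplained_ports "21 25"
# A port printed here answered the scan without a visible local process:
# either something else on the path answered, or the listener is hidden from
# sockstat, so on a suspect host use binaries from trusted media.
```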