[H-GEN] nmap scans

Johann Kwiatkowski johann at spot-the-dog.com
Sun Dec 15 17:57:51 EST 2002


[ Humbug *General* list - semi-serious discussions about Humbug and     ]
[ Unix-related topics. Posts from non-subscribed addresses will vanish. ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi All,
I have some questions, and my apologies if this is a bit
long winded. But first the set up, I have a cable modem connection (a
redhat 7.3 running on P75) and have recently moved my mail server (a
permanent dial up connection) to an ADSL connection at my place (an AMD
450, running redhat 8.0). So this gives me two internet connections. Now
I am not too proficient at iptables, and security (still learning), but
I know enough to turn off all services I don't need, set hosts.deny and
hosts.allow files to block all and only allow what is needed, to
check my logs on a regular basis and to update all programs as soon as
possible. (Since I currently run redhat 8.0, I have set a cron job to
update nightly).  Then the other day I discovered nmap, and did a probe on
what services I was actually exporting to the external interface, and
to my horror I got this response:

Port       State       Service
22/tcp     open        ssh                    
25/tcp     open        smtp                   
80/tcp     open        http                   
110/tcp    open        pop-3                  
139/tcp    filtered    netbios-ssn            
443/tcp    open        https                  
12345/tcp  filtered    NetBus                 
12346/tcp  filtered    NetBus                 
31337/tcp  filtered    Elite                  

I knew the Elite and the Netbus ones weren't meant to be there (a check
revealed that Elite was part of a trojan involving ssh about a year ago),
so my immediate thought was that I'd been hacked. I then disconnected
the mail server from the network. I re-installed another machine with
redhat 7.3, and set the same security parameters etc, and only connected
to the internet (via the ADSL connection, and not connected to the
internal network) when I had to do the updates. As soon as I connected,
I also did an nmap scan, and to my surprise I got very similar
results. Now I am 99.9% confident that the redhat 8.0 and 7.3 cds that I
have, have no trojans in them (the redhat 8.0 cds I bought as original
disks and the 7.3 cds are copies of original cds), and I seriously doubt
that I could be hacked in the few minutes or so that it took for the
machine to boot, establish a network connection and for me to do the
nmap scan (although I would imagine this is quite possible). On both
machines I looked for signs that a hack occurred, and I could not find
any (including looking through the logs, looking for files like ".. ",
using lsof and grepping for the port numbers that might be open, trying
to telnet in externally (this did not work), checking all of my config
files, looking for alterations). Although I am aware that anyone
serious about hacking into a machine will usually try to cover their
tracks. The only thing I can try is setting up a non-networked machine
and compare the md5 checksums of programs like ps, netstat, ls, that may
have been replaced to avoid detection.

I also tried replacing the ip addresses of my mail server, connecting it
to my internal network and port scanning it, and I don't find any of the
dubious services running. So at this moment I am suspecting that my ADSL
modem is somehow involved in showing the extra services or that nmap
may be at fault and might be getting confused, however I hold no
judgement until I can uncover the source of the open ports.

If anyone has any advice, I would appreciate that,

cheers

Johann

--
Johann Kwiatkowski
Spot The Dog Graphics
ph: (07) 33233677
fax: (07) 33233677
mobile: 0418 797 419
web: www.spot-the-dog.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Using GnuPG with Netscape - http://enigmail.mozdev.org

iD8DBQE9/QjugD9jJZkMANcRAtsIAJ9eLvJC8vtkF9jAHqxn4Goy1KyL8QCdH5Hb
stL9EIbl/Jo/xR3eluQlr5E=
=AxUT
-----END PGP SIGNATURE-----
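The two checks the post describes, triaging the nmap table and comparing
binaries against a clean, never-networked baseline, as an added example
(not part of the original post or of nmap). The port table is the one
quoted above; the set of intentionally exposed ports, the hash manifest
and the miniature file tree are constructed for the demonstration. The
point the code encodes is nmap's own definition of the states: "open"
means the host completed the TCP handshake, so a process is listening
there, while "filtered" means the probe got no SYN/ACK and no RST (it was
dropped, or answered with an ICMP unreachable, by a packet filter
somewhere between scanner and host), which says nothing about a listening
service on the host itself.

```python
"""Triage an nmap port table and verify binaries against a hash manifest.
Added example, not code from the original post.  Scan text is the table
quoted in the post; manifest and file tree are constructed."""
import hashlib
import os
import re
import tempfile

# Port table exactly as printed by the nmap version quoted in the post.
SCAN_OUTPUT = """\
Port       State       Service
22/tcp     open        ssh
25/tcp     open        smtp
80/tcp     open        http
110/tcp    open        pop-3
139/tcp    filtered    netbios-ssn
443/tcp    open        https
12345/tcp  filtered    NetBus
12346/tcp  filtered    NetBus
31337/tcp  filtered    Elite
"""

# Ports the administrator deliberately exposes (constructed assumption).
EXPECTED_OPEN = {22, 25, 80, 110, 443}

# One row of the table: "<port>/<proto>  <state>  <service>".
ROW_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|closed|filtered)\s+(\S+)", re.M)


def parse_nmap_table(text):
    """Return (port, proto, state, service) tuples; the header line is skipped."""
    return [(int(p), proto, state, svc)
            for p, proto, state, svc in ROW_RE.findall(text)]


def triage(rows, expected_open):
    """Separate results that need investigation from those that do not.

    Only 'open' ports prove a listener exists on the host, so an open port
    outside the expected set is the real finding.  'filtered' ports are
    reported separately: they are evidence of a packet filter on the path
    (host firewall, modem/router, or ISP), not of a service, and should be
    cross-checked against the host's own socket table (netstat/lsof)."""
    unexpected_open = sorted(r for r in rows
                             if r[2] == "open" and r[0] not in expected_open)
    filtered = sorted(r for r in rows if r[2] == "filtered")
    return {"unexpected_open": unexpected_open, "filtered": filtered}


def sha256_file(path):
    """Stream a file through SHA-256 (MD5 in the post; SHA-256 is the modern choice)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_binaries(root, manifest):
    """Return the manifest entries under root that are missing or whose hash
    differs.  The manifest {relative_path: sha256} must come from a trusted
    install, e.g. the non-networked machine the post proposes, and the check
    should be run with tools copied from that machine as well, since a
    replaced ps/ls/netstat cannot be trusted to report on itself."""
    bad = []
    for rel, expected in sorted(manifest.items()):
        path = os.path.join(root, rel)
        if not os.path.isfile(path) or sha256_file(path) != expected:
            bad.append(rel)
    return bad


def demo_integrity_check():
    """Constructed scenario: ps and ls match the baseline, netstat was altered."""
    clean = {"bin/ps": b"clean ps binary", "bin/ls": b"clean ls binary",
             "bin/netstat": b"clean netstat binary"}
    manifest = {name: hashlib.sha256(data).hexdigest()
                for name, data in clean.items()}
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        for name, data in clean.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(b"trojaned netstat" if name == "bin/netstat" else data)
        return verify_binaries(root, manifest)


if __name__ == "__main__":
    result = triage(parse_nmap_table(SCAN_OUTPUT), EXPECTED_OPEN)
    print("unexpected open:", result["unexpected_open"])
    print("filtered (path filter, verify locally):", result["filtered"])
    print("altered binaries:", demo_integrity_check())
```

Run against the quoted table, the triage reports no unexpected open ports
and lists 139, 12345, 12346 and 31337 as filtered, which matches the
poster's observation that the same ports vanish when the host is scanned
from the internal network and therefore points at something on the
external path rather than at the host.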



--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'.  See http://www.humbug.org.au/


