nadamsieee (Guru) | Joined: 30 May 2003 | Posts: 340 | Location: Atlanta, GA, USA
Posted: Tue Feb 03, 2004 12:29 am | Post subject: hacked?
A friend, who is a Gentoo newbie, complained today that his KDE and cable modem were suddenly very slow. I decided to nmap his computer and this is the output:
Code:
```
Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2004-02-02 19:23 EST
Interesting ports on x.x.x.x:
(The 1648 ports scanned but not shown below are in state: closed)
PORT     STATE    SERVICE
22/tcp   open     ssh
135/tcp  filtered msrpc
136/tcp  filtered profile
137/tcp  filtered netbios-ns
138/tcp  filtered netbios-dgm
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
4444/tcp filtered krb524
Nmap run completed -- 1 IP address (1 host up) scanned in 33.323 seconds
```
When I run nmap on my machine, all ports are closed as expected. Does any of the above look like he has been hacked?
Thanks!
_________________
nadams (at) ieee (dot) org
imsdunn (n00b) | Joined: 06 Sep 2003 | Posts: 19
Posted: Tue Feb 03, 2004 12:40 am
More information:
Code:
```
# netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 1 0 ::ffff:x.x.x:32773 ::ffff:128.193.0.38:www CLOSE_WAIT
tcp 1 0 ::ffff:x.x.x:32774 ::ffff:128.193.0.38:www CLOSE_WAIT
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 4 [ ] DGRAM 1799 /dev/log
unix 3 [ ] STREAM CONNECTED 5170 /tmp/.esd/socket
unix 3 [ ] STREAM CONNECTED 5169
unix 2 [ ] STREAM 5166
unix 2 [ ] STREAM CONNECTED 5148
unix 2 [ ] STREAM CONNECTED 5140
unix 3 [ ] STREAM CONNECTED 5118 /tmp/.ICE-unix/dcop2958-1075846847
unix 3 [ ] STREAM CONNECTED 5117
unix 3 [ ] STREAM CONNECTED 5109 /tmp/.ICE-unix/3014
unix 3 [ ] STREAM CONNECTED 5108
unix 3 [ ] STREAM CONNECTED 5107 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 5106
unix 3 [ ] STREAM CONNECTED 5080 /tmp/.ICE-unix/3014
unix 3 [ ] STREAM CONNECTED 5079
unix 3 [ ] STREAM CONNECTED 5076 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 5075
unix 3 [ ] STREAM CONNECTED 5072 /tmp/.ICE-unix/dcop2958-1075846847
unix 3 [ ] STREAM CONNECTED 5071
unix 3 [ ] STREAM CONNECTED 5051 /home/sean/.kde3.1/socket-earl/klauncherat5Rma.slave-socket
unix 3 [ ] STREAM CONNECTED 5050
unix 3 [ ] STREAM CONNECTED 5026 /tmp/.ICE-unix/3014
unix 3 [ ] STREAM CONNECTED 5017
unix 3 [ ] STREAM CONNECTED 5014 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 5013
unix 3 [ ] STREAM CONNECTED 5012 /tmp/.ICE-unix/dcop2958-1075846847
unix 3 [ ] STREAM CONNECTED 5011
unix 3 [ ] STREAM CONNECTED 4980 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 4979
unix 3 [ ] STREAM CONNECTED 4624 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 4623
unix 3 [ ] STREAM CONNECTED 4991 /tmp/.ICE-unix/3014
unix 3 [ ] STREAM CONNECTED 4612
unix 3 [ ] STREAM CONNECTED 4608 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 4607
unix 3 [ ] STREAM CONNECTED 4606 /tmp/.ICE-unix/dcop2958-1075846847
unix 3 [ ] STREAM CONNECTED 4605
unix 3 [ ] STREAM CONNECTED 4568 /tmp/.ICE-unix/3014
unix 3 [ ] STREAM CONNECTED 4559
unix 3 [ ] STREAM CONNECTED 4556 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 4555
unix 3 [ ] STREAM CONNECTED 4554 /tmp/.ICE-unix/dcop2958-1075846847
unix 3 [ ] STREAM CONNECTED 4553
unix 3 [ ] STREAM CONNECTED 4565 /tmp/.ICE-unix/3014
unix 3 [ ] STREAM CONNECTED 4551
unix 3 [ ] STREAM CONNECTED 4548 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 4547
unix 3 [ ] STREAM CONNECTED 4546 /tmp/.ICE-unix/dcop2958-1075846847
unix 3 [ ] STREAM CONNECTED 4545
unix 3 [ ] STREAM CONNECTED 4563 /tmp/.ICE-unix/3014
unix 3 [ ] STREAM CONNECTED 4543
unix 3 [ ] STREAM CONNECTED 4540 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 4539
unix 3 [ ] STREAM CONNECTED 4538 /tmp/.ICE-unix/dcop2958-1075846847
unix 3 [ ] STREAM CONNECTED 4537
unix 3 [ ] STREAM CONNECTED 4533 /tmp/.ICE-unix/3014
unix 3 [ ] STREAM CONNECTED 4532
unix 3 [ ] STREAM CONNECTED 4526 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 4525
unix 3 [ ] STREAM CONNECTED 4524 /tmp/.ICE-unix/dcop2958-1075846847
unix 3 [ ] STREAM CONNECTED 4523
unix 3 [ ] STREAM CONNECTED 4497 /tmp/.ICE-unix/3014
unix 3 [ ] STREAM CONNECTED 4496
unix 3 [ ] STREAM CONNECTED 4489 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 4488
unix 3 [ ] STREAM CONNECTED 4487 /tmp/.ICE-unix/dcop2958-1075846847
unix 3 [ ] STREAM CONNECTED 4486
unix 3 [ ] STREAM CONNECTED 4469 /tmp/.ICE-unix/3014
unix 3 [ ] STREAM CONNECTED 4468
unix 3 [ ] STREAM CONNECTED 4465 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 4464
unix 3 [ ] STREAM CONNECTED 4463 /tmp/.ICE-unix/dcop2958-1075846847
unix 3 [ ] STREAM CONNECTED 4462
unix 3 [ ] STREAM CONNECTED 4456 /tmp/.ICE-unix/dcop2958-1075846847
unix 3 [ ] STREAM CONNECTED 4455
unix 3 [ ] STREAM CONNECTED 4450 /tmp/.ICE-unix/3014
unix 3 [ ] STREAM CONNECTED 4449
unix 3 [ ] STREAM CONNECTED 4448 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 4447
unix 3 [ ] STREAM CONNECTED 4442 /tmp/.ICE-unix/dcop2958-1075846847
unix 3 [ ] STREAM CONNECTED 4441
unix 3 [ ] STREAM CONNECTED 4438 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 4437
unix 3 [ ] STREAM CONNECTED 4431 /home/sean/.kde3.1/socket-earl/kdeinit-:0
unix 3 [ ] STREAM CONNECTED 4430
unix 3 [ ] STREAM CONNECTED 4417 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 4416
unix 3 [ ] STREAM CONNECTED 4415 /tmp/.ICE-unix/dcop2958-1075846847
unix 3 [ ] STREAM CONNECTED 4414
unix 3 [ ] STREAM CONNECTED 4362 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 4361
unix 3 [ ] STREAM CONNECTED 4320 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 4319
unix 3 [ ] STREAM CONNECTED 4318 /tmp/.ICE-unix/dcop2958-1075846847
unix 3 [ ] STREAM CONNECTED 4317
unix 3 [ ] STREAM CONNECTED 4305 /tmp/.ICE-unix/dcop2958-1075846847
unix 3 [ ] STREAM CONNECTED 4304
unix 3 [ ] STREAM CONNECTED 4299
unix 3 [ ] STREAM CONNECTED 4298
unix 3 [ ] STREAM CONNECTED 4010 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 3975
unix 2 [ ] DGRAM 3961
unix 2 [ ] DGRAM 3598
```
Please help! I am a newbie and do not know what all of this means.
_________________
---------------------
s.dunn
imsdunn (n00b) | Joined: 06 Sep 2003 | Posts: 19
Posted: Tue Feb 03, 2004 12:52 am
Here is some more info that might help. I ran chkrootkit:
Code:
```
# chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not found
Checking `mail'... not found
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not tested
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not found
Checking `vdir'... not found
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/.keep
/usr/lib/perl5/5.8.0/i686-linux/.packlist
/usr/lib/perl5/site_perl/5.8.0/i686-linux/auto/Gtk/Gdk/Pixbuf/.packlist
/usr/lib/perl5/site_perl/5.8.0/i686-linux/auto/Gtk/Gdk/ImlibImage/.packlist
/usr/lib/perl5/site_perl/5.8.0/i686-linux/auto/Gtk/base/.packlist
/usr/lib/perl5/site_perl/5.8.0/i686-linux/auto/Gtk/XmHTML/.packlist
/usr/lib/perl5/site_perl/5.8.0/i686-linux/auto/Gimp/.packlist
/usr/lib/locale/ru_RU/LC_MESSAGES/.keep
/usr/lib/nsbrowser/plugins/.keep
/lib/.keep
/lib/dev-state/.keep
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1... nothing found
Searching for LOC rootkit ... nothing found
Searching for Romanian rootkit ... nothing found
Searching for Suckit rootkit ... nothing found
Searching for Volc rootkit ... nothing found
Searching for Gold2 rootkit ... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... Checking `rexedcs'... not found
Checking `sniffer'...
eth0 is not promisc
Checking `wted'... 2 deletion(s) between Thu Oct 9 21:49:31 2003 and Thu Oct 9 17:55:09 2003
nothing deleted
Checking `w55808'... not infected
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'...
nothing deleted
```
_________________
---------------------
s.dunn
pakman (Tux's lil' helper) | Joined: 06 Jan 2004 | Posts: 100
Posted: Tue Feb 03, 2004 1:24 am
Those filtered ports could be due to the ISP blocking them, quite likely at the moment to limit worms spreading via the Windows file shares (on the 135-139 ones). Was the scan done at a different time to that netstat output? ssh doesn't show up on the netstat but does on the scan, which is possibly worrying. It could indicate the netstat has been trojaned, or that ssh was stopped between the two.

btw: probably best to `nmap -p 1-65535 <ip>` to make sure it scans all ports; the default is to skip quite a few... any hacker activity is likely to be on a high port that nmap misses on its default scan. Notice this bit:
Code:
```
(The 1648 ports scanned but not shown below are in state: closed)
```
There's 65536 (2^16) odd ports available :-)
nadamsieee (Guru) | Joined: 30 May 2003 | Posts: 340 | Location: Atlanta, GA, USA
Posted: Tue Feb 03, 2004 2:10 am
pakman wrote:
> Those filtered ports could be due to the ISP blocking them, quite likely at the moment to limit worms spreading via the Windows file shares (on the 135-139 ones).

Duh. Thanks for smacking me with the obvious stick.

pakman wrote:
> Was the scan done at a different time to that netstat output? ssh doesn't show up on the netstat but does on the scan, which is possibly worrying. It could indicate the netstat has been trojaned, or that ssh was stopped between the two.

The nmap scan and the netstat dump were done within minutes of each other while I was on the phone with imsdunn. I'm 99.9% sure he didn't shut down ssh at any point in time.

pakman wrote:
> btw: probably best to `nmap -p 1-65535 <ip>` to make sure it scans all ports; the default is to skip quite a few... any hacker activity is likely to be on a high port that nmap misses on its default scan. Notice this bit:
> ```
> (The 1648 ports scanned but not shown below are in state: closed)
> ```
> There's 65536 (2^16) odd ports available :-)

Thanks again; I wasn't aware of nmap's default behaviour. I will scan again and post anything interesting.
_________________
nadams (at) ieee (dot) org
nadamsieee (Guru) | Joined: 30 May 2003 | Posts: 340 | Location: Atlanta, GA, USA
Posted: Mon Feb 09, 2004 1:10 am
I rescanned Sean's computer tonight:
Code:
```
# nmap -p 1-65535 x.x.x.x
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-02-08 19:57 EST
Interesting ports on hostname (x.x.x.x):
(The 65526 ports scanned but not shown below are in state: closed)
PORT     STATE    SERVICE
22/tcp   open     ssh
135/tcp  filtered msrpc
136/tcp  filtered profile
137/tcp  filtered netbios-ns
138/tcp  filtered netbios-dgm
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
4444/tcp filtered krb524
Nmap run completed -- 1 IP address (1 host up) scanned in 486.653 seconds
```
Does anyone have any other ideas why his computer would have been slow? He said it is running normally tonight. Flaky hard drive maybe?
_________________
nadams (at) ieee (dot) org
D. M. P. inc (Apprentice) | Joined: 29 Sep 2003 | Posts: 228 | Location: /home/dmpinc
Posted: Mon Feb 09, 2004 3:14 am
A few reasons computers and the internet are slow: the computer has been up for a while, and the cable hasn't been rebooted for a while either (sometimes when the ISP updates their server, the cable box tries to update but there are conflicts). Try rebooting everything, because this is the basic problem.
_________________
Live And Learn.
zeky (Guru) | Joined: 24 Feb 2003 | Posts: 470 | Location: Vukojebina, Europe
Posted: Mon Feb 09, 2004 9:10 am
If nmap says a port is filtered it means that something is blocking it on the way (and that way would be from your PC, where you run nmap, through one or more ISPs to the destination PC that you're scanning). It does NOT necessarily mean that this port is opened and filtered on your box.
_________________
Beat your dick like it owes you money
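pakman's two points (a default nmap run covers only a subset of the 65535 ports, and a port that is open from outside but has no matching listener on the host deserves a second look) and zeky's point (a `filtered` result reflects something on the path, not a service on the scanned box) can be turned into a mechanical cross-check of the outside view against the host's own view. The Python below is an added example, not code posted in this thread. The nmap text is the thread's second, full-range scan; the `netstat -ltn` listings are constructed, because the netstat pasted above was run without `-l` and, as its own header says ("w/o servers"), lists only established connections, so it could never have shown whether sshd was listening.

```python
import re

# The thread's full-range scan, reused here as sample input.
NMAP_FULL_SCAN = """\
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-02-08 19:57 EST
Interesting ports on hostname (x.x.x.x):
(The 65526 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
22/tcp open ssh
135/tcp filtered msrpc
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
593/tcp filtered http-rpc-epmap
4444/tcp filtered krb524
Nmap run completed -- 1 IP address (1 host up) scanned in 486.653 seconds
"""

# Trimmed from the thread's first, default-range scan (constructed excerpt).
NMAP_DEFAULT_SCAN = """\
(The 1648 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
22/tcp open ssh
"""

# Constructed `netstat -ltn` listings from the scanned host: one with sshd
# listening, one where the host reports no listener on 22 at all.
NETSTAT_WITH_SSHD = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
"""
NETSTAT_WITHOUT_SSHD = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
HIDDEN_LINE = re.compile(r"\(The (\d+) ports scanned but not shown below")
LISTEN_LINE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+LISTEN")


def parse_nmap(text):
    """Return ({port: state}, number of ports the scan actually covered)."""
    states, hidden = {}, 0
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            states[int(m.group(1))] = m.group(3)
            continue
        m = HIDDEN_LINE.search(line)
        if m:
            hidden = int(m.group(1))  # ports nmap scanned but did not list
    return states, hidden + len(states)


def parse_listening(text):
    """Return the set of TCP ports the host itself reports in LISTEN state."""
    return {int(m.group(1)) for m in map(LISTEN_LINE.match, text.splitlines()) if m}


def cross_check(nmap_text, netstat_text, max_port=65535):
    """Compare the outside view (nmap) with the host's own view (netstat -l)."""
    states, covered = parse_nmap(nmap_text)
    listening = parse_listening(netstat_text)
    open_ports = {p for p, s in states.items() if s == "open"}
    return {
        # Open from outside but no listener reported by the host: either the
        # service stopped between the two runs or the host's netstat is lying.
        "open_not_listening": sorted(open_ports - listening),
        # Listener reported by the host but not open from outside: bound to
        # loopback, or blocked on the path; not suspicious on its own.
        "listening_not_open": sorted(listening - open_ports),
        # "filtered" means a device on the path dropped the probe; it says
        # nothing about a service running on the scanned box.
        "filtered": sorted(p for p, s in states.items() if s == "filtered"),
        # A default scan stops well short of 1-65535; flag partial coverage.
        "full_range": covered >= max_port,
    }


if __name__ == "__main__":
    for label, listing in (("sshd listening", NETSTAT_WITH_SSHD),
                           ("no sshd listener", NETSTAT_WITHOUT_SSHD)):
        print(label, cross_check(NMAP_FULL_SCAN, listing))
    print("default scan", cross_check(NMAP_DEFAULT_SCAN, NETSTAT_WITH_SSHD))
```

A non-empty `open_not_listening` is the only result here that points at the host rather than the path; when it fires, compare the output of the host's netstat with the same view taken from a trusted copy of the tool (a rescue CD, as later in this thread) before concluding anything about the binary.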
ed0n (l33t) | Joined: 23 Apr 2003 | Posts: 638 | Location: Prishtine/Kosove
Posted: Mon Feb 09, 2004 9:40 am
If I saw that output of nmap I would not say that somebody broke into his box. If you want to know if somebody broke into your box you need to be fast and always check the logs and back up your system.
converter (Apprentice) | Joined: 24 Dec 2002 | Posts: 163
Posted: Mon Feb 09, 2004 3:34 pm
Quote:
> A friend, who is a Gentoo newbie, complained today that his KDE and cable modem were suddenly very slow. I decided to nmap his computer and this is the output:

If KDE is slow to start up, have your friend make sure he has the proper entry for the loopback interface in /etc/hosts:
```
127.0.0.1 localhost.localdomain localhost
```
I seem to recall that forcing KDE to go to a DNS server to do lookups for localhost at startup can cause severe slowdowns.
_________________
converter
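converter's advice can be checked mechanically: parse /etc/hosts the way the resolver's `files` lookup does (comments and blank lines skipped, first entry for a name wins) and confirm that `localhost` and `localhost.localdomain` resolve to a loopback address, so that no lookup for them ever has to leave the machine. This is an added example in Python, not code from the thread; the three hosts-file bodies are constructed, and the hostname `earl` is borrowed from the socket paths in the netstat dump earlier in the thread.

```python
# Constructed /etc/hosts bodies: a correct one, one where the loopback line
# was commented out by mistake, and one where localhost is an alias of the
# LAN address instead of 127.0.0.1.
GOOD_HOSTS = """\
# /etc/hosts
127.0.0.1    localhost.localdomain localhost
192.168.1.10 earl.example.lan earl    # LAN address
"""
COMMENTED_OUT_HOSTS = """\
#127.0.0.1    localhost.localdomain localhost
192.168.1.10 earl.example.lan earl
"""
WRONG_ADDRESS_HOSTS = """\
192.168.1.10 earl localhost
"""

LOOPBACK_NAMES = ("localhost", "localhost.localdomain")


def parse_hosts(text):
    """Map each hostname to the address on its first /etc/hosts line.

    Full-line and trailing '#' comments and blank lines are skipped; the
    first entry for a name wins, as it does for the resolver's files lookup.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        for name in names:
            mapping.setdefault(name.lower(), address)
    return mapping


def is_loopback(address):
    """True for the IPv4 loopback block or the IPv6 loopback address."""
    return address.startswith("127.") or address == "::1"


def loopback_problems(hosts_text):
    """Return one message per loopback name that would not resolve locally."""
    mapping = parse_hosts(hosts_text)
    problems = []
    for name in LOOPBACK_NAMES:
        address = mapping.get(name)
        if address is None:
            problems.append(f"{name}: missing, lookup falls through to DNS")
        elif not is_loopback(address):
            problems.append(f"{name}: maps to {address}, not loopback")
    return problems


if __name__ == "__main__":
    for label, body in (("good", GOOD_HOSTS),
                        ("commented out", COMMENTED_OUT_HOSTS),
                        ("wrong address", WRONG_ADDRESS_HOSTS)):
        print(label, loopback_problems(body) or "ok")
```

On a live system, `getent hosts localhost` shows what the resolver actually returns, including the effect of the `hosts:` order in /etc/nsswitch.conf, so a clean result from the file alone is necessary but not sufficient.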
imsdunn (n00b) | Joined: 06 Sep 2003 | Posts: 19
Posted: Tue Feb 10, 2004 4:56 am
Quote:
> A few reasons computers and the internet are slow: the computer has been up for a while, and the cable hasn't been rebooted for a while either (sometimes when the ISP updates their server, the cable box tries to update but there are conflicts). Try rebooting everything, because this is the basic problem.

Thanks for the input. I was discussing this last night with nadams. I sometimes switch the ethernet cable from this box to my laptop without powering down and resetting the cable modem.

Quote:
> If KDE is slow to start up, have your friend make sure he has the proper entry for the loopback interface in /etc/hosts:
> ```
> 127.0.0.1 localhost.localdomain localhost
> ```
> I seem to recall that forcing KDE to go to a DNS server to do lookups for localhost at startup can cause severe slowdowns.

Thanks! I will try looking at this too!
_________________
---------------------
s.dunn
nadamsieee (Guru) | Joined: 30 May 2003 | Posts: 340 | Location: Atlanta, GA, USA
Posted: Thu Feb 12, 2004 2:18 am
imsdunn's machine failed to boot, and he is using fsck (on his Gentoo CD) to check the partitions as I type this. fsck has found several errors thus far. So chalk this one up to a bad hard drive.

Thanks again to everyone who helped!
_________________
nadams (at) ieee (dot) org