thaldyron Apprentice
Joined: 25 Sep 2002 Posts: 227 Location: On Earth
Posted: Sat Feb 12, 2005 12:26 pm Post subject: Did I get hacked? [Solved - No I didn't]
Just for the fun of it I portscanned my gateway at home and the result was quite strange since the only ports with running services should be 22 and 81:
Code:
>> nmap 192.168.0.1
Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2005-02-12 13:06 CET
Interesting ports on 192.168.0.1:
(The 1594 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
7/tcp filtered echo
11/tcp filtered systat
22/tcp open ssh
41/tcp filtered graphics
57/tcp filtered priv-term
81/tcp open hosts2-ns
83/tcp filtered mit-ml-dev
104/tcp filtered acr-nema
125/tcp filtered locus-map
129/tcp filtered pwdgen
134/tcp filtered ingres-net
174/tcp filtered mailq
210/tcp filtered z39.50
227/tcp filtered unknown
254/tcp filtered unknown
283/tcp filtered unknown
335/tcp filtered unknown
338/tcp filtered unknown
343/tcp filtered unknown
396/tcp filtered netware-ip
448/tcp filtered ddm-ssl
466/tcp filtered digital-vrc
484/tcp filtered integra-sme
494/tcp filtered pov-ray
514/tcp filtered shell
517/tcp filtered talk
545/tcp filtered ekshell
559/tcp filtered teedtap
592/tcp filtered eudora-set
664/tcp filtered unknown
684/tcp filtered unknown
728/tcp filtered unknown
753/tcp filtered rrh
754/tcp filtered krb_prop
758/tcp filtered nlogin
780/tcp filtered wpgs
790/tcp filtered unknown
859/tcp filtered unknown
874/tcp filtered unknown
884/tcp filtered unknown
885/tcp filtered unknown
1014/tcp filtered unknown
1109/tcp filtered kpop
1358/tcp filtered connlcli
1359/tcp filtered ftsrv
1434/tcp filtered ms-sql-m
1442/tcp filtered cadis-2
1472/tcp filtered csdm
1489/tcp filtered dmdocbroker
1538/tcp filtered 3ds-lm
1664/tcp filtered netview-aix-4
1995/tcp filtered perf-port
2017/tcp filtered cypress-stat
2112/tcp filtered kip
3264/tcp filtered ccmail
4559/tcp filtered hylafax
5191/tcp filtered aol-1
5304/tcp filtered hacl-local
5540/tcp filtered sdreport
5977/tcp filtered ncd-pref-tcp
6000/tcp filtered X11
6143/tcp filtered watershed-lm
6346/tcp filtered gnutella
6558/tcp filtered xdsxdm
7201/tcp filtered dlip
7597/tcp filtered qaz
10005/tcp filtered stel
13718/tcp filtered VeritasNetbackup
32786/tcp filtered sometimes-rpc25
5 minutes later I repeated the same scan and got the normal output:
Code:
>> nmap 192.168.0.1
Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2005-02-12 13:10 CET
Interesting ports on 192.168.0.1:
(The 1661 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
22/tcp open ssh
81/tcp open hosts2-ns
Nmap run completed -- 1 IP address (1 host up) scanned in 0.220 seconds
I was running the latest stable version of SSH and Apache and Chkrootkit didn't find anything.
What should I do now?
Last edited by thaldyron on Sat Feb 12, 2005 6:39 pm; edited 3 times in total

z4Rilla Apprentice
Joined: 22 Dec 2003 Posts: 291 Location: EU
Posted: Sat Feb 12, 2005 1:21 pm
Check if xinetd or inetd are/were running!

gurke Apprentice
Joined: 10 Jul 2003 Posts: 260
Posted: Sat Feb 12, 2005 2:37 pm
Do you have port-forwarding enabled?

thaldyron Apprentice
Joined: 25 Sep 2002 Posts: 227 Location: On Earth
Posted: Sat Feb 12, 2005 3:34 pm
gurke wrote: do you have port-forwarding enabled?
Yes
z4Rilla wrote: check if xinetd or inetd are/were running !
No xinetd nor inetd.
/var/log/messages doesn't have any anomalies except the daily SSH-password-tryout attempts.

gurke Apprentice
Joined: 10 Jul 2003 Posts: 260
thaldyron Apprentice
Joined: 25 Sep 2002 Posts: 227 Location: On Earth
Posted: Sat Feb 12, 2005 4:36 pm
Thanks,
from the URL:
Quote:
Filtered means that a firewall, filter, or other network obstacle is covering the port and preventing nmap from determining whether the port is open.
OK, I thought "filtered" means there's a service running on that port for sure but is protected by the firewall...
Seems like I've got nothing to worry about then.
One question remains though: I was scanning from within the LAN and the firewall only filters the ppp0 interface. Is it still possible that nmap couldn't determine the actual state of those ports?

Chaosite Guru
Joined: 13 Dec 2003 Posts: 540 Location: Right over here.
Posted: Sat Feb 12, 2005 4:51 pm
Sounds like nmap being paranoid. You're fine, don't worry.
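
A way to compare the two scans from the thread mechanically, as an added example that is not part of the original posts: it fills in unlisted ports with the default state from nmap's header line, flags only ports that became or stopped being `open`, and reports `filtered`/`closed` changes as undetermined. The sample scans are constructed by abbreviating the thread's output, and `parse_scan` and `diff_scans` are hypothetical helper names.

```python
import re

# Constructed sample input, abbreviated from the two scans in the thread.
SCAN_1 = """\
(The 1594 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
7/tcp filtered echo
22/tcp open ssh
81/tcp open hosts2-ns
514/tcp filtered shell
6000/tcp filtered X11
"""
SCAN_2 = """\
(The 1661 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
22/tcp open ssh
81/tcp open hosts2-ns
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.M)
DEFAULT_RE = re.compile(r"not shown below are in state: (\w+)")

def parse_scan(text):
    """Return (default_state, {(port, proto): state}) from nmap normal output."""
    m = DEFAULT_RE.search(text)
    default = m.group(1) if m else "unknown"
    ports = {(int(p), proto): state for p, proto, state, _ in PORT_RE.findall(text)}
    return default, ports

def diff_scans(old_text, new_text):
    """Classify every port whose state differs between two scans."""
    old_default, old = parse_scan(old_text)
    new_default, new = parse_scan(new_text)
    report = {"newly_open": [], "no_longer_open": [], "undetermined": []}
    for key in sorted(set(old) | set(new)):
        before = old.get(key, old_default)   # unlisted ports take the header's state
        after = new.get(key, new_default)
        if before == after:
            continue
        if after == "open":
            report["newly_open"].append(key)       # a listener appeared: investigate
        elif before == "open":
            report["no_longer_open"].append(key)   # a service stopped or got blocked
        else:
            report["undetermined"].append((key, before, after))  # filtered/closed flap
    return report

if __name__ == "__main__":
    print(diff_scans(SCAN_1, SCAN_2))
```

For the thread's two scans every changed port lands in `undetermined`, and ports 22 and 81 are `open` in both, so no listener appeared or disappeared between the runs.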