On Mon, 2009-06-08 at 16:23 +0800, Rod James Bio wrote:
> Hi, I've been wondering about my friend's case. Seems that when he
> nmapped his machine port 21 is open, but there is no ftp daemon
> installed. He tried
> "lsof -i :21"
> but it did not return anything. He also tried
> "netstat -an | grep 21"
> also nothing.
> So he asked other people and they told him that his machine was hacked.
> The lsof and netstat were modified. The port 21 was a backdoor placed by
> the hacker. Now I am not really contented with these answers. Any
> suggestions?

I wouldn't discount that possibility, but 2 thoughts come to mind:

netstat -lnpt (as root) will give far less redundant info - just what is
listening on tcp ports, including process names - so it's easier to
search through.

Was the nmap run directly on the same network as the machine in
question? Not through a router, cable modem, or other device that could
have been getting in the way?

Oh, and some others ..

Perhaps running tcpdump on the machine while connecting to it (with nmap
or whatever) will show whether the traffic is actually getting to the
machine?

Oh - and you could try copying on a netstat and/or lsof binary, from
another machine (of the same architecture).

Richard
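
Added example, not part of the original thread: a cross-check in the spirit of the "copy over a known-good binary" suggestion above, which reads the kernel's TCP table with shell builtins only so that a replaced netstat or lsof cannot filter the result. The function name listeners_on and the sample table are assumptions made for this illustration.

```sh
#!/bin/sh
# Added example: list LISTEN sockets for one port from a /proc/net/tcp
# style table, using only shell builtins (no netstat, lsof, awk or grep).

# Constructed sample in /proc/net/tcp layout (not taken from a real host).
SAMPLE='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0015 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 4242 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5151 1 0000000000000000 100 0 0 10 0
   2: 0A00000F:0016 0A000002:C350 01 00000000:00000000 02:000A0B0C 00000000     0        0 6161 3 0000000000000000 20 4 30 10 -1
   3: 0A00000F:0015 0A000002:C351 01 00000000:00000000 00:00000000 00000000     0        0 7171 1 0000000000000000 20 4 30 10 -1'

# listeners_on PORT   (table on stdin)
# Prints one line per socket that is in LISTEN state on PORT.
listeners_on() {
    want=$1
    while read -r sl local rem st txrx trwhen retr uid timeout inode rest; do
        # st is the TCP state in hex; 0A is LISTEN. This also skips the header.
        [ "$st" = "0A" ] || continue
        # The port is the hex text after the last ':' (works for tcp6 too).
        port=$((0x${local##*:}))
        if [ "$port" -eq "$want" ]; then
            echo "port=$port local=$local uid=$uid inode=$inode"
        fi
    done
    return 0
}

# Demo on the constructed sample. On a live host, as root:
#   listeners_on 21 < /proc/net/tcp
#   listeners_on 21 < /proc/net/tcp6
printf '%s\n' "$SAMPLE" | listeners_on 21
```

The inode can be matched against the socket:[inode] links under /proc/<pid>/fd to find the owning process. A kernel-level rootkit can falsify /proc as well, so an empty result here does not replace the tcpdump check or a scan from another host on the same network.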