On Tue, May 11, 2010 at 1:54 AM, Grant <emailgr...@gmail.com> wrote: >>> I nmap'ed one of my remote Gentoo servers today and besides the >>> expected open ports were these: >>> >>> 1080/tcp open socks >>> 3128/tcp open squid-http >>> 8080/tcp open http-proxy >>> >>> I'm not running any sort of proxy software that I know of and I should >>> be the only person whatsoever with access to the machine. 'netstat >>> -l' doesn't show any info on those ports at all so I suppose it's been >>> hacked as well? I installed and ran 'rkhunter --check' (what happened >>> to the chrootkit ebuild?) but it doesn't seem to be much use since I >>> hadn't established a "file of stored file properties". >>> >>> What do you guys think is going on? What should I do from here? >> >> What does lsof (I'd reinstall it afresh) show with regards to strange users? >> What users the above services run under. If indeed they are not legitimate >> and you confirm that they are not being run as packages that you installed, >> then I'm afraid the only sane option is to reinstall. > > Wow. I'm actually seeing the same thing from other domains I nmap. > Could my ISP have some kind of a weird environment set up that makes > it look like there are ports such as these open on remote systems? > Right now I'm on some kind of a shared connection where everyone has > their own modem or router or whatever it is, but I think everyone's IP > is the same.
Like Norman suggested, sounds like maybe your ISP or local IT staff are playing man-in-the-middle. Try running the Netalyzer (warning: java) maybe it can tell you about it. http://netalyzr.icsi.berkeley.edu/ Otherwise, I would try to nmap your server from a different internet connection when possible. Hopefully you won't see those ports open on your server. Hopefully. :) I think nmap is typically not recommended to be run from behind router/NAT because the results are not necessarily true.
