On 05/11/2010 10:28 PM, Grant wrote:
I nmap'ed one of my remote Gentoo servers today and besides the
expected open ports were these:
1080/tcp open socks
3128/tcp open squid-http
8080/tcp open http-proxy
I'm not running any sort of proxy software that I know of and I should
be the only person whatsoever with access to the machine. 'netstat
-l' doesn't show any info on those ports at all so I suppose it's been
hacked as well? I installed and ran 'rkhunter --check' (what happened
to the chrootkit ebuild?) but it doesn't seem to be much use since I
hadn't established a "file of stored file properties".
What do you guys think is going on? What should I do from here?
What does lsof (I'd reinstall it afresh) show with regards to strange
users?
What users the above services run under. If indeed they are not
legitimate
and you confirm that they are not being run as packages that you
installed,
then I'm afraid the only sane option is to reinstall.
Wow. I'm actually seeing the same thing from other domains I nmap.
Could my ISP have some kind of a weird environment set up that makes
it look like there are ports such as these open on remote systems?
Right now I'm on some kind of a shared connection where everyone has
their own modem or router or whatever it is, but I think everyone's IP
is the same.
- Grant
Hello,
looks like, your ISP has a Transparent Proxy Setup running.
Should I be worried about that?
"Your ISP" in this case means the ISP of your home, not the server's.
That means you will see these ports apparently open for every
IP/hostname you try.
