HELP I think I got hacked
I have RH9 server. When I nmap remote I get:
(The 1635 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
25/tcp     open        smtp
53/tcp     open        domain
80/tcp     open        http
143/tcp    open        imap2
537/tcp    filtered    nmsp
613/tcp    filtered    unknown
3306/tcp   open        mysql
5978/tcp   filtered    ncd-diag-tcp

But when I nmap local on my server I get:

(The 1594 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
25/tcp     open        smtp
53/tcp     open        domain
80/tcp     open        http
143/tcp    open        imap2
953/tcp    open        rndc
3306/tcp   open        mysql

How can I figure out what happened? What are those filtered ports? |
Scanning yourself locally is not as effective as scanning remotely. If you want to see what programs are running on the specific ports you can type "netstat -nlp". That should help get you started.
|
Don't worry about it. Filtered just means that your firewall is blocking those ports. If you scan yourself locally, you're scanning through loopback and the firewall never plays a part. When you scan remotely is when you'll get the real results.
While we're on this, are all those open ports necessary? Do you have to run your own DNS server and imap2 server? If not, you should look into closing those off. Also, think about firewalling off mysql; it won't hurt the server if you're using localhost as the servername on whatever scripts are using it. Just a few thoughts. |
Yes, all the services are needed... I'm talking about the filtered services. I know nothing about them...
Thank you for taking interest. |
Okay, well, filtered services are not necessarily running on your computer. It's just how it is returned from the firewall. The firewall intercepts the packets before they get to the application. For example, you may not have anything running on port 613, but since the firewall ruleset has it filtered you're going to get that result.
If you're really worried about it, do netstat -apn and look for any program listening on those filtered ports. Hope that helps. |
Just a quick note.
If you think you were hacked, it is probably not a good idea to rely on the netstat command to tell you what ports are open/closed. Stick to port scans, because it is possible to change the progs like netstat so they don't show the processes/open ports the hacker is actually using. |
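One way to act on the advice in the replies above, as an added example that is not part of any post in the thread: cross-check the remote nmap table against the host's own `netstat -nlp` listing, so a port that is open from outside but missing locally stands out. The scan rows are the ones posted in the thread; the netstat listing and all function names are constructed for illustration.

```python
import re
# Remote scan rows as posted in the thread.
REMOTE = """\
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
143/tcp open imap2
537/tcp filtered nmsp
613/tcp filtered unknown
3306/tcp open mysql
5978/tcp filtered ncd-diag-tcp
"""
# Constructed `netstat -nlp` listing for the same host (not from the thread).
NETSTAT = """\
tcp  0  0 0.0.0.0:22     0.0.0.0:*  LISTEN  812/sshd
tcp  0  0 0.0.0.0:25     0.0.0.0:*  LISTEN  901/sendmail
tcp  0  0 0.0.0.0:53     0.0.0.0:*  LISTEN  770/named
tcp  0  0 0.0.0.0:80     0.0.0.0:*  LISTEN  955/httpd
tcp  0  0 0.0.0.0:143    0.0.0.0:*  LISTEN  830/xinetd
tcp  0  0 127.0.0.1:953  0.0.0.0:*  LISTEN  770/named
tcp  0  0 0.0.0.0:3306   0.0.0.0:*  LISTEN  1012/mysqld
"""
NMAP_ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+\S+", re.M)
NETSTAT_ROW = re.compile(r"^(tcp|udp)6?\s+\d+\s+\d+\s+\S*:(\d+)\s", re.M)

def parse_nmap(text):
    """Map (port, proto) -> state for every row of an nmap port table."""
    return {(int(p), proto): state for p, proto, state in NMAP_ROW.findall(text)}

def parse_netstat(text):
    """Set of (port, proto) that netstat reports as bound."""
    return {(int(port), proto) for proto, port in NETSTAT_ROW.findall(text)}

def cross_check(scan_text, netstat_text):
    """Compare an external scan with what the host's own netstat admits to."""
    scan, bound = parse_nmap(scan_text), parse_netstat(netstat_text)
    opened = {k for k, state in scan.items() if state == "open"}
    return {
        # Open from outside but missing locally: netstat may have been replaced.
        "unexplained": sorted(opened - bound),
        # Dropped by the firewall; says nothing about a listener behind it.
        "filtered": sorted(k for k, state in scan.items() if state == "filtered"),
        # Bound locally but not open from outside (loopback-only or firewalled).
        "local_only": sorted(bound - opened),
    }

if __name__ == "__main__":
    print(cross_check(REMOTE, NETSTAT))
```

Take the scan from a second machine and the netstat output from the suspect host; ports outside the scanned range are not covered by the comparison.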