I have RH9 server. When I nmap remote I get:
(The 1635 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
143/tcp open imap2
537/tcp filtered nmsp
613/tcp filtered unknown
3306/tcp open mysql
5978/tcp filtered ncd-diag-tcp

but when i nmap local on my server i get :
(The 1594 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
143/tcp open imap2
953/tcp open rndc
3306/tcp open mysql

how can I figure out what happened ? what are those filtered ports ?

Scanning yourself locally is not as effective as scanning remotely. If you want to see what programs are running on the specific ports you can type "netstat -nlp". That should help get you started.

Don't worry about it. Filtered just means that you're firewall is blocking those ports. If you scan yourself locally, you're scanning through loopback and the firewall never plays a part. When you scan remotly is when you'll get the real results.

While we're on this are all those open ports necessary? Do you have to run your own DNS server and imap2 server? If not you should look into closing those off. Also, think about firewalling off mysql, it won't hurt the server if you're using localhost as the servername on whatever scripts are using it.

Just a few thoughts

yes all the services are needed... i'm talking about the filtreded services. I know nothing about them...
thank you for taking interest

Okay, well, Filtered services are not necessarly running on your computer. It just how it is returned from the firewall. The firewall intercepts the packets before they get to the application. For example you may not have anything running of port 613, but since the firewall ruleset has it filtered you're going to get that result.
If you're really worried about it do netstat -apn and look for any program listening on those filtered ports.

Hope that helps.

Just a quick note.
If you think you were hacked it is probably not a good idea to rely on the netstat command to tell you what ports are open/closed. stick to port scans because it is possible to change the progs like netstat so they don't show the processes/open ports the hacker is actually using.