LinuxQuestions.org
Old 02-20-2004, 02:50 PM   #1
spank
Member
 
Registered: Aug 2003
Location: Romania
Distribution: Ubuntu 6.06
Posts: 278

Rep: Reputation: 30
HELP I think I got hacked


I have an RH9 server. When I nmap remotely I get:
(The 1635 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
143/tcp open imap2
537/tcp filtered nmsp
613/tcp filtered unknown
3306/tcp open mysql
5978/tcp filtered ncd-diag-tcp

But when I nmap locally on my server I get:
(The 1594 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
143/tcp open imap2
953/tcp open rndc
3306/tcp open mysql

How can I figure out what happened? What are those filtered ports?
 
Old 02-20-2004, 03:25 PM   #2
benjithegreat98
Senior Member
 
Registered: Dec 2003
Location: Shelbyville, TN, USA
Distribution: Fedora Core, CentOS
Posts: 1,019

Rep: Reputation: 45
Scanning yourself locally is not as effective as scanning remotely. If you want to see what programs are running on the specific ports you can type "netstat -nlp". That should help get you started.
 
Old 02-20-2004, 03:46 PM   #3
Khabi
Member
 
Registered: Aug 2003
Location: Arizona
Distribution: Gentoo
Posts: 142

Rep: Reputation: 15
Don't worry about it. Filtered just means that your firewall is blocking those ports. If you scan yourself locally, you're scanning through loopback and the firewall never plays a part. When you scan remotely is when you'll get the real results.

While we're on this, are all those open ports necessary? Do you have to run your own DNS server and imap2 server? If not, you should look into closing those off. Also, think about firewalling off mysql; it won't hurt the server if you're using localhost as the servername on whatever scripts are using it.

Just a few thoughts
 
Old 02-22-2004, 10:39 AM   #4
spank
Member
 
Registered: Aug 2003
Location: Romania
Distribution: Ubuntu 6.06
Posts: 278

Original Poster
Rep: Reputation: 30
Yes, all the services are needed... I'm talking about the filtered services. I know nothing about them...
Thank you for taking an interest.
 
Old 02-23-2004, 02:57 PM   #5
Khabi
Member
 
Registered: Aug 2003
Location: Arizona
Distribution: Gentoo
Posts: 142

Rep: Reputation: 15
Okay, well, filtered services are not necessarily running on your computer. It's just how it is returned from the firewall. The firewall intercepts the packets before they get to the application. For example, you may not have anything running on port 613, but since the firewall ruleset has it filtered you're going to get that result.
If you're really worried about it, do netstat -apn and look for any program listening on those filtered ports.

Hope that helps.
 
Old 03-24-2004, 09:59 AM   #6
skunkburner
Member
 
Registered: Mar 2004
Distribution: Fedora Core 17 & 18, Debian Wheezy
Posts: 137

Rep: Reputation: 16
Just a quick note.
If you think you were hacked, it is probably not a good idea to rely on the netstat command to tell you what ports are open/closed. Stick to port scans, because it is possible to change the progs like netstat so they don't show the processes/open ports the hacker is actually using.
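
The comparison the replies walk through, applied to the two port tables from post #1, as an added example that is not part of any post in this thread. The function names, the meaning table and the rule that a port missing from a table counts as closed are assumptions of this example.

```python
import re

# Scan tables copied from the first post of this thread.
REMOTE = """22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
143/tcp open imap2
537/tcp filtered nmsp
613/tcp filtered unknown
3306/tcp open mysql
5978/tcp filtered ncd-diag-tcp"""
LOCAL = """22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
143/tcp open imap2
953/tcp open rndc
3306/tcp open mysql"""

ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(open|closed|filtered)\s+(\S+)", re.M)

# (remote state, local state) -> what the mismatch usually means.
MEANING = {
    ("filtered", "closed"): "firewall drops remote probes; no listener seen locally",
    ("filtered", "open"): "service is listening but firewalled from outside",
    ("closed", "open"): "listener reachable only locally, e.g. bound to loopback",
    ("open", "closed"): "REVIEW: answers remotely but not seen locally",
    ("open", "filtered"): "REVIEW: answers remotely but not seen locally",
}

def parse(table):
    """Map (port, proto) -> state for each row of an nmap port table."""
    return {(int(port), proto): state for port, proto, state, _ in ROW.findall(table)}

def compare(remote, local):
    """Return {(port, proto): (remote_state, local_state, meaning)} for mismatches.
    Assumption: a port missing from a table was scanned and found closed."""
    out = {}
    for key in sorted(set(remote) | set(local)):
        pair = (remote.get(key, "closed"), local.get(key, "closed"))
        if pair[0] != pair[1]:
            out[key] = pair + (MEANING.get(pair, "states differ"),)
    return out

if __name__ == "__main__":
    for (port, proto), (r, l, why) in compare(parse(REMOTE), parse(LOCAL)).items():
        print(f"{port}/{proto}: remote={r} local={l} -> {why}")
```

On the thread's data only 537, 613, 953 and 5978 differ, and none of them falls into a REVIEW row.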
 
  


All times are GMT -5.