I've run chkrootkit from a live CD, and rkhunter, clamav, f-prot, and bitdefender; nothing's unusual.
All the definitions were up to date.
I'm wondering if it's possible that my router got hacked. I'm not sure this is even possible, but it's acting weird. Tried reflashing its firmware, didn't fix it.
That server has some nice ports open:
PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
25/tcp open smtp
80/tcp open http
110/tcp open pop3
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
593/tcp filtered http-rpc-epmap
1720/tcp filtered H.323/Q.931
The interesting port open from that site you gave is the TCP 593 port... that's for CIS, which is for tunnelling... get your IP addy and use nmap and see what you've got open on your side... might give you clues on what to look for.
How "randomly"? Describe it more clearly, please, and say which browsers you use. What URLs are you trying to visit? Is there a URL which causes that all the time?
To be sure about the router, scan its ports from outside, if possible.
You can also try using a different DNS server, say, Google's ones.
To MrChilly0: you see 135, 139, 445 etc. as filtered. Probably they are blocked by your ISP (it's a common case); most ISPs block outgoing packets to those ports.
--upd: www.xn--51haaaaaaa.com not resolving here.
Last edited by Web31337; 01-26-2010 at 12:34 AM.
Reason: I can't find that server.
You know it can be back again, what would you do in that case?
From here it looks like the DNS cache has been poisoned, but it's a guess. So you may wish to try using different DNS servers in case that happens again. Say, Google's ones, or local. I suppose you use your ISP's DNS. I personally use the one I run on the router, and since I moved to it I also have no troubles with regular work; our ISP's DNS is quite buggy, and perhaps our ISP is not the only one having this problem.
BTW, Iceweasel==Firefox if you didn't know