Old 10-08-2003, 12:10 PM   #16
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

OT moderator note to Chort


//moderator.note: Chort, unfortunately it is a fact I have to caution you once more to not let emotions cloud your conduct. Please be respectful towards your fellow LQ members.
Like I said in the "Crack my system" thread, I welcome anyone who wants to help out educating people in a positive and responsible way. Please show us that being a professional also means giving advice in a calm, responsible, mature and respectful manner.


*I ask you to refrain from referring to or commenting on my moderation actions inside this thread or any other thread. If you want to debate or question my moderation capabilities, style or actions, you're invited to take it up with me by email.
 
Old 10-08-2003, 01:22 PM   #17
lucastic
Member
 
Registered: Aug 2003
Location: Oz
Distribution: Gentoo - Debian
Posts: 202

Original Poster
Thank you everyone for your replies...

I will try and clarify the problem, because the more I think about it the stranger it seems.

When scanning my server from my work ISP (a different ISP to my server's), I get the above-mentioned ports showing as open, as well as my legitimate ports that are open. All I run now, some weeks after the first posting in this thread, is httpd, postfix, pop3 and mysql. After careful examination of all my logs, including firestorm logs, I cannot seem to see any evidence my server was actually compromised, then again I am no expert.

Whilst at work I scanned my server's IP address AAA.BBB.CCC.DDD with nmap. The following ports showed up as open:

80
110
25
(??) whatever mysql port is
135 filtered loc-svr ?????
4444 KRB ????
12345 Netbus ?????????
12346 Netbus ?????????
31337 Elite ?????????

I then tried scanning other computers in the (sub-network???) i.e. AAA.BBB.CCC.***, still from my work ISP connection. I first did a ping sweep (e.g. nmap -sP AAA.BBB.CCC.*), then I nmapped any active comp I found within the specified range. I found maybe 20 comps active, e.g. AAA.BBB.CCC.6, AAA.BBB.CCC.12 etc....

Upon nmapping all of these active ip addresses, all of them were displaying the same open ports, as well as expected legitimate ports, such as port 80...

I tried to contact my ISP, but the typical "customer service" people told me there was probably something wrong with the comp I was scanning from (Slackware 9... never had any probs. so far), or my server must have a problem, despite the fact that other comps in their network, in other words other customers, had these same ports showing up as open. Eventually they told me to email through the details so they could give them to a tech, and I never got a reply... Very strange, I thought.

I scanned random computers from my work ISP connection, and none of the strange ports showed up on any other scan. Only the expected ports showed up, like for example port 80 and 25.

I have tried netstat -taup, lsof -i, hours watching (and learning from) ethereal, but I cannot seem to see any evidence whatsoever that these strange ports are open on my comp.

When I rang them they said they do not block or mask any ports at all.

I therefore conclude, with all my newbie knowledge, that it has to be a problem with my server's ISP and not my server itself.

Any ideas all you experts out there??

Thanks in advance

Lucas
 
Old 10-08-2003, 01:23 PM   #18
Nimoy
Member
 
Registered: Jun 2003
Location: Currently Denmark
Distribution: Ubuntu 15.04
Posts: 336

Visit http://www.linuxexposed.com/modules....&mode=&order=0

for some nice tips and links to hardening your boxes )
 
Old 10-08-2003, 07:11 PM   #19
Read_Icculus
Member
 
Registered: Oct 2002
Distribution: MDK 9.2, Debian
Posts: 74

Try scanning the potentially compromised box from another OS besides the Slackware 9 system that you have. Or reinstall your Slack and try it from there. Also scan the box via pcflank.com. Their advanced port scanner is a great tool for checking your open ports. md5sum all of the important system files and binaries (netstat, ps, lsof, etc.) on the suspicious box and compare those checksums against the md5s of the same distro installed on another machine. And for god's sake take that server off the net! Even waiting to do a web-based port scan via pcflank is more uptime than I would let a compromised box have, although since you first posted this thread over a month ago... I guess a few more days won't matter too much. You could be serving up all kinds of things at the moment that you do not want to be serving. A port scan that reveals that 12345 and 31337 are open is a sure sign that something is wrong, and the odds that your scanner is giving you false info are slim. Do some forensics and then reinstall your OS and secure the damn thing next time.
 
Old 10-08-2003, 07:58 PM   #20
jayjwa
Member
 
Registered: Jul 2003
Location: NY
Distribution: Slackware, Termux
Posts: 774

First, let me further clarify: I made several points about this post/issue, which were:

1. "Help! I'm being hacked!" is a pretty common saying around here, especially for new people that aren't familiar with logs, don't know what they are seeing when they see network traffic, or get a connection from "noplace", which is also a pretty common thing.
2. From my "firewall" posting: 'Practical, not fanatical.'
3. There is a chance this is not a "hack" attempt at all. Then again, maybe it is. Further study needs to take place.

To the person that originally posted this question: Sorry, I didn't mean for this to turn into a discussion on security theory. I'm sure you'd much rather just fix what's wrong. Something's not jiving, because port 12345 is an older version of netbus, which is Windows stuff, not Linux.
Be aware, there is a lot of Internet traffic that is random, just moving around like outer space is, connecting here and there. There are also some bullies out there, domains I've had trouble with, but I can't name them here in public for fear of the backlash if someone is a client of them, posting here, since several are ISPs known to not much care what their members do online in the way of hacking.
If you're getting hits on a port a lot, go to Google, and put in the search box: "port 1234" or "port 1234 Linux" and you usually will see what is going on with that port; if it's a virus or trojan or whatever. Like right now, 1434 is getting hit a lot on my server- it's most likely the MSSQL snake. Also, I like http://www.incidents.org to keep up on what's going around. Check it out. If you've been truly hacked, one of two things will happen:

1. They just look around, then split. No further trouble.
2. They are there to mess stuff up (less common, but happens), and soon enough you will know unmistakably.

In response to the post:

Quote:
( post #14)
What the hell are you doing jayjwa? Are you a security expert of any kind? So far you have not indicated any kind of professional experience or accreditation. If you do not have qualifications, SHUT UP! You're giving people bad security advice.
No, I am not a security professional of any kind. But then again, most of the people that come here to ask questions are not either. But I highly resent my advice being labelled as "bad security advice". What was it that was so incorrect?

Taking the machine off the network? - This is a straight CERT recommendation. Argue your point with them on that; I didn't make it up, they may have.

Gathering together and examining all logs?- Another common policy. How will you know what happened, if anything is happening, if you don't examine the logs?

I then recommended the exact same products that have saved me many times over. I stand behind what I use. Like I said earlier, I'm up 24x7, running a large number of services, fully visible to anyone that reads the posts I reference my server in. (I don't post my address here because of the sheer number of users this site gets. Many times after I post a link, such as an https link, I get hits 4-5 minutes later, from far more people than I thought were reading what I wrote.) Not "rooted" yet. No trojans here.

Quote:
Quit telling people to do stupid things with their system and flying in the face of the advice you would get from paid professionals and security experts. YOU are merely stating YOUR personal opinion (which you criticise firewall proponents of doing). The difference is I am an experienced and accredited security expert and I've done professional services for some of the largest companies in the world, including the credit cards you carry in your wallet, the network gear your ISP uses, the banks that you most likely have accounts or loans with, etc.
Then I should think you would be much more knowledgeable on this stuff then! So you had more money than I did to finish college. A better administrator that does not make! I know what I do through hands-on experience, from my time with Windows/DOS (much longer, 10 years now?) and now with Linux. Of course, anyone is free to believe and do as they choose. However, I must be doing something right, as, while many have tried, I have never been compromised- Linux, Windows, MS-DOS, or the Sun Sparc 2 (Unix) workstations I used in school.

Quote:
Any professional will say the same thing. It is obvious you're an amateur and doing nothing more than giving false hope with your own opinion, which is not grounded in reality.
<...yawn>

Quote:
I did not say RPC was responsible, I just said it's a stupid service to run exposed to the Internet. There have been just as many exploits for Sun RPC services as for MS RPC. In fact, it's likely that the original popularity of firewalls was due to security failures with Sun services, not Microsoft's. Many distributions of Linux (in particular, Red Hat) ship by default with nearly all the UNIX services turned on. Those services are still possible to exploit and most of them were never designed to withstand attack, so any resistance they have to attack now is by patch, not by design. It's absolutely foolhardy to expose those services to the Internet, especially when you don't need them. What RPC-dependent service are you going to run across the Internet, NFS? That would be insane.
The vast majority of Linux distros I've seen ALL come with NFS (which I'm sure you know, being a pro, is dependent on the RPC portmapper that you tell everyone who will listen to turn off.) Many networks still use NFS, and still rely on it. Indeed, it must've been important enough to be included with so many distros. Are you saying your 'professionalism' shadows by comparison the judgement of the people that chose to include it in their distributions?

Quote:
Please do not undermine the advice of qualified people with personal opinions and pass it off as fact. If you must disagree, state plainly that it's your OPINION and that you are not really qualified or considered an expert.
Ahhh, experts. "Qualified".... A little story: Years ago, I called the Microsoft "Qualified Experts" with a problem that I thought, at the time, was far beyond me. They responded with text-book "qualified" answers and "expert" re-quotation of the on-line documentation. I had installed, on their recommendation, a scanner driver that dead-locked everything except the ROM BIOS. They never did help, and I ended up fixing it myself. So much for the "qualified experts". It has been my finding that many times, the ones that claim to be the experts & professionals are not near as knowledgeable as the guy that has only his knowledge of his system, derived through hands-on experience, to fall back on.

Quote:
I won't pretend to think I can offer anyone specific advice about how to secure their system (not yet, anyway) but I think chort has it right. If you hire (or pay a salary to) someone to provide security for your system, that person better be 100% focused on being totally aggressive against potential threats.
Totally aggressive? Sure, I guess....but I wouldn't want them standing in the driveway, machine-gun drawn & screaming, ready to mow-down my daughter's friends from school because they weren't on some list ahead of time.

Quote:
You seem to advocate a laid-back, go-read-your-horoscope, mellow-out approach to security, which I think would expose the system you are watching to unnecessary risks.
lol! That's great... I never thought of it like that. Is that what it sounds like? Well, it's like this: The first time you saw "Gremlins", it scared the hell out of you, didn't it? But now it's just ho-hum....and funny puppets in green suits!

Last edited by jayjwa; 10-08-2003 at 08:05 PM.
 
Old 10-08-2003, 08:28 PM   #21
jayjwa
Member
 
Registered: Jul 2003
Location: NY
Distribution: Slackware, Termux
Posts: 774

Forgot one thing.... You got Iptraf, right? Why don't you set that up some night, or whenever, let it run, and just log to /var/log/iptraf.log.
Then, when the monkey-biz starts again, at least you will have something to show people. I do that sometimes when I think something may be up; that way you can track down problems, but don't have to be sitting right in front of the machine all the time.

-J
 
Old 10-08-2003, 09:04 PM   #22
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Lucastic,

Try scanning your machine from somewhere else. You can even use one of those free security scanners (just google for "free port scanner"). That should give us an idea as to whether the problem is with the scanner or if those ports are truly open (or at least appear open).

It's highly doubtful that all the computers on your subnet (AAA.BBB.CCC.***) all have the same combination of ports open, so that looks like a clue to me.

If you've taken the machine offline, you can even try connecting another box to it via a crossover cable and try nmapping it from there (that should take any ISP quirks out of the equation).
 
Old 10-11-2003, 08:32 PM   #23
darkseed2g3
Member
 
Registered: Sep 2003
Location: Philadelphia ,Pa
Distribution: Fedora Core 1 BABY !!! YEA
Posts: 67

Hey! Wow, you guys get pretty mad, but who knows, did you by any chance install PortSentry? Because when I do a scan on my system it says the same thing and I'm running Redhat 9.0.93, which is the beta release. But that's the point of the program, to give bogus info and add a deny tab on that IP. But maybe it's just misconfigured. Who knows, grab a copy of Hacking Linux Exposed and dig in. That's the best part 'bout Linux, 'cause the only thing you can do in a situation like this is learn something new.
 
Old 10-12-2003, 05:18 AM   #24
lucastic
Member
 
Registered: Aug 2003
Location: Oz
Distribution: Gentoo - Debian
Posts: 202

Original Poster
Thanks Darkseed, that's the first really good clue I have got...

I did a free online scan from the following website: scan.sygate.com. When I did a trojan scan, ports 25, 80, and 110 came up as open, with possible trojans on those ports listed alongside, but no other ports showed up as open. However, when I did a UDP scan, ports 12345 and 31337 showed up as open, as well as 25, 80 and 110?

I then went for a second opinion at www.auditmypc.com, and got no results when doing the normal port scan, but when I did a UDP port scan I got the following (you can only scan one UDP port at a time on www.auditmypc.com):

"We scanned UDP port 12345 and found the port to be Unavailable or Filtered"

"We scanned UDP port 31337 and found the port to be Unavailable or Filtered"

I scanned a random port to make sure the UDP scan was spitting out the same answer for every port and got the following:

"We scanned UDP port 31505 and found the port to be not Listening"

So, it seems something is definitely happening on UDP ports 12345 and 31337...

When I did a UDP scan with nmap, something like "nmap -sU -P0 -vv www.mydomain.com",

I got port 666 open and reported as running the service doom???? When I type "netstat -aup" it says the program ID is 10666 and the program is xinetd? When doing daily netstats I notice that the one open UDP port changes every week or couple of days, now that I think about it. It is usually UDP port 768 that seems to be there. Should any UDP ports be open at all? What are they used for?

What should I do next??
 
Old 10-12-2003, 07:35 AM   #25
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote:
"We scanned UDP port 12345 and found the port to be Unavailable or Filtered"
Stop network scanning. By now you should see its results are not void of interpretation and won't tell you what is really happening. "Unavailable or Filtered" just means nmap can't make nuttin out of it due to a|any network device between you and the target having traffic filtered by a firewall. With interpretation I mean nmap doesn't go beyond looking up port numbers in its own table (similar to /etc/services but larger). It's no problem running a regular service on say port TCP/12345 and having it recognized as something else if you don't check the actual response.


Quote:
What should I do next??
Audit your router locally. A lot of advice about this has already been given, please reread this thread. If you want it as an easily digestible ten step list, or want to clear up listed items before commencing, just say so.
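One way to act on the "audit locally" advice above, and on the earlier question of which UDP ports are really open, as an added example that is not code from any poster: read the kernel's own socket tables and compare them with the port lists the remote scans reported. The /proc/net excerpts and the scan port lists below are constructed samples using the port numbers from this thread, and the service name comes from socket.getservbyport, the same kind of table lookup nmap does.

```python
"""Added example for this thread, not code from any poster: check which of
the ports a remote scan reported are really bound on the Linux host itself,
by reading /proc/net/tcp and /proc/net/udp (constructed samples below)."""
import socket

# Only local_address (field 1) and st (field 3) are needed; the samples are
# truncated after that.  TCP state 0A is LISTEN; a bound UDP socket shows 07.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue ...
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 ...
   1: 00000000:0019 00000000:0000 0A 00000000:00000000 ...
   2: 00000000:006E 00000000:0000 0A 00000000:00000000 ...
   3: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 ...
   4: 0100007F:0CEA 0100007F:B3E1 01 00000000:00000000 ...
"""
SAMPLE_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue ...
   0: 00000000:029A 00000000:0000 07 00000000:00000000 ...
   1: 00000000:0300 00000000:0000 07 00000000:00000000 ...
"""

def hex_addr(field):
    """'0100007F:0CEA' -> ('127.0.0.1', 3306); the kernel prints the IPv4
    address as a little-endian hex word, so the octets are read backwards."""
    ip_hex, port_hex = field.split(":")
    octets = [int(ip_hex[i:i + 2], 16) for i in (6, 4, 2, 0)]
    return ".".join(map(str, octets)), int(port_hex, 16)

def bound_ports(text, bound_state):
    """Set of (ip, port) for sockets whose state column equals bound_state."""
    result = set()
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) > 3 and fields[3] == bound_state:
            result.add(hex_addr(fields[1]))
    return result

def service_name(port, proto):
    """The same kind of table lookup nmap does: a label, not proof of a service."""
    try:
        return socket.getservbyport(port, proto)
    except OSError:
        return "unknown"

def audit(scan_ports, local):
    """Split the scanner's list into ports this host binds and ports it does
    not; the second group has to be explained by something upstream."""
    local_ports = {port for _, port in local}
    return {"bound": scan_ports & local_ports, "not_bound": scan_ports - local_ports}

if __name__ == "__main__":
    # Port lists as reported by the remote scans quoted in this thread.
    scans = (("tcp", SAMPLE_TCP, {25, 80, 110, 135, 4444, 12345, 12346, 31337}),
             ("udp", SAMPLE_UDP, {666, 12345, 31337}))
    for proto, text, seen in scans:
        verdict = audit(seen, bound_ports(text, "0A" if proto == "tcp" else "07"))
        for label, ports in verdict.items():
            print(proto, label, sorted((p, service_name(p, proto)) for p in ports))
```

Against a live host, pass the contents of /proc/net/tcp or /proc/net/udp to bound_ports instead of the samples; a port the scanner lists but the kernel does not bind is not this machine's doing.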
 
Old 10-12-2003, 10:34 PM   #26
lucastic
Member
 
Registered: Aug 2003
Location: Oz
Distribution: Gentoo - Debian
Posts: 202

Original Poster
Sheesh!! Don't worry, I will look elsewhere!!

Just wanted some clues!
 
All times are GMT -5. The time now is 11:45 PM.