have I been hacked? - need help

  #1  
Old 01-10-2002, 12:27 PM
md2001 md2001 is offline
Newbie
 
Join Date: Jun 2001
Posts: 27

I received a warning from a visitor of my sites that there's an open security hole on the server along with this:

-----SNIP-----

# nmap -sS ---server's IP---

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on (---server's IP---):
(The 1491 ports scanned but not shown below are in state: closed)
Port State Service
1/tcp open tcpmux
11/tcp open systat
15/tcp open netstat
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
79/tcp open finger
80/tcp open http
98/tcp open linuxconf
110/tcp open pop-3
111/tcp open sunrpc
119/tcp open nntp
143/tcp open imap2
443/tcp open https
540/tcp open uucp
635/tcp open unknown
1080/tcp open socks
1524/tcp open ingreslock
2000/tcp open callbook
3306/tcp open mysql
6666/tcp open irc-serv
6667/tcp open irc
12345/tcp open NetBus
12346/tcp open NetBus
27665/tcp open Trinoo_Master
31337/tcp open Elite
32771/tcp open sometimes-rpc5
32772/tcp open sometimes-rpc7
32773/tcp open sometimes-rpc9
32774/tcp open sometimes-rpc11

-----SNIP-----


Do you find anything suspicious on this list?

thanks

  #2  
Old 01-10-2002, 12:33 PM
cperciva cperciva is offline
Retired Moderator
 
Join Date: Jan 2001
Posts: 2,603
Re: have I been hacked? - need help

Quote:
Originally posted by md2001
Do you find anything suspicious on this list?
Yes.

__________________
Dr. Colin Percival, FreeBSD Security Officer
Online backups for the truly paranoid: http://www.tarsnap.com/

  #3  
Old 01-10-2002, 12:42 PM
DavidU DavidU is offline
Web Hosting Guru
 
Join Date: Jun 2001
Location: San Diego, CA
Posts: 283
Re: have I been hacked? - need help

Quote:
Originally posted by md2001

Do you find anything suspicious on this list?
If this is a real post and not a joke then the answer is "maybe." I've set up networks before where we redirect "OFF" ports on the firewall to a bogus machine to act as a network catchall and perform some pseudo-honeypot-like activities.

Check to see if your host is doing this. If you have a raw, unsecured link to the net then yes there is something seriously wrong with your setup and or machine.

You need to have someone who can diagnose and repair it take a look at the machine pretty damn quick.

-davidu

__________________
EveryDNS.NET :: FreeDNS and more.

  #4  
Old 01-10-2002, 02:38 PM
davidb davidb is offline
A#* Duke Of New York
 
Join Date: Jun 2001
Location: Chicago, IL
Posts: 1,953
Do you run portsentry? Portsentry opens all the ports it listens to. So if you are, you should generally be OK.

__________________
Chicago Electronic Cigarettes: Tobacco Free, Smoke Free. 3 E-Cig Models, 11 flavors, and accessories.
http://www.chicago-ecigs.com

  #5  
Old 01-11-2002, 04:57 AM
bobcares bobcares is offline
Root@Bobcares
 
Join Date: Nov 2001
Location: India, US, Germany
Posts: 1,568
Hi!
This is just the nmap results.
You could see for yourself.
type
nmap yourdomain.

The thing is that you have some unwanted ports open..... linuxconf, irc etc...
Close these...


Also, as already suggested use portsentry it is really cool...


have a great day

regards
amar

__________________
A student once asked his teacher, "Master, what is enlightenment?"
The master replied, "When hungry, eat. When tired, sleep. When you need care, come to bobcares...."


  #6  
Old 01-11-2002, 05:02 AM
hypernatic.net hypernatic.net is offline
Web Hosting Guru
 
Join Date: Jan 2002
Location: Glued to my seat...
Posts: 280
Dear md2001,

If you want, I am willing to help you out.

What I'll do is discuss with you what you DO need, and what you don't. And we'll be shutting everything down then.
Also, we will check if the versions you use for (e.g.) ftp have security holes...

Contact me at herps@hypernatic.net if you like...


Last edited by hypernatic.net; 01-11-2002 at 05:18 AM.
  #7  
Old 01-11-2002, 05:07 AM
bobcares bobcares is offline
Root@Bobcares
 
Join Date: Nov 2001
Location: India, US, Germany
Posts: 1,568
I thought I was helping out md2001
here....
I guess he needs your help more than me...
My biggest problem now is how to clean my car regularly... I wonder if you have any suggestions there...

Anyway, thanks for the offer... I wish you all the best in life...

Have a great day

regards
amar

Quote:
Originally posted by hypernatic.net
Dear Bobcares,

If you want, I am willing to help you out.

What I'll do is discuss with you what you DO need, and what you don't. And we'll be shutting everything down then.
Also, we will check if the versions you use for (e.g.) ftp have security holes...

Contact me at herps@hypernatic.net if you like...

__________________
A student once asked his teacher, "Master, what is enlightenment?"
The master replied, "When hungry, eat. When tired, sleep. When you need care, come to bobcares...."


  #8  
Old 01-11-2002, 05:10 AM
Tim Greer Tim Greer is offline
<insert something witty>
 
Join Date: Apr 2000
Location: California
Posts: 3,051
Quote:
Originally posted by bobcares
Hi!
This is just the nmap results.
You could see for yourself.
type
nmap yourdomain.

The thing is that you have some unwanted ports open..... linuxconf, irc etc...
Close these...


Also, as already suggested use portsentry it is really cool...


have a great day :)

regards
amar
Actually, to be clear, I _think_ what David was saying, is that Portsentry opens up all these ports to listen on them, so that program can log and block IPs trying to connect to them -- else (if it wasn't listening) it couldn't log or block potentially abusive IP addresses that people will try and hit your server from (This is explained for the sake of the person that asked the original question to save any confusion). In other words, it's not necessarily that these ports are open and vulnerable, but that Portsentry, or another similar program/tool might be running, listening for the reasons mentioned above, and that would explain why it's reporting a ridiculously large number of non web server related ports as being open -- when in fact, they really aren't and those services aren't actually running, and that if he's running Portsentry, that he's safe, and that, yes, it is a good program/tool to use, if he is. I.e., to explain why those results were returned. Well, otherwise, there's a problem.

  #9  
Old 01-11-2002, 05:18 AM
hypernatic.net hypernatic.net is offline
Web Hosting Guru
 
Join Date: Jan 2002
Location: Glued to my seat...
Posts: 280
Quote:
Originally posted by bobcares
I thought I was helping out md2001
here....

...

Sorry, my bad... should have been md2001 of course..

  #10  
Old 01-11-2002, 05:19 AM
md2001 md2001 is offline
Newbie
 
Join Date: Jun 2001
Posts: 27
Thank you very much for your answers and help.

Yes, portsentry is running on this machine. So I probably shouldn't worry. I just got worried because I received some warnings from other people.

I will however check out if everything is as it should be.


Thanks again.

  #11  
Old 01-11-2002, 05:27 AM
Tim Greer Tim Greer is offline
<insert something witty>
 
Join Date: Apr 2000
Location: California
Posts: 3,051
Quote:
Originally posted by md2001
Thank you very much for your answers and help.

Yes, portsentry is running on this machine. So I probably shouldn't worry. I just got worried because I received some warnings from other people.

I will however check out if everything is as it should be.


Thanks again.
Yes, then more likely than anything else, Portsentry is both your cause and solution. Again, Portsentry opens up the ports to listen on them in an unharmful manner, so those ports are showing open, as they should show, even though there's nothing behind them. You will likely see that user's IP in your route display and hosts.deny file (and/or possibly in your firewall rules or the like), assuming Portsentry is set up properly. Further, assuming it is, Portsentry has an "ignore" file and if someone ran nmap locally or from an "ignored" IP or IP block/class/range, then you won't see that IP in any of the previous I mentioned. I wouldn't worry at all about that report, given you're running Portsentry and that should most certainly be the result from nmap or other scanning tools.

  #12  
Old 01-11-2002, 05:30 AM
Tim Greer Tim Greer is offline
<insert something witty>
 
Join Date: Apr 2000
Location: California
Posts: 3,051
Quote:
Originally posted by Tim_Greer


Yes, then more likely than anything else, Portsentry is both your cause and solution. Again, Portsentry opens up the ports to listen on them in an unharmful manner, so those ports are showing open, as they should show, even though there's nothing behind them. You will likely see that user's IP in your route display and hosts.deny file (and/or possibly in your firewall rules or the like), assuming Portsentry is set up properly. Further, assuming it is, Portsentry has an "ignore" file and if someone ran nmap locally or from an "ignored" IP or IP block/class/range, then you won't see that IP in any of the previous I mentioned. I wouldn't worry at all about that report, given you're running Portsentry and that should most certainly be the result from nmap or other scanning tools.
To be clear for elaboration, it also depends on how Portsentry is configured. Some people have it set to only block an IP, log or report it, etc., if there's 3 or more attempts on the same one port.

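The Portsentry behaviour the replies above describe (decoy ports that show as open, an ignore file, a per-port trigger count, and a hosts.deny entry for the offender) modelled as a small simulation. This is an added example, not Portsentry's own code; the decoy port list is an assumption modelled on Portsentry's default TCP_PORTS, the ignore-file syntax is assumed to be one host or CIDR per line, and the connection attempts are constructed sample data.

```python
"""Simulation of the Portsentry logic described in the thread (added example,
not Portsentry's own code). Attempts against decoy ports are counted per
(source IP, port); an IP that reaches the trigger count on one decoy port
is written to a hosts.deny-style block list unless it is on the ignore list."""
from collections import Counter
import ipaddress

# Decoy TCP ports modelled on Portsentry's default TCP_PORTS list (assumption).
# Compare with the nmap output in the first post: most of those "open" ports
# are in this set, which is what a Portsentry-listening host looks like.
DECOY_PORTS = {1, 11, 15, 79, 111, 119, 143, 540, 635, 1080, 1524, 2000,
               6667, 12345, 12346, 27665, 31337, 32771, 32772, 32773, 32774}

# Constructed connection-attempt records: (source IP, destination port).
ATTEMPTS = [
    ("203.0.113.7", 31337), ("203.0.113.7", 31337), ("203.0.113.7", 31337),
    ("198.51.100.9", 12345), ("198.51.100.9", 12346),
    ("192.0.2.5", 27665), ("192.0.2.5", 27665), ("192.0.2.5", 27665),
    ("203.0.113.7", 80),  # a real service, not a decoy: never counted
]

def load_ignore(lines):
    """Parse ignore-file entries (host or CIDR, one per line, # comments)."""
    nets = []
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def ignored(ip, ignore_nets):
    """True if the source address falls inside any ignored host/network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ignore_nets)

def evaluate(attempts, ignore_nets, trigger=3):
    """Return {ip: {ports}} for IPs that hit one decoy port >= trigger times."""
    hits = Counter((ip, port) for ip, port in attempts if port in DECOY_PORTS)
    blocked = {}
    for (ip, port), n in hits.items():
        if n >= trigger and not ignored(ip, ignore_nets):
            blocked.setdefault(ip, set()).add(port)
    return blocked

def hosts_deny_lines(blocked):
    """Render block entries in the 'ALL: <ip>' form used in hosts.deny."""
    return [f"ALL: {ip}" for ip in sorted(blocked)]

if __name__ == "__main__":
    ignore = load_ignore(["# local scanner", "127.0.0.1", "192.0.2.0/24"])
    for line in hosts_deny_lines(evaluate(ATTEMPTS, ignore)):
        print(line)
```

With the default trigger of 3, only the host that hit the same decoy port three times is blocked; the host that touched two different decoy ports once each, and the host inside the ignored range, produce no hosts.deny entry, which is the "ignored IP won't show up" case the reply describes.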