Re: Has my server been hacked?
From: Jeff D (xcom_at_bolt.sonic.net)
Date: 03/25/04
- In reply to: martha: "Has my server been hacked?"
Date: Thu, 25 Mar 2004 04:13:40 GMT
On Wed, 24 Mar 2004, martha wrote:
> I have a server I use for FTP only... it's running redhat 7.3. I ran nmap
> against the box and found a list of ports in "filtered" state I did not
> expect to see. I ran two different commands "netstat -ntupa | grep LISTEN"
> and "lsof -n -P -i tcp | grep LISTEN" and see only the 3 I expect to see
> open (ftp, ssh, and webmin). Is it possible for someone to run other
> programs/open ports that netstat and lsof can't detect? Is there a better
> way of checking?
>
> TIA — Martha (noobie)
>
Do you have iptables/chains running? I am guessing you do. What you are
probably seeing here is nmap saying that it didn't get a response from the
port like it expected to. When a port is closed the server should send a
reset packet back to nmap; it didn't get one for these ports, so it thinks
that it's filtered. With iptables you can block a port like so:
# create the DUMP chain first; the two rules below refer to it
iptables -N DUMP
iptables -I INPUT -p tcp --dport 666 -j DUMP
iptables -I DUMP -p tcp -j REJECT --reject-with tcp-reset
Then scan port 666 and it will show closed. If you just -j DROP it will
show as filtered, because iptables just drops the packet.
Also, if you want to check to see if the port is open, a good way to
check is just to telnet to the port. *Most* of the time, not all, but
most, you will get *some* sort of response.
hth,
jeff
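
Added example, not part of the original message: a small TCP connect probe that reports a port on your own server as open, closed or filtered, mirroring the reset-versus-silence distinction described in the reply above. The function name, the 2-second timeout and the treatment of ICMP unreachable errors as "filtered" are assumptions of this example.

```python
import errno
import socket
import sys


def probe_tcp_port(host, port, timeout=2.0):
    """Classify one TCP port from the result of a plain connect().

    open     - the handshake completed, so something is listening
    closed   - connection refused: the host answered with a TCP reset
               (what REJECT --reject-with tcp-reset produces)
    filtered - nothing came back before the timeout (what DROP produces),
               or the network reported the host/port unreachable
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError as exc:
        # ICMP unreachable replies surface as these errno values
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"
        raise
    finally:
        sock.close()


def probe_ports(host, ports, timeout=2.0):
    """Return {port: state} for each port in the list."""
    return {p: probe_tcp_port(host, p, timeout) for p in ports}


if __name__ == "__main__":
    # usage: python probe.py <host> <port> [<port> ...]
    target = sys.argv[1]
    wanted = [int(p) for p in sys.argv[2:]]
    for port, state in sorted(probe_ports(target, wanted).items()):
        print(f"{port}/tcp {state}")
```

Run it from a second machine against the server: from the server itself the traffic goes over loopback and may not pass the same iptables rules.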