- 08-23-2005 #1 Just Joined!
- Join Date: Apr 2005
- Posts: 3
Nmapping 127.0.0.1
I was nmapping myself to see what results I got, but I'm not completely sure if my machine has been compromised, or what to do about it.
I did:
sudo nmap -sS -O 127.0.0.1
1/tcp open tcpmux
11/tcp open systat
15/tcp open netstat
22/tcp open ssh
25/tcp open smtp
79/tcp open finger
80/tcp open http
111/tcp open rpcbind
119/tcp open nntp
143/tcp open imap
540/tcp open uucp
631/tcp open ipp
635/tcp open unknown
1080/tcp open socks
1524/tcp open ingreslock
2000/tcp open callbook
6667/tcp open irc
9999/tcp open abyss
12345/tcp open NetBus
12346/tcp open NetBus
27665/tcp open Trinoo_Master
31337/tcp open Elite
32771/tcp open sometimes-rpc5
32772/tcp open sometimes-rpc7
32773/tcp open sometimes-rpc9
32774/tcp open sometimes-rpc11
54320/tcp open bo2k
I am running Ubuntu with Firestarter as my firewall, and am behind a wireless router.
Any help would be appreciated.
- 08-24-2005 #2
If you want to see what's actually open to the public, you should nmap your router.
- 08-24-2005 #3
The first thing to do is to figure out what exactly is accessing what; you can do this with the command 'netstat -nep'. If you've been rooted then chances are netstat has been modified to not show you that information, same with the process commands.
After this, run rkhunter. You'll need to install it and run 'rkhunter -c' as root in order to check out the entire system. It would be best to download the package and then disconnect yourself from the net while you do this; this will reveal the state of your system if it has been compromised.
From the looks of your nmap output I'd say that you have, although don't take my word for it, as I can't say for sure and I don't wish to cause unnecessary panic. If this turns out to be the case, the best thing you can do is to keep it off the net and try to find out as much information as possible.
Most people, upon finding out something like this, would immediately reinstall their system. This is not a good idea for several reasons: how did you get cracked, were you running as root, did you download a bad package, is the copy of the distro legitimate? These are questions you'll need to ask yourself in order for it to not occur again.
If you're running as root, don't. If a package is compromised, which package? If the distro is not legitimate, make sure you download it from an official source. Once these questions have been answered, then is the time to plan a course of action accordingly.
Good luck and I hope that helps. Don't forget to tell us how things go.


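Added example, not part of the thread: post #3 warns that a modified netstat may hide sockets, so this sketch reads listening sockets straight from text in the /proc/net/tcp layout and cross-checks them against the ports nmap reported open. The nmap lines are a subset of the first post's output; the proc sample is constructed, and the function names are made up for this illustration.

```python
import re
import socket
import struct

# Lines copied from the nmap output in the first post (subset).
NMAP_OUTPUT = """\
22/tcp open ssh
25/tcp open smtp
631/tcp open ipp
12345/tcp open NetBus
31337/tcp open Elite
"""

# Constructed sample in /proc/net/tcp layout (not from the poster's machine).
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5012 1
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5100 1
   2: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5230 1
   3: 00000000:3039 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 7001 1
   4: 0100007F:0016 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1000        0 7400 1
"""

def nmap_open_ports(text):
    """Return the set of TCP ports nmap reported as open."""
    return {int(m.group(1)) for m in re.finditer(r"^(\d+)/tcp\s+open\b", text, re.M)}

def listening_sockets(proc_text):
    """Map port -> (bind address, uid, inode) for sockets in LISTEN state (0A)."""
    out = {}
    for line in proc_text.splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) < 10 or f[3] != "0A":
            continue
        hex_ip, hex_port = f[1].split(":")
        # IPv4 address is stored as little-endian hex, port as plain hex
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        out[int(hex_port, 16)] = (ip, int(f[7]), int(f[9]))
    return out

def cross_check(nmap_text, proc_text):
    """Split nmap's open ports into those with and without a kernel listener."""
    listeners = listening_sockets(proc_text)
    scanned = nmap_open_ports(nmap_text)
    explained = {p: listeners[p] for p in scanned if p in listeners}
    unexplained = sorted(scanned - listeners.keys())
    return explained, unexplained

if __name__ == "__main__":
    print(cross_check(NMAP_OUTPUT, PROC_NET_TCP))
```

On a live host, pass the contents of /proc/net/tcp as `proc_text`; /proc/net/tcp6 uses a longer address layout that this sketch does not decode. A kernel-level rootkit can falsify that table as well, so a clean result is one data point alongside the rkhunter run, not a verdict.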
