On Tuesday 17 January 2006 19:27, Micheal Patterson pondered:
> > The 1663 ports scanned but not shown below are in state: filtered)
> > PORT     STATE SERVICE
> > 80/tcp   open  http
> > 554/tcp  open  rtsp
> > 1755/tcp open  wms
> > 5190/tcp open  aol
>
> Kilian, what does a sockstat show you on those systems and are there any
> nats on either of these systems that would have a redirect_address to
> something behind them?

sockstat -4l only shows up the processes serving the LAN (dnsmasq, samba) as 
well as sshd:
USER     COMMAND    PID   FD  PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     smbd       484   18  tcp4   192.168.133.1:445     *:*
root     smbd       484   19  tcp4   192.168.133.1:139     *:*
root     nmbd       480   6   udp4   *:137                 *:*
root     nmbd       480   7   udp4   *:138                 *:*
root     nmbd       480   8   udp4   192.168.133.1:137     *:*
root     nmbd       480   9   udp4   192.168.133.1:138     *:*
nobody   dnsmasq    458   1   udp4   *:56212               *:*
nobody   dnsmasq    458   3   udp4   *:53                  *:*
nobody   dnsmasq    458   4   tcp4   *:53                  *:*
nobody   dnsmasq    458   5   udp4   *:67                  *:*
root     sshd       432   3   tcp4   *:22                  *:*
root     syslogd    311   4   udp4   *:514                 *:*

So nothing suspect at all here. Yes, the systems are natted (with above system 
LAN on 192.168.133.0/24), using ppp -nat. I have no specific redirects set 
up, and only an "allow tcp/udp from LAN to WAN/any setup keep-state" dynamic 
rule, but that should be unrelated.

If my server is not compromised, how the heck could an http/rtsp/wms/aol 
redirect sneak in there without me explicitly enabling it?

-- 
Kilian Hagemann

Climate Systems Analysis Group
University of Cape Town
Republic of South Africa
Tel(w): ++27 21 650 2748
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
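
The cross-check carried out by hand in this message, written as a script: list every port an external nmap scan reports open that has no listening socket in the host's own `sockstat -4l` output. This is an added example, not part of the original post; the function name `unexplained_ports` is hypothetical, and the sample inputs are constructed from values quoted in the thread.

```shell
#!/bin/sh
# Constructed sample: the nmap port table quoted in the thread.
NMAP_SAMPLE='PORT     STATE SERVICE
80/tcp   open  http
554/tcp  open  rtsp
1755/tcp open  wms
5190/tcp open  aol'

# Constructed sample: an excerpt of the sockstat -4l listing from the thread.
SOCKSTAT_SAMPLE='USER     COMMAND    PID   FD  PROTO  LOCAL ADDRESS      FOREIGN ADDRESS
root     smbd       484   18  tcp4   192.168.133.1:445  *:*
nobody   dnsmasq    458   4   tcp4   *:53               *:*
root     sshd       432   3   tcp4   *:22               *:*
root     syslogd    311   4   udp4   *:514              *:*'

# unexplained_ports NMAP_TEXT SOCKSTAT_TEXT
# Prints one "port/proto" per line for every port nmap reports as open
# that has no local listening socket of the same protocol in SOCKSTAT_TEXT.
unexplained_ports() {
    # Feed sockstat first, then a separator, then nmap, into a single awk pass.
    printf '%s\n---\n%s\n' "$2" "$1" | awk '
        /^---$/ { in_nmap = 1; next }

        # sockstat rows: column 5 is tcp4/udp4/tcp6/..., column 6 is addr:port.
        !in_nmap && $5 ~ /^(tcp|udp)/ {
            proto = substr($5, 1, 3)       # tcp4 -> tcp, udp4 -> udp
            n = split($6, part, ":")       # the port is the last field
            listening[part[n] "/" proto] = 1
            next
        }

        # nmap rows: "80/tcp open http"; filtered and closed ports are skipped.
        in_nmap && $2 == "open" && $1 ~ /^[0-9]+\/(tcp|udp)$/ {
            if (!($1 in listening)) print $1
        }'
}

# Stand-alone run on the constructed samples.
unexplained_ports "$NMAP_SAMPLE" "$SOCKSTAT_SAMPLE"
```

On the real host, pass `"$(sockstat -4l)"` as the second argument and the saved scan output as the first. Every port printed is being answered by something other than a process bound on that machine, which is exactly the discrepancy the message describes.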