Running chkrootkit is the right thing to do. Maybe Justin's system is hacked?
-ntk

> Strange, my nmap looks like this:
>
> nmap -p 1-40000 deleuze.hcoop.net
>
> Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2007-03-29 18:46 CEST
> Interesting ports on deleuze.hcoop.net (69.90.123.67):
> Not shown: 39984 closed ports
> PORT     STATE SERVICE
> 21/tcp   open  ftp
> 23/tcp   open  telnet
> 25/tcp   open  smtp
> 53/tcp   open  domain
> 70/tcp   open  gopher
> 111/tcp  open  rpcbind
> 113/tcp  open  auth
> 389/tcp  open  ldap
> 749/tcp  open  kerberos-adm
> 935/tcp  open  unknown
> 993/tcp  open  imaps
> 995/tcp  open  pop3s
> 1053/tcp open  unknown
> 2105/tcp open  eklogin
> 2222/tcp open  unknown
> 3306/tcp open  mysql
>
> Nmap finished: 1 IP address (1 host up) scanned in 425.651 seconds
>
>
> nmap mire.hcoop.net
>
> Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2007-03-29 18:54 CEST
> Interesting ports on 69.90.123.68:
> Not shown: 1673 closed ports
> PORT    STATE SERVICE
> 22/tcp  open  ssh
> 53/tcp  open  domain
> 80/tcp  open  http
> 111/tcp open  rpcbind
> 113/tcp open  auth
> 443/tcp open  https
> 875/tcp open  unknown
>
> Nmap finished: 1 IP address (1 host up) scanned in 36.929 seconds
>
>
> There's no mention of the subseven port.. And nothing is bound to it
> on deleuze. (sudo fuser -v -n tcp PORT ).
>
> I also downloaded and ran chkrootkit (something I do periodically on
> all machines), and there's nothing suspicious.
>
> Is it possible that you somehow misinterpreted the results? Say, by
> your workstation's strange interaction with firewalls/whatever on
> your outgoing link?
>
> If you run the scan again, and you see the same things, then it's a
> quirk on your end.
>
>> Also deleuze reports telnet being open, which doesn't seem necessary.
>> Telnetting to the machine gives me the following message (machine being
>> reported as deleuze.phq.org. because of my local network setup):
>>
>> [EMAIL PROTECTED] ~]$ telnet deleuze
>> Trying 69.90.123.67...
>> Connected to deleuze.phq.org (69.90.123.67).
>> Escape character is '^]'.
>> telnetd: No authentication provided.
>> Connection closed by foreign host.
>
> Disabled in inetd.conf, along with kshell and klogin.. I am not sure
> but those might have been enabled when you installed openbsd-inetd.
>
> -doc
>
> _______________________________________________
> HCoop-SysAdmin mailing list
> [email protected]
> http://hcoop.net/cgi-bin/mailman/listinfo/hcoop-sysadmin
