What do you guys make of this?


redline
11-11-2001, 06:28 PM
[redline@lieutenant redline]$ nmap redline

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
(The 1512 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
111/tcp open sunrpc
1024/tcp open kdm
1524/tcp filtered ingreslock
6000/tcp open X11
12345/tcp filtered NetBus
12346/tcp filtered NetBus
27665/tcp filtered Trinoo_Master
31337/tcp filtered Elite

Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds

[ 12 November 2001: Message edited by: redline ]

JBrian
11-11-2001, 08:33 PM
Since I don't think anyone has ported the netbus server to linux, my guess is you run portsentry or some sort of similar IDS.

redline
11-12-2001, 05:43 PM
The "filtered" ports weren't there as of mid last week, and I haven't installed or reconfigured anything differently since then. Could it be I am hacked?

redline

Dark Ninja
11-12-2001, 06:43 PM
With all that "stuff" running - I would say it is very possible. Telnet is relatively easy to break into, and that 'sunrpc' also has some known security holes.

As for those filtered items. All trojan horse programs. As far as I know, they do not run under Linux - but - I haven't checked in a while. I'd definitely recommend getting IP chains up, and taking down those services. Quickly.


Dark Ninja

JBrian
11-12-2001, 11:29 PM
There is a utility called lsof that you could find on google or freshmeat.net, if you don't have it. It'll tell you what programs are really running on those sockets. If you do have lsof installed you should verify it against a "fresh" version with md5sum. HTH
~Jeff
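
Added example (an editor's addition, not part of any post in this thread): a bash sketch of the check suggested above. It separates the open ports from the filtered ones in the scan from the first post, asks lsof which process owns each open socket, and compares the installed lsof with a known-good copy by MD5. The function names are hypothetical, and any path to a fresh lsof binary is an assumption you supply yourself.

```bash
#!/usr/bin/env bash
# Scan lines copied from the nmap output in the first post of this thread.
SCAN='21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
111/tcp open sunrpc
1024/tcp open kdm
1524/tcp filtered ingreslock
6000/tcp open X11
12345/tcp filtered NetBus
12346/tcp filtered NetBus
27665/tcp filtered Trinoo_Master
31337/tcp filtered Elite'

# ports_in_state STATE: print the TCP port numbers nmap reported in STATE.
ports_in_state() {
    printf '%s\n' "$SCAN" |
        awk -v s="$1" '$1 ~ /^[0-9]+\/tcp$/ && $2 == s { split($1, p, "/"); print p[1] }'
}

# same_md5 FILE_A FILE_B: succeed only if both files exist and hash identically.
# Use it to compare the installed lsof with a copy from trusted media.
same_md5() {
    a=$(md5sum "$1" 2>/dev/null | awk '{ print $1 }')
    b=$(md5sum "$2" 2>/dev/null | awk '{ print $1 }')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# show_listeners: for every open port, list the process holding the listening
# socket. -n and -P stop lsof from resolving host names and port names.
show_listeners() {
    command -v lsof >/dev/null 2>&1 || { echo "lsof not installed" >&2; return 1; }
    for port in $(ports_in_state open); do
        echo "== tcp/$port =="
        lsof -nP -iTCP:"$port" -sTCP:LISTEN || echo "(no listener visible to this user)"
    done
}

# "open" means something accepted the connection, so there is a process to find.
# "filtered" only means the probe got no usable answer; it proves no listener.
echo "open, check the owner with lsof: $(ports_in_state open | tr '\n' ' ')"
echo "filtered, probe dropped or blocked: $(ports_in_state filtered | tr '\n' ' ')"
```

Run `show_listeners` as root so that sockets owned by other users are shown, and run `same_md5` against the fresh copy before trusting what lsof reports.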

ralph wiggum
11-13-2001, 10:02 PM
when i set up my box with iptables, i scanned myself with nmap and got a state of "filtered" as well for all the ports that i blocked.

so i think it's normal