Hi, I need some advice.

I am working on a friend's "firewall"; it is an RH7.0 and he had it running with ipchains. I upgraded the kernel to 2.4.18 and now it has iptables. The problem is that when I scan locally I see only ssh open:

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on localhost (127.0.0.1):
(The 1522 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh

Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds

But when I scan from a remote computer I see this:

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on x.x.x.x (x.x.x.x):
(The 1517 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
137/tcp    filtered    netbios-ns
138/tcp    filtered    netbios-dgm
139/tcp    filtered    netbios-ssn
1080/tcp   filtered    socks
8888/tcp   filtered    sun-answerbook

Nmap run completed -- 1 IP address (1 host up) scanned in 12 seconds

Samba is not running there. netstat does not show any unusual connections. The computer does not have lsof installed. If I do a ps ax I don't see a socks process either.

The worst part was that I tried to use a program I found called chkrootkit-0.35, which did not find anything until the computer hung up at "Searching for suspicious files and dirs, it may take a while..." Now if I do a ps it never completes; I never get the root # back. The program stopped when it got to "Searching for suspicious files and dirs, it may take a while..." Now the computer does not even respond when I send a reboot command. I tried this chkrootkit-0.35 on other computers and it never did that.

The guy does not have tripwire or anything like that. My guess is that this computer was rooted before I got to it.

Any feedback is welcome.

David Correa
Public Key http://www.linux-tech.com/linuxtech.asc
Key fingerprint 7F2C E072 479D 71B4 008B 373E A284 8CDE 7659 F5D8