Nmap reports these ports as "filtered" because they aren't returning "closed messages", your firewall rules probably have "DROP" instead of "REJECT" for connections on these ports, check that.

About the chkrootkit problem, I don't know what may be happening, sorry.

Italo.

David Correa wrote:

> Hi,
>
> I need some advice.
>
> I am working on a friend's "firewall"; it is an RH7.0,
> he had it running with ipchains. I upgraded the kernel
> to 2.4.18 and now it has iptables. The problem is
> that when I scan locally I see only ssh open:
>
> Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/
> )
> Interesting ports on localhost (
> (The 1522 ports scanned but not shown below are in state: closed)
> Port State Service
> 22/tcp open ssh
>
> Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds
>
> But when I scan from a remote computer I see this:
>
> Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/
> )
> Interesting ports on x.x.x.x (x.x.x.x):
> (The 1517 ports scanned but not shown below are in state: closed)
> Port State Service
> 22/tcp open ssh
> 137/tcp filtered netbios-ns
> 138/tcp filtered netbios-dgm
> 139/tcp filtered netbios-ssn
> 1080/tcp filtered socks
> 8888/tcp filtered sun-answerbook
>
> Nmap run completed -- 1 IP address (1 host up) scanned in 12 seconds
>
> Samba is not running there. netstat does not show
> any unusual connections. The computer does not have lsof installed.
>
> If I do a ps ax I don't see a socks process either.
>
> The worst part was that I tried to use a program I found
> called chkrootkit-0.35, that did not find anything until the computer
> hung up at "Searching for suspicious files and dirs, it may take a
> while..."
>
> Now if I do a ps it never never completes, I never get
> the root # back. The program stopped when it got to
> Searching for suspicious files and dirs, it may take a while...
> Now the computer does not even respond when I send a reboot
> command.
>
> I tried this chkrootkit-0.35 on other computers and it never did that.
>
> The guy does not have tripwire or anything like that.
>
> My guess is that this computer was rooted before I got to it.
>
> Any feedback is welcome
>
> David Correa
> Public Key http://www.linux-tech.com/linuxtech.asc
> Key fingerprint 7F2C E072 479D 71B4 008B 373E A284 8CDE 7659 F5D8
>
> ----------------------------------------------------------------------
>
> To unsubscribe email security-discuss-request@linuxsecurity.com
> with "unsubscribe" in the subject of the message.
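
The DROP-versus-REJECT check suggested in the reply above, as an added example that is not part of the original messages: it reports which INPUT rule first matches each port the remote scan showed as filtered. The rule listing `SAMPLE_RULES` is constructed (not the rules from the host in the thread), `input_target_for_port` is a hypothetical helper name, and only `-p`, `--dport` and `--dports` are evaluated; source, interface and state matches are ignored.

```shell
#!/bin/sh
# Constructed sample in `iptables -S INPUT` format; NOT the rules from the thread.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 137:139 -j DROP
-A INPUT -p tcp -m multiport --dports 1080,8888 -j DROP
-A INPUT -p tcp -m tcp --dport 3128 -j REJECT --reject-with tcp-reset'

# Print the target of the first INPUT rule whose TCP destination port (single
# port, lo:hi range, or comma list) covers $2; first match wins in a chain.
# If no port rule matches, print the chain policy instead.
input_target_for_port() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "-P" && $2 == "INPUT" { policy = $3; next }
        $1 != "-A" || $2 != "INPUT" { next }
        {
            proto = ""; spec = ""; target = ""; extra = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport" || $i == "--dports") spec = $(i + 1)
                if ($i == "-j") target = $(i + 1)
                if ($i == "--reject-with") extra = $(i + 1)
            }
            # Rules without a TCP port match are skipped (assumption of this example).
            if (proto != "tcp" || spec == "" || target == "") next
            n = split(spec, parts, ",")
            for (k = 1; k <= n; k++) {
                lo = hi = parts[k]
                if (split(parts[k], r, ":") == 2) { lo = r[1]; hi = r[2] }
                if (port + 0 >= lo + 0 && port + 0 <= hi + 0) {
                    print target (extra != "" ? " (" extra ")" : "")
                    found = 1; exit
                }
            }
        }
        END { if (!found) print "policy " policy }'
}

# Ports the remote nmap scan in the quoted message listed as filtered.
for p in 137 138 139 1080 8888; do
    printf '%s/tcp -> %s\n' "$p" "$(input_target_for_port "$SAMPLE_RULES" "$p")"
done
```

On a host with a current iptables, pass the live chain instead of the sample, for example `input_target_for_port "$(iptables -S INPUT)" 137`.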