# 6969/tcp open acmsoda; have I been hacked

## ewan.paton

I'm the 1st to admit I have been lax with security; my user password was 12345, but I was behind a hardware firewall, and since I don't keep anything important on my PC I am not that bothered, more curious.

I only have 1 non-Gentoo-emerge installed program, the Azureus Java BitTorrent client, but no firewall on this PC.

Anyways, here's my nmap before I fdisk and probably do an LVM install; the only pig is now I may be tempted to have a Windows partition (not for security).

```
Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2004-02-13 16:41 GMT
Interesting ports on xeon (127.0.0.1):
(The 1654 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
22/tcp   open  ssh
6000/tcp open  X11
6969/tcp open  acmsoda
```

----------

## Ribs

netstat -lp will tell you what is listening at that port, assuming it hasn't been compromised as well.

If you see a program you don't know about, or don't see anything for that port, it's fairly likely you've been hacked.

Looking at your logs may also give some clues, assuming the cracker hasn't altered those as well.

-Ribs.

----------

## UberLord

You just scanned 127.0.0.1 which is the lo - some ports may need to be open!

Instead, nmap the IP address of your ethernet card.

----------

## ewan.paton

Here's netstat:

```
# netstat -lp 192.169.1.6:6969
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 xeon:6880               *:*                     LISTEN      3369/java
tcp        0      0 *:6881                  *:*                     LISTEN      3369/java
tcp        0      0 *:6000                  *:*                     LISTEN      3183/X
tcp        0      0 *:ssh                   *:*                     LISTEN      3117/sshd
tcp        0      0 *:6969                  *:*                     LISTEN      3369/java
tcp        0      0 xeon:6010               *:*                     LISTEN      3909/3
```

As for nmapping 192.168.1.6 (my DHCP address), it was the same, so I didn't think it mattered which I posted.

----------

## pakman

6969 is the default port for BitTorrent seeds, so that's probably Azureus (or however it's supposed to be spelt) opening it; the fact it says java in the netstat -lp output kinda confirms that.

----------
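An added example, not written by any poster in this thread: it cross-references the open ports from the nmap scan with the listeners in the `netstat -lp` output posted above and reports which PID/program owns each one. The function names are hypothetical, and matching a netstat service name such as `ssh` against nmap's SERVICE column is an assumption that holds for this sample.

```python
import re

# Sample input: the nmap and netstat tables posted in this thread.
NMAP_OUTPUT = """\
22/tcp   open  ssh
6000/tcp open  X11
6969/tcp open  acmsoda
"""
NETSTAT_OUTPUT = """\
tcp        0      0 xeon:6880               *:*                     LISTEN      3369/java
tcp        0      0 *:6881                  *:*                     LISTEN      3369/java
tcp        0      0 *:6000                  *:*                     LISTEN      3183/X
tcp        0      0 *:ssh                   *:*                     LISTEN      3117/sshd
tcp        0      0 *:6969                  *:*                     LISTEN      3369/java
tcp        0      0 xeon:6010               *:*                     LISTEN      3909/3
"""

def parse_nmap(text):
    """Return {port: service_name} for every open TCP port in nmap's table."""
    return {int(m.group(1)): m.group(2)
            for m in re.finditer(r"^(\d+)/tcp\s+open\s+(\S+)", text, re.M)}

def parse_netstat(text):
    """Return [(local_port_or_name, pid, program)] for each TCP LISTEN line."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("tcp") and f[5] == "LISTEN":
            port = f[3].rsplit(":", 1)[1]
            # Without root, netstat prints "-" instead of PID/Program name.
            pid, _, prog = (f[6] if len(f) > 6 else "-").partition("/")
            rows.append((port, pid, prog))
    return rows

def attribute(nmap_text, netstat_text):
    """Map each open port to its listening program(s), or None if unclaimed."""
    listeners = parse_netstat(netstat_text)
    result = {}
    for port, service in parse_nmap(nmap_text).items():
        # netstat without -n prints a name (e.g. "ssh") for well-known ports,
        # so accept either the number or the service name nmap reported.
        owners = sorted({f"{pid}/{prog}" for p, pid, prog in listeners
                         if p in (str(port), service) and prog})
        result[port] = owners or None
    return result

if __name__ == "__main__":
    for port, owners in attribute(NMAP_OUTPUT, NETSTAT_OUTPUT).items():
        print(port, owners or "NO LISTENER FOUND - investigate")
```

A port that maps to `None` is the case Ribs describes: open to the scanner, but with no program that netstat will name.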

