# hacked?

## nadamsieee

A friend, who is a Gentoo newbie, complained today that his KDE and cable modem were suddenly very slow. I decided to nmap his computer and this is the output:

```
Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2004-02-02 19:23 EST
Interesting ports on x.x.x.x:
(The 1648 ports scanned but not shown below are in state: closed)
PORT     STATE    SERVICE
22/tcp   open     ssh
135/tcp  filtered msrpc
136/tcp  filtered profile
137/tcp  filtered netbios-ns
138/tcp  filtered netbios-dgm
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
4444/tcp filtered krb524
Nmap run completed -- 1 IP address (1 host up) scanned in 33.323 seconds
```

When I run nmap on my machine, all ports are closed as expected. Does any of the above look like he has been hacked?

Thanks!

----------

## imsdunn

More information:

```
# netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        1      0 ::ffff:x.x.x:32773 ::ffff:128.193.0.38:www CLOSE_WAIT
tcp        1      0 ::ffff:x.x.x:32774 ::ffff:128.193.0.38:www CLOSE_WAIT
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  4      [ ]         DGRAM                    1799   /dev/log
unix  3      [ ]         STREAM     CONNECTED     5170   /tmp/.esd/socket
unix  3      [ ]         STREAM     CONNECTED     5169
unix  2      [ ]         STREAM                   5166
unix  2      [ ]         STREAM     CONNECTED     5148
unix  2      [ ]         STREAM     CONNECTED     5140
unix  3      [ ]         STREAM     CONNECTED     5118   /tmp/.ICE-unix/dcop2958-1075846847
unix  3      [ ]         STREAM     CONNECTED     5117
unix  3      [ ]         STREAM     CONNECTED     5109   /tmp/.ICE-unix/3014
unix  3      [ ]         STREAM     CONNECTED     5108
unix  3      [ ]         STREAM     CONNECTED     5107   /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     5106
unix  3      [ ]         STREAM     CONNECTED     5080   /tmp/.ICE-unix/3014
unix  3      [ ]         STREAM     CONNECTED     5079
unix  3      [ ]         STREAM     CONNECTED     5076   /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     5075
unix  3      [ ]         STREAM     CONNECTED     5072   /tmp/.ICE-unix/dcop2958-1075846847
unix  3      [ ]         STREAM     CONNECTED     5071
unix  3      [ ]         STREAM     CONNECTED     5051   /home/sean/.kde3.1/socket-earl/klauncherat5Rma.slave-socket
unix  3      [ ]         STREAM     CONNECTED     5050
unix  3      [ ]         STREAM     CONNECTED     5026   /tmp/.ICE-unix/3014
unix  3      [ ]         STREAM     CONNECTED     5017
unix  3      [ ]         STREAM     CONNECTED     5014   /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     5013
unix  3      [ ]         STREAM     CONNECTED     5012   /tmp/.ICE-unix/dcop2958-1075846847
unix  3      [ ]         STREAM     CONNECTED     5011
unix  3      [ ]         STREAM     CONNECTED     4980   /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     4979
unix  3      [ ]         STREAM     CONNECTED     4624   /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     4623
unix  3      [ ]         STREAM     CONNECTED     4991   /tmp/.ICE-unix/3014
unix  3      [ ]         STREAM     CONNECTED     4612
unix  3      [ ]         STREAM     CONNECTED     4608   /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     4607
unix  3      [ ]         STREAM     CONNECTED     4606   /tmp/.ICE-unix/dcop2958-1075846847
unix  3      [ ]         STREAM     CONNECTED     4605
unix  3      [ ]         STREAM     CONNECTED     4568   /tmp/.ICE-unix/3014
unix  3      [ ]         STREAM     CONNECTED     4559
unix  3      [ ]         STREAM     CONNECTED     4556   /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     4555
unix  3      [ ]         STREAM     CONNECTED     4554   /tmp/.ICE-unix/dcop2958-1075846847
unix  3      [ ]         STREAM     CONNECTED     4553
unix  3      [ ]         STREAM     CONNECTED     4565   /tmp/.ICE-unix/3014
unix  3      [ ]         STREAM     CONNECTED     4551
unix  3      [ ]         STREAM     CONNECTED     4548   /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     4547
unix  3      [ ]         STREAM     CONNECTED     4546   /tmp/.ICE-unix/dcop2958-1075846847
unix  3      [ ]         STREAM     CONNECTED     4545
unix  3      [ ]         STREAM     CONNECTED     4563   /tmp/.ICE-unix/3014
unix  3      [ ]         STREAM     CONNECTED     4543
unix  3      [ ]         STREAM     CONNECTED     4540   /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     4539
unix  3      [ ]         STREAM     CONNECTED     4538   /tmp/.ICE-unix/dcop2958-1075846847
unix  3      [ ]         STREAM     CONNECTED     4537
unix  3      [ ]         STREAM     CONNECTED     4533   /tmp/.ICE-unix/3014
unix  3      [ ]         STREAM     CONNECTED     4532
unix  3      [ ]         STREAM     CONNECTED     4526   /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     4525
unix  3      [ ]         STREAM     CONNECTED     4524   /tmp/.ICE-unix/dcop2958-1075846847
unix  3      [ ]         STREAM     CONNECTED     4523
unix  3      [ ]         STREAM     CONNECTED     4497   /tmp/.ICE-unix/3014
unix  3      [ ]         STREAM     CONNECTED     4496
unix  3      [ ]         STREAM     CONNECTED     4489   /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     4488
unix  3      [ ]         STREAM     CONNECTED     4487   /tmp/.ICE-unix/dcop2958-1075846847
unix  3      [ ]         STREAM     CONNECTED     4486
unix  3      [ ]         STREAM     CONNECTED     4469   /tmp/.ICE-unix/3014
unix  3      [ ]         STREAM     CONNECTED     4468
unix  3      [ ]         STREAM     CONNECTED     4465   /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     4464
unix  3      [ ]         STREAM     CONNECTED     4463   /tmp/.ICE-unix/dcop2958-1075846847
unix  3      [ ]         STREAM     CONNECTED     4462
unix  3      [ ]         STREAM     CONNECTED     4456   /tmp/.ICE-unix/dcop2958-1075846847
unix  3      [ ]         STREAM     CONNECTED     4455
unix  3      [ ]         STREAM     CONNECTED     4450   /tmp/.ICE-unix/3014
unix  3      [ ]         STREAM     CONNECTED     4449
unix  3      [ ]         STREAM     CONNECTED     4448   /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     4447
unix  3      [ ]         STREAM     CONNECTED     4442   /tmp/.ICE-unix/dcop2958-1075846847
unix  3      [ ]         STREAM     CONNECTED     4441
unix  3      [ ]         STREAM     CONNECTED     4438   /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     4437
unix  3      [ ]         STREAM     CONNECTED     4431   /home/sean/.kde3.1/socket-earl/kdeinit-:0
unix  3      [ ]         STREAM     CONNECTED     4430
unix  3      [ ]         STREAM     CONNECTED     4417   /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     4416
unix  3      [ ]         STREAM     CONNECTED     4415   /tmp/.ICE-unix/dcop2958-1075846847
unix  3      [ ]         STREAM     CONNECTED     4414
unix  3      [ ]         STREAM     CONNECTED     4362   /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     4361
unix  3      [ ]         STREAM     CONNECTED     4320   /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     4319
unix  3      [ ]         STREAM     CONNECTED     4318   /tmp/.ICE-unix/dcop2958-1075846847
unix  3      [ ]         STREAM     CONNECTED     4317
unix  3      [ ]         STREAM     CONNECTED     4305   /tmp/.ICE-unix/dcop2958-1075846847
unix  3      [ ]         STREAM     CONNECTED     4304
unix  3      [ ]         STREAM     CONNECTED     4299
unix  3      [ ]         STREAM     CONNECTED     4298
unix  3      [ ]         STREAM     CONNECTED     4010   /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     3975
unix  2      [ ]         DGRAM                    3961
unix  2      [ ]         DGRAM                    3598
```

Please help! I am a newbie and do not know what all of this means.

----------

## imsdunn

Here is some more info that might help. I ran chkrootkit:

```
# chkrootkit
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not found
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... not infected
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not found
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... not infected
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not found
Checking `mail'... not found
Checking `mingetty'... not found
Checking `netstat'... not infected
Checking `named'... not found
Checking `passwd'... not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not infected
Checking `rpcinfo'... not infected
Checking `rlogind'... not found
Checking `rshd'... not found
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not tested
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not found
Checking `timed'... not found
Checking `traceroute'... not found
Checking `vdir'... not found
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... no suspect files
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... nothing found
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... nothing found
Searching for suspicious files and dirs, it may take a while...
/usr/lib/.keep
/usr/lib/perl5/5.8.0/i686-linux/.packlist
/usr/lib/perl5/site_perl/5.8.0/i686-linux/auto/Gtk/Gdk/Pixbuf/.packlist
/usr/lib/perl5/site_perl/5.8.0/i686-linux/auto/Gtk/Gdk/ImlibImage/.packlist
/usr/lib/perl5/site_perl/5.8.0/i686-linux/auto/Gtk/base/.packlist
/usr/lib/perl5/site_perl/5.8.0/i686-linux/auto/Gtk/XmHTML/.packlist
/usr/lib/perl5/site_perl/5.8.0/i686-linux/auto/Gimp/.packlist
/usr/lib/locale/ru_RU/LC_MESSAGES/.keep
/usr/lib/nsbrowser/plugins/.keep
/lib/.keep
/lib/dev-state/.keep
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ShitC Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... nothing found
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1... nothing found
Searching for LOC rootkit ... nothing found
Searching for Romanian rootkit ... nothing found
Searching for Suckit rootkit ... nothing found
Searching for Volc rootkit ... nothing found
Searching for Gold2 rootkit ... nothing found
Searching for TC2 Worm default files and dirs... nothing found
Searching for Anonoying rootkit default files and dirs... nothing found
Searching for ZK rootkit default files and dirs... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... Checking `rexedcs'... not found
Checking `sniffer'...
eth0 is not promisc
Checking `wted'... 2 deletion(s) between Thu Oct  9 21:49:31 2003 and Thu Oct  9 17:55:09 2003
nothing deleted
Checking `w55808'... not infected
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'...
nothing deleted
```

----------

## pakman

Those filtered ports could be due to the ISP blocking them, quite likely at the moment to limit worms spreading via the Windows file shares (on the 135-139 ones). Was the scan done at a different time from that netstat output? ssh doesn't show up on the netstat but does on the scan, which is possibly worrying. It could indicate the netstat has been trojaned, or that ssh was stopped between the two.

By the way, it's probably best to run `nmap -p 1-65535 <ip>` to make sure it scans all ports; the default is to skip quite a few, and any hacker activity is likely to be on a high port that nmap misses on its default scan. Notice this bit:

```
(The 1648 ports scanned but not shown below are in state: closed) 
```

There are 65536 (2^16) odd ports available :)
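As an added example (not code from this thread), here is a small Python script that does the cross-check the post above is reaching for: it parses nmap's port table and the host's own listing of listening sockets, then flags disagreements. It assumes `netstat -ltn` (or `ss -ltn`) output; the `netstat` posted earlier was run without `-l`, and its header `(w/o servers)` says it lists established connections only, so a listener such as sshd is never expected in it. Both sample outputs in the block are constructed for the example.

```python
"""Cross-check an external nmap scan against the host's own listening sockets.

Added example, not code from the thread. A port the scanner reports as open
but the host does not list as LISTEN is the case worth investigating (hidden
listener, patched netstat, or snapshots taken at different times). The two
sample outputs below are constructed for the example.
"""
import re

# Constructed nmap 3.x style output, same layout as the scans in the thread.
NMAP_OUTPUT = """\
Interesting ports on x.x.x.x:
(The 65526 ports scanned but not shown below are in state: closed)
PORT     STATE    SERVICE
22/tcp   open     ssh
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
6667/tcp open     irc
"""

# Constructed `netstat -ltn` output. Note the header: plain `netstat` with no
# -l prints "(w/o servers)" and deliberately omits every listening socket.
NETSTAT_LISTEN_OUTPUT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
"""

LOOPBACK = {"127.0.0.1", "::1"}
NMAP_LINE = re.compile(r"^(\d+)/tcp\s+(\S+)\s+(\S+)")
LISTEN_LINE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN")


def parse_nmap(text):
    """Return {port: state} for each '<port>/tcp <state> <service>' row."""
    ports = {}
    for line in text.splitlines():
        m = NMAP_LINE.match(line)
        if m:
            ports[int(m.group(1))] = m.group(2)
    return ports


def parse_listening(text):
    """Return {port: {bind address, ...}} for LISTEN rows of netstat -ltn."""
    listening = {}
    for line in text.splitlines():
        m = LISTEN_LINE.match(line)
        if m:
            listening.setdefault(int(m.group(2)), set()).add(m.group(1))
    return listening


def compare(nmap_ports, listening):
    """Sort every port into one bucket; each bucket is a sorted list of ports."""
    findings = {
        "consistent": [],        # open remotely and LISTEN locally
        "unexplained_open": [],  # open remotely, host shows no listener
        "filtered_upstream": [], # decided between scanner and host, says nothing about the host
        "local_only": [],        # bound to loopback only, invisible to a remote scan
        "unreachable": [],       # LISTEN on a routable address, scanner saw closed/nothing
    }
    for port, state in sorted(nmap_ports.items()):
        if state == "open":
            bucket = "consistent" if port in listening else "unexplained_open"
            findings[bucket].append(port)
        elif state == "filtered":
            findings["filtered_upstream"].append(port)
    for port, addrs in sorted(listening.items()):
        if port in nmap_ports:
            continue
        findings["local_only" if addrs <= LOOPBACK else "unreachable"].append(port)
    return findings


def report(nmap_text=NMAP_OUTPUT, listen_text=NETSTAT_LISTEN_OUTPUT):
    """Run the comparison on two captured outputs and return the findings."""
    return compare(parse_nmap(nmap_text), parse_listening(listen_text))


if __name__ == "__main__":
    for bucket, ports in report().items():
        print(f"{bucket:18s} {ports}")
```

Feed it real captures by replacing the two constants. An `unexplained_open` hit is the interesting case: the scanner reached a listener the host does not admit to, which is what a trojaned netstat or a kernel rootkit would produce, but also what you get when the two snapshots are minutes apart, so take both at the same moment (ideally the local listing from a known-clean binary on read-only media) before drawing conclusions. `filtered` is decided by a firewall or ISP somewhere on the path and is not evidence either way.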

----------

## nadamsieee

 *pakman wrote:*   

> Those filtered ports could be due to the ISP blocking them, quite likely at the moment to limit worms spreading via the Windows file shares (on the 135-139 ones).

 

Duh. Thanks for smacking me with the obvious stick. :D

 *pakman wrote:*   

> Was the scan done at a different time from that netstat output? ssh doesn't show up on the netstat but does on the scan, which is possibly worrying. It could indicate the netstat has been trojaned, or that ssh was stopped between the two.

 

The nmap scan and the netstat dump were done within minutes of each other while I was on the phone with imsdunn. I'm 99.9% sure he didn't shut down ssh at any point in time.

 *pakman wrote:*   

> By the way, it's probably best to run `nmap -p 1-65535 <ip>` to make sure it scans all ports; the default is to skip quite a few, and any hacker activity is likely to be on a high port that nmap misses on its default scan. Notice this bit:
> 
> ```
> (The 1648 ports scanned but not shown below are in state: closed) 
> ```
> ...

 

Thanks again; I wasn't aware of nmap's default behaviour. I will scan again and post anything interesting.

----------

## nadamsieee

I rescanned Sean's computer tonight:

```
# nmap -p 1-65535 x.x.x.x
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-02-08 19:57 EST
Interesting ports on hostname (x.x.x.x):
(The 65526 ports scanned but not shown below are in state: closed)
PORT     STATE    SERVICE
22/tcp   open     ssh
135/tcp  filtered msrpc
136/tcp  filtered profile
137/tcp  filtered netbios-ns
138/tcp  filtered netbios-dgm
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
4444/tcp filtered krb524
Nmap run completed -- 1 IP address (1 host up) scanned in 486.653 seconds
```

Does anyone have any other ideas why his computer would have been slow? He said it is running normally tonight. Flaky hard drive, maybe?

----------

## D. M. P. inc

A few reasons computers and the internet are slow:

The computer has been up for a while, and the cable modem hasn't been rebooted for a while either (sometimes when the ISP updates their server, the cable box tries to update but there are conflicts). Try rebooting everything, because this is the basic problem.

----------

## zeky

If nmap says a port is filtered, it means that something is blocking it on the way (and that way runs from the PC where you run nmap, through one or more ISPs, to the destination PC that you're scanning). It does NOT necessarily mean that this port is open and filtered on your box.

----------

## ed0n

If I saw that nmap output I would not say that somebody broke into his box. If you want to know whether somebody broke into your box, you need to be fast and always check the logs and back up your system.

----------

## converter

 *Quote:*   

> A friend, who is a Gentoo newbie, complained today that his KDE and cable modem were suddenly very slow. I decided to nmap his computer and this is the output: 

 

If KDE is slow to start up, have your friend make sure he has the proper entry for the loopback interface in /etc/hosts:

```
127.0.0.1    localhost.localdomain    localhost
```

I seem to recall that forcing KDE to go to a DNS server to do lookups for localhost at startup can cause severe slowdowns.

----------

## imsdunn

 *Quote:*   

> A few reasons computers and the internet are slow:
> 
> The computer has been up for a while, and the cable modem hasn't been rebooted for a while either (sometimes when the ISP updates their server, the cable box tries to update but there are conflicts). Try rebooting everything, because this is the basic problem.

 

Thanks for the input. I was discussing this last night with nadams. I sometimes switch the ethernet cable from this box to my laptop without powering down and resetting the cable modem.

 *Quote:*   

> If KDE is slow to start up, have your friend make sure he has the proper entry for the loopback interface in /etc/hosts:
> 
> ```
> 127.0.0.1    localhost.localdomain    localhost
> ```
> 
> I seem to recall that forcing KDE to go to a DNS server to do lookups for localhost at startup can cause severe slowdowns.
> ...

 

Thanks! I will try looking at this too!

----------

## nadamsieee

imsdunn's machine failed to boot, and he is using fsck (on his Gentoo CD) to check the partitions as I type this. fsck has found several errors thus far. So chalk this one up to a bad hard drive.

Thanks again to everyone who helped!

----------

