Firewall hacked... :(

M. Scholz msperrin at u.washington.edu
Mon Aug 6 19:33:28 PDT 2001


Unfortunately, it would appear that CERT has changed the layout of their
ftp site, so Dave's site no longer points to the correct links.  If it had
been there, I would have followed those steps...

So, here's a complete log of my reasoning, and a couple of questions.
Does anyone know of @home filtering these ports?  Otherwise I have a weird
problem...

Upon further examination of my machine, I think I may have been the victim
of a false positive.  I put a new "self made" checker on my machine, which
gave me some strange results, ran an nmap locally, and got only the
expected ports, didn't trust those results and ran an nmap from an outside
machine and got:
Starting nmap V. 2.30BETA17 by fyodor at insecure.org ( www.insecure.org/nmap/ )
Interesting ports on (x.x.x.x):
Port       State       Service
22/tcp     open        ssh
25/tcp     filtered    smtp
80/tcp     filtered    http
137/tcp    filtered    netbios-ns
138/tcp    filtered    netbios-dgm
139/tcp    filtered    netbios-ssn
443/tcp    filtered    https
445/tcp    filtered    microsoft-ds
1080/tcp   filtered    socks


Note the "Filtered" comments.

Ports 22, 25, 80 and 443 are accounted for.
Needless to say I was concerned, that was when I sent out this morning's
message.

After some diagnostics, I put a new machine in.  I was having some
masquerading trouble in iptables, so I ran another nmap from the foreign
location, and got something similar (no https, http, or smtp because I
hadn't opened them).  So I decided to check something out...

An nmap of my gateway from the local machine gives me:
23/tcp     open        telnet
137/tcp    filtered    netbios-ns
138/tcp    filtered    netbios-dgm
139/tcp    filtered    netbios-ssn
445/tcp    filtered    microsoft-ds
2001/tcp   open        dc

which accounts for everything except socks, telnet and dc.

So, now curious, I run the nmap of the gateway from the outside machine:
Port       State       Service
23/tcp     open        telnet
2001/tcp   open        dc

OK, so now I know about telnet and dc.  What about socks?  A scan of my
subnet neighbor shows this:

137/tcp    filtered    netbios-ns
138/tcp    filtered    netbios-dgm
139/tcp    filtered    netbios-ssn
445/tcp    filtered    microsoft-ds
1080/tcp   filtered    socks

and there's socks again.
So once again, I am forced to believe that, while prudent, my assumption
may have been overzealous.

Any other thoughts?

-Matthew Scholz
			Where does Thinking end,
			    and Feeling ...

On Mon, 6 Aug 2001, Cliff wrote:

> Since I've had to use his page, check out Dave D's page at
> http://www.washington.edu/People/dad/.  It has so much information,
> your head will explode :)
>
> Cliff
>
>
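
The comparison the poster does by hand above (which "filtered" ports on his own host also show up as filtered on the subnet neighbour, and so cannot be his own firewall's doing) can be automated. The following is an added example, not code from the original message; the scan text is constructed from the output quoted above, and the function names are my own.

```python
import re

# Constructed sample input, modelled on the scan output quoted in the
# message: the poster's own host and the subnet neighbour, both scanned
# from the same outside vantage point.
OWN_HOST_SCAN = """Interesting ports on (x.x.x.x):
Port       State       Service
22/tcp     open        ssh
25/tcp     filtered    smtp
80/tcp     filtered    http
137/tcp    filtered    netbios-ns
138/tcp    filtered    netbios-dgm
139/tcp    filtered    netbios-ssn
443/tcp    filtered    https
445/tcp    filtered    microsoft-ds
1080/tcp   filtered    socks
"""
NEIGHBOUR_SCAN = """Port       State       Service
137/tcp    filtered    netbios-ns
138/tcp    filtered    netbios-dgm
139/tcp    filtered    netbios-ssn
445/tcp    filtered    microsoft-ds
1080/tcp   filtered    socks
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|closed|filtered|unfiltered)\s+(\S+)")

def parse_nmap(text):
    """Map (port, proto) -> state from classic nmap list output; banner and
    header lines that do not match the port pattern are skipped."""
    result = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            result[(int(m.group(1)), m.group(2))] = m.group(3)
    return result

def split_filtered(own, neighbours):
    """Return (shared, own_only): filtered ports on the own host that every
    neighbour scan also reports as filtered, versus those no neighbour
    shares.  Shared ports point at filtering upstream of the host (e.g. the
    ISP); own-only ports point at the host's own firewall rules."""
    own_filtered = {p for p, s in own.items() if s == "filtered"}
    shared = {p for p in own_filtered
              if all(n.get(p) == "filtered" for n in neighbours)}
    return shared, own_filtered - shared

if __name__ == "__main__":
    shared, own_only = split_filtered(parse_nmap(OWN_HOST_SCAN),
                                      [parse_nmap(NEIGHBOUR_SCAN)])
    print("filtered upstream (shared with neighbour):", sorted(p for p, _ in shared))
    print("filtered by this host only:", sorted(p for p, _ in own_only))
```

With the scans from the message, the netbios ports and 1080 come out as shared with the neighbour, while 25, 80 and 443 are attributed to the host's own firewall, which is the conclusion the poster reached by eye.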
