Thomas Lamy wrote:
And again, as always mentioned on this list: If the machine was attacked and you have finished the forensic analysis, format the harddisk and do a fresh install from CD-ROM. It sure would help if you knew how the attacker came in, and which other machines on your net have also been compromised...
OK, I think I have found the problem (crossing my fingers for an expert verification). It's the firewall-custom rules generating these. I have tried with and without the custom rules, and nmap gave different results.

Without custom rules:

    Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
    Host localhost (127.0.0.1) appears to be up ... good.
    Initiating FIN,NULL, UDP, or Xmas stealth scan against localhost (127.0.0.1)
    The UDP or stealth FIN/NULL/XMAS scan took 7 seconds to scan 1523 ports.
    Interesting ports on localhost (127.0.0.1):
    (The 1511 ports scanned but not shown below are in state: closed)
    Port       State       Service
    22/tcp     open        ssh
    25/tcp     open        smtp
    53/tcp     open        domain
    80/tcp     open        http
    119/tcp    open        nntp
    444/tcp    open        snpp
    515/tcp    open        printer
    888/tcp    open        accessbuilder
    4557/tcp   open        fax
    4559/tcp   open        hylafax
    6000/tcp   open        X11

With custom rules:

    Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
    Host localhost (127.0.0.1) appears to be up ... good.
    Initiating FIN,NULL, UDP, or Xmas stealth scan against localhost (127.0.0.1)
    The UDP or stealth FIN/NULL/XMAS scan took 5 seconds to scan 1523 ports.
    Interesting ports on localhost (127.0.0.1):
    (The 1508 ports scanned but not shown below are in state: closed)
    Port       State       Service
    22/tcp     open        ssh
    25/tcp     open        smtp
    53/tcp     open        domain
    80/tcp     open        http
    119/tcp    open        nntp
    444/tcp    open        snpp
    515/tcp    open        printer
    888/tcp    open        accessbuilder
    4557/tcp   open        fax
    4559/tcp   open        hylafax
    6000/tcp   open        X11
    12345/tcp  open        NetBus
    12346/tcp  open        NetBus
    31337/tcp  open        Elite

--
Togan Muftuoglu
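
An added example, not part of the original post: a small Python script that diffs the open-port tables of two nmap plain-text reports, run here on the port tables from the two scans quoted above. The function names `open_ports` and `scan_diff` are illustrative, and the sample input is retyped from the post.

```python
import re

# Port-table rows in nmap's plain-text output: "<port>/<proto> <state> <service>"
ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*$")

def open_ports(nmap_text):
    """Return {(port, proto): service} for every row whose state is 'open'."""
    found = {}
    for line in nmap_text.splitlines():
        m = ROW.match(line.strip())
        if m and m.group(3) == "open":
            found[(int(m.group(1)), m.group(2))] = m.group(4)
    return found

def scan_diff(before, after):
    """Return (added, removed): sorted (port, proto, service) tuples unique to one scan."""
    a, b = open_ports(before), open_ports(after)
    added = sorted((p, proto, b[(p, proto)]) for (p, proto) in b.keys() - a.keys())
    removed = sorted((p, proto, a[(p, proto)]) for (p, proto) in a.keys() - b.keys())
    return added, removed

# Sample input: the port tables from the two scans in the post above.
WITHOUT_RULES = """\
Port       State       Service
22/tcp     open        ssh
25/tcp     open        smtp
53/tcp     open        domain
80/tcp     open        http
119/tcp    open        nntp
444/tcp    open        snpp
515/tcp    open        printer
888/tcp    open        accessbuilder
4557/tcp   open        fax
4559/tcp   open        hylafax
6000/tcp   open        X11
"""
WITH_RULES = WITHOUT_RULES + """\
12345/tcp  open        NetBus
12346/tcp  open        NetBus
31337/tcp  open        Elite
"""

if __name__ == "__main__":
    added, removed = scan_diff(WITHOUT_RULES, WITH_RULES)
    for port, proto, svc in added:
        print(f"only with custom rules:    {port}/{proto} ({svc})")
    for port, proto, svc in removed:
        print(f"only without custom rules: {port}/{proto} ({svc})")
```

A FIN/NULL/Xmas scan marks a port open when the probe gets no reply, so a filter rule that silently drops packets to a port is reported the same way as a listening service; confirming with a local socket listing separates the two cases.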