[kwlug-disc] Mysterious filtered ports on a server

Paul Nijjar paul_nijjar at yahoo.ca
Tue Oct 25 23:56:30 EDT 2016


I am worried that a Debian server I administrate may be hacked. When I
run the following command from a different machine: 

nmap -A -v <host> 

I see the following as part of the output: 

6667/tcp filtered irc
6668/tcp filtered irc
6669/tcp filtered irc

but I do not see an IRC package installed on the server. More
worryingly, running the following command on the server: 

netstat -anp 

does not show me anything listening on any of the above ports.
Similarly rkhunter does not think that there is anything listening on
these ports. 

I installed the debsums package and that seemed to come back clean for
the net-tools package (which contains netstat). Of course, if the
server is compromised then I can't actually trust the server binaries
or any binaries I install, but it is not so easy to boot the server
from clean media either. 

Worryingly, port 111 (rpcmapper) is wide open on this server. I do not
even know how to block outside network traffic to that port. I do not
think that anything ought to talk to it. 

How can I find out what is causing the open ports 6667-6669 on my
server?

How can I monitor the server to see whether anything tries to connect
over these bad ports? 

In the worst case we have to wipe everything clean and start fresh,
but that is going to suck mightily, and I want to know what happened
first. 

-- 
http://pnijjar.freeshell.org
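An added example for this question, not code from the poster: one practical first check is to enumerate listening sockets by reading /proc/net/tcp and /proc/net/tcp6 directly, which sidesteps the netstat binary the post says it cannot fully trust (the kernel's view could still be subverted by a rootkit, but it is an independent data point). Note that nmap reports a port as "filtered" when its probes get no reply at all, which is what a firewall DROP rule produces, so a filtered port does not by itself imply a listener. The script below parses the kernel's hex socket table, lists LISTEN-state sockets, flags the ports named in the post (111 and 6667-6669), and maps a socket inode back to a PID by scanning /proc/*/fd. The sample table embedded in it is constructed for illustration; the little-endian address layout assumed in the decoder matches x86 hosts.

```python
#!/usr/bin/env python3
"""List listening TCP sockets from /proc/net/tcp{,6} without using netstat.

Added example for the kwlug-disc thread; not the poster's code. Assumes a
Linux /proc filesystem and a little-endian (x86) host, as on most Debian
servers. SUSPECT_PORTS are the ports mentioned in the post.
"""
import os
import socket
import struct
from typing import Iterable, List, Optional, Tuple

LISTEN = "0A"                              # kernel TCP state code for LISTEN
SUSPECT_PORTS = {111, 6667, 6668, 6669}    # ports named in the post

Listener = Tuple[str, int, int]            # (ip, port, socket inode)


def decode_addr(hex_addr: str) -> Tuple[str, int]:
    """Turn the kernel's 'HEXIP:HEXPORT' field into ('ip', port)."""
    ip_hex, port_hex = hex_addr.split(":")
    port = int(port_hex, 16)
    raw = bytes.fromhex(ip_hex)
    if len(raw) == 4:
        # IPv4 is one 32-bit word in host (little-endian) order: reverse it.
        ip = socket.inet_ntop(socket.AF_INET, raw[::-1])
    else:
        # IPv6 is four 32-bit words, each in host (little-endian) order.
        words = struct.unpack("<4I", raw)
        ip = socket.inet_ntop(socket.AF_INET6, struct.pack(">4I", *words))
    return ip, port


def parse_proc_net_tcp(lines: Iterable[str]) -> List[Listener]:
    """Return (ip, port, inode) for every socket in LISTEN state."""
    listeners: List[Listener] = []
    for line in lines:
        fields = line.split()
        if len(fields) < 10 or fields[0] == "sl":
            continue                        # header row or truncated line
        if fields[3] != LISTEN:
            continue                        # established, time-wait, etc.
        ip, port = decode_addr(fields[1])   # local_address column
        listeners.append((ip, port, int(fields[9])))  # inode column
    return listeners


def read_listeners(paths=("/proc/net/tcp", "/proc/net/tcp6")) -> List[Listener]:
    """Read the live kernel socket tables (IPv4 and IPv6)."""
    result: List[Listener] = []
    for path in paths:
        try:
            with open(path) as fh:
                result.extend(parse_proc_net_tcp(fh))
        except FileNotFoundError:
            pass                            # e.g. IPv6 disabled
    return result


def suspect_listeners(listeners: Iterable[Listener],
                      suspect=SUSPECT_PORTS) -> List[Listener]:
    """Keep only listeners bound to the ports under suspicion."""
    return [entry for entry in listeners if entry[1] in suspect]


def pid_for_inode(inode: int, proc: str = "/proc") -> Optional[int]:
    """Find the PID holding a socket inode (needs root to see all processes)."""
    target = f"socket:[{inode}]"
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    return int(pid)
        except OSError:
            continue                        # process exited or not ours
    return None


# Constructed sample tables (not captured from the poster's server):
# 0x006F = 111 listening on 0.0.0.0, 0x0277 = 631 on 127.0.0.1, one
# established connection, and 0x1A0B = 6667 listening on ::1 over IPv6.
SAMPLE_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0A00020F:D4B2 5D8D0A2B:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_TCP6 = """  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000001000000:1A0B 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1 0000000000000000 100 0 0 10 0
"""

if __name__ == "__main__":
    for ip, port, inode in read_listeners():
        flag = "  <-- SUSPECT" if port in SUSPECT_PORTS else ""
        print(f"{ip}:{port} inode={inode} pid={pid_for_inode(inode)}{flag}")
```

If this shows nothing bound to 6667-6669, the "filtered" verdict is most likely a firewall rule on the server or on something in the path, which `iptables -S` on the server will reveal. For the monitoring question, a LOG rule such as `iptables -A INPUT -p tcp -m multiport --dports 111,6667:6669 -j LOG --log-prefix "suspect-port: "` (placed before any DROP rule for those ports) writes each connection attempt to the kernel log, where it can be watched with `journalctl -k` or in /var/log/kern.log.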
