I've started a security audit on my server, and with a simple nmap scan I discovered the situation below:
Starting Nmap 5.21 ( http://nmap.org ) at 2012-10-31 17:14 CET
Nmap scan report for ********* (*********)
Host is up (0.021s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
80/tcp open http
999/tcp open garcon
6129/tcp filtered unknown
Port 80 is for HTTP and 999 is a custom port for the OpenSSH daemon. But what is the filtered port 6129? Thanks to Google I discovered that this port is usually used by DameWare, remote administration software that I haven't installed.
I've checked the active connections with a simple "netstat -a":
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:999 *:* LISTEN
tcp 0 0 localhost.localdom:9000 *:* LISTEN
tcp 0 0 localhost.localdo:mysql *:* LISTEN
tcp 0 0 *:www *:* LISTEN
tcp 0 224 *******:999 ************:58761 ESTABLISHED
tcp6 0 0 [::]:999 [::]:* LISTEN
tcp6 0 0 [::]:www [::]:* LISTEN
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 4 [ ] DGRAM 171764732 /dev/log
unix 2 [ ACC ] STREAM LISTENING 171765031 /var/run/mysqld/mysqld.sock
unix 3 [ ] STREAM CONNECTED 208767580
unix 3 [ ] STREAM CONNECTED 208767579
unix 2 [ ] DGRAM 208767578
unix 3 [ ] STREAM CONNECTED 171765176
unix 3 [ ] STREAM CONNECTED 171765175
unix 3 [ ] STREAM CONNECTED 171765170
unix 3 [ ] STREAM CONNECTED 171765169
unix 3 [ ] STREAM CONNECTED 171765166
unix 3 [ ] STREAM CONNECTED 171765165
unix 3 [ ] STREAM CONNECTED 171765163
unix 3 [ ] STREAM CONNECTED 171765162
unix 2 [ ] DGRAM 171764989
unix 3 [ ] STREAM CONNECTED 171764716
unix 3 [ ] STREAM CONNECTED 171764715
Everything seems ok. I installed this server only a few days ago and I'm very paranoid about security: only 2 available daemons from remote (HTTP & OpenSSH), custom SSH port with root login disabled, hardened webapp, iptables that drop all traffic except to 80 and 999, and many more… Is it possible that I've been hacked?
Many thanks for your help
Best Answer
It's probably your ISP filtering outbound traffic on that port (who knows why? only they do). You are very unlikely to see it if you scan from somewhere else. If you do see it when scanning from another location (and a different ISP) then it's probably being filtered by the ISP of the server.
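As an added example (not part of the question or the answer above), the following Python script cross-checks the two outputs quoted in the question: it parses the nmap port table and the `netstat -a` socket table, then flags every scanned port as expected (open and backed by a listener bound to a non-loopback address), unexplained (open from outside but with no socket in the kernel table) or filtered with no listener, which is the case for 6129 here and is consistent with a firewall somewhere in the path rather than a running service. The sample strings are the question's own output; the small service-name table that maps netstat's `www`/`mysql` names back to port numbers is an assumption of this script, not something either tool provides.

```python
import re

# Constructed sample input: the nmap report quoted in the question.
NMAP_OUTPUT = """\
Starting Nmap 5.21 ( http://nmap.org ) at 2012-10-31 17:14 CET
Nmap scan report for ********* (*********)
Host is up (0.021s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
80/tcp open http
999/tcp open garcon
6129/tcp filtered unknown
"""

# Constructed sample input: the TCP part of the netstat -a output from the question.
NETSTAT_OUTPUT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:999 *:* LISTEN
tcp 0 0 localhost.localdom:9000 *:* LISTEN
tcp 0 0 localhost.localdo:mysql *:* LISTEN
tcp 0 0 *:www *:* LISTEN
tcp 0 224 *******:999 ************:58761 ESTABLISHED
tcp6 0 0 [::]:999 [::]:* LISTEN
tcp6 0 0 [::]:www [::]:* LISTEN
Active UNIX domain sockets (servers and established)
unix 2 [ ACC ] STREAM LISTENING 171765031 /var/run/mysqld/mysqld.sock
"""

# netstat prints well-known ports by their /etc/services name. This table is an
# assumption of this script; it only needs to cover the names in the sample.
SERVICE_NAMES = {"www": 80, "http": 80, "ssh": 22, "mysql": 3306}

# Local-address forms that mean "bound on every interface", i.e. reachable from outside.
WILDCARDS = {"*", "0.0.0.0", "[::]", "::"}


def parse_nmap(text):
    """Return {port: state} for every 'PORT/proto STATE SERVICE' line of an nmap report."""
    states = {}
    for line in text.splitlines():
        m = re.match(r"^(\d+)/(?:tcp|udp)\s+(\S+)", line)
        if m:
            states[int(m.group(1))] = m.group(2)
    return states


def _port_number(token):
    """Map a netstat port column ('999' or 'www') to an integer, or None if unknown."""
    return int(token) if token.isdigit() else SERVICE_NAMES.get(token)


def parse_netstat_listeners(text):
    """Return {port: set(local addresses)} for TCP/TCP6 sockets in LISTEN state."""
    listeners = {}
    for line in text.splitlines():
        fields = line.split()
        # Only 'tcp ... LISTEN' rows describe a service accepting connections.
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)   # '[::]:999' -> '[::]', '999'
        number = _port_number(port)
        if number is not None:
            listeners.setdefault(number, set()).add(addr)
    return listeners


def is_loopback(addr):
    """netstat may truncate 'localhost.localdomain', so match on the prefix."""
    return addr.startswith(("localhost", "127.", "[::1]"))


def loopback_only_listeners(netstat_text):
    """Ports that are listening but bound only to loopback (not exposed to the network)."""
    listeners = parse_netstat_listeners(netstat_text)
    return sorted(p for p, addrs in listeners.items() if all(is_loopback(a) for a in addrs))


def assess(nmap_text, netstat_text):
    """Cross-reference the external scan with the local socket table, one verdict per port."""
    states = parse_nmap(nmap_text)
    listeners = parse_netstat_listeners(netstat_text)
    verdicts = {}
    for port, state in states.items():
        bound = listeners.get(port, set())
        exposed = any(a in WILDCARDS or not is_loopback(a) for a in bound)
        if state == "open" and exposed:
            verdicts[port] = "expected"               # scan result matches a known listener
        elif state == "open":
            verdicts[port] = "unexplained-open"        # accepts from outside, no socket visible locally
        elif state == "filtered":
            # 'filtered' means the probe got no answer or an ICMP error: a firewall on the
            # host or upstream dropped it. Without a listener there is nothing to talk to.
            verdicts[port] = "filtered-no-listener" if not bound else "filtered-with-listener"
        else:
            verdicts[port] = state
    return verdicts


if __name__ == "__main__":
    for port, verdict in sorted(assess(NMAP_OUTPUT, NETSTAT_OUTPUT).items()):
        print(f"{port:>5}/tcp  {verdict}")
    print("loopback-only listeners:", loopback_only_listeners(NETSTAT_OUTPUT))
```

Run on the sample it reports 80 and 999 as expected, 6129 as filtered with no listener, and 3306/9000 as loopback-only, which is the picture the answer describes. A verdict of `unexplained-open` would be the one worth chasing: a port accepting connections that the socket table does not account for. The check is only as trustworthy as the host's own `netstat`, so the answer's suggestion to repeat the scan from a second network remains the decisive test for a `filtered` result.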