John Hasler wrote:
Does nmap claim there is actually something listening on port 21 or is it that the port is simply not "stealthed"? Post the actual nmap output. Some security sites (such as www.grc.com) make the (IMHO bogus) claim that not having all ports "stealthed" is a security risk. Your friend may have seen this and misunderstood.
This is his nmap output. Hope it helps. This is all I got.

#nmap myserver
PORT STATE SERVICE
21/tcp open ftp
22/tcp filtered ssh
80/tcp filtered http
389/tcp filtered ldap
443/tcp filtered https
993/tcp filtered imaps
8080/tcp filtered http-proxy

Rod writes:
So he asked other people and they told him that his machine was hacked. The lsof and netstat were modified. The port 21 was a backdoor placed by the hacker.

That's the thing that bothers me. The people who suggested this to him jumped to the conclusion without asking or doing any verification or maybe a previous experience from others. They just plainly told him that he was "hacked" and that any binary (netstat, lsof, etc.) that may help him had been replaced.

It does not seem plausible that a cracker would install a rootkit that would listen on the standard port. Do you have any reason to believe that these other people know what they are talking about?

Anyway, I just got another lead on his situation. I learned from my seniors, from their past experience, that this may have been a bug in the Cisco IOS version that was between the user and the server. Anyway, thanks for the info and I appreciate everyone's help.
--Rod