I am trying to get info about open/closed ports on a host running Linux.
The host is attacked randomly by hackers changing the content of the page, deleting files, and changing the homepage content.
How can it be stopped?
I scan ports using nmap.
I found it normal to have ports open like 3306 for mysql, 80 for apache, and others like mail server pop3.
The list of open ports is:
21/tcp ftp
22/tcp ssh
53/tcp domain
80/tcp http
110/tcp pop3
143/tcp imap
443/tcp https
587/tcp submission
993/tcp imaps
995/tcp pop3s
3306/tcp mysql
When I use the scan for a firewall-protected network:
# nmap -sA 192.168.1.77
You requested a scan type which requires root privileges.
QUITTING!
What tools should be used rather than nmap to take control over hacking?
Any ideas or concepts on how to stop this nuisance?
Referring to here for using nmap.
The nmap tool will help you to draw a map of the services available from the outside world to your server. As such, it won't help you to protect your server but will tell you where to pay attention. The more open ports you have, the more potential problems you may have.
An open source tool like OpenVAS will certainly be more helpful to you. OpenVAS is a vulnerability scanner that will not only show which ports are open on your server(s) but also try various kinds of well-known attacks on these services and report what it found, with links to official security news explaining what the vulnerability is and how to overcome it.
Running this tool on your server will certainly help you to understand how it is possible that your server is regularly hacked.
To secure the servers I'm responsible for, I follow these guidelines:
A successful attack can be a combination of multiple factors, e.g. a weak password allowing unwanted FTP access, a bad FTP configuration allowing access to the web root, bad permissions on the filesystem allowing writes in the web root.
In your place, I would review all my users' passwords, my FTP setup, my web server setup, the permissions in use, and I would also have a look at the log files to see if I can find a trace of the commands that were run, to try to understand where the weakness really lies. A tool like OpenVAS will help you to figure out what is possible to do on your server that you'd never thought about.
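A starting point for the permission and log review suggested in the answer above, as an added example that is not part of the original answer. The function names `audit_webroot` and `recent_changes` and the web root path passed as an argument are assumptions.

```shell
#!/bin/sh
# Added example: audit a web root for the weak-permission factor described
# above and list recently changed files to correlate with FTP/web logs.
# audit_webroot and recent_changes are hypothetical helper names.

# Print files and directories under $1 that are writable by "other".
# Any account on the box (FTP user, web server user) can alter these.
audit_webroot() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    # -perm -0002 matches entries with the world-writable bit set.
    # Symlinks are skipped: their own mode bits carry no meaning.
    find "$root" \( -type f -o -type d \) -perm -0002 -print 2>/dev/null | sort
}

# Print regular files under $1 modified within the last $2 days (default 2).
# The timestamps tell you which window of the FTP, SSH and Apache logs to read.
recent_changes() {
    root=$1
    days=${2:-2}
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    find "$root" -type f -mtime "-$days" -print 2>/dev/null | sort
}

# Stand-alone use: ./audit.sh <web-root> [days]
if [ "$#" -gt 0 ]; then
    echo "== world-writable entries under $1 =="
    audit_webroot "$1"
    echo "== files modified in the last ${2:-2} day(s) =="
    recent_changes "$1" "${2:-2}"
fi
```

Run it against the directory your Apache configuration serves; every path in the first list is a candidate for tightening with `chmod o-w`.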
To overcome the following message:
So nmap will overcome the fact to have root privileges.
Or use this tutorial to run it as a privileged user: Site.
If you have an active intrusion, scanning with Nmap is not going to get you anywhere. You need to replace the server with a properly-secured one and do forensics on the old one to determine the way the attackers got in. Linode has a decent guide to securing a server here.