From owner-freebsd-security  Tue Feb  5 16:24:59 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mirage.nlink.com.br (mirage.nlink.com.br [200.249.195.3])
	by hub.freebsd.org (Postfix) with SMTP id 6029637B434
	for <freebsd-security@freebsd.org>; Tue,  5 Feb 2002 16:24:54 -0800 (PST)
Received: (qmail 39965 invoked from network); 6 Feb 2002 00:24:50 -0000
Received: from foker.nlink.com.br (200.249.197.10)
  by mirage.nlink.com.br with SMTP; 6 Feb 2002 00:24:50 -0000
Date: Tue, 5 Feb 2002 22:24:24 -0200 (BRST)
From: Paulo Fragoso <paulo@nlink.com.br>
To: <freebsd-security@freebsd.org>
Subject: Auditing
Message-ID: <Pine.BSF.4.33.0202052203530.494-100000@foker.nlink.com.br>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

Hi,

We have a client which was using 4.2-RELEASE and telnetd enabled. In that
machine was running an ircd installed and started by a hacker, probaly
exploiting telnetd hole.

We have instaled 4.5-RELEASE using another HD and log_vain="YES" in the
rc.conf. Some time after that upgrade, someone try to connect in this
machine:

Connection attempt to UDP mmm.mmm.mmm.mmm:22 from hhh.hhh.hhh.hhh:1384

How can we found in the old system all mechanism to enable remotely ircd
or backdoor? Are there any rootkit which it has a backdoor at UDP port 22?

Paulo.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message