From owner-freebsd-security Tue Feb 5 16:48:58 2002 Delivered-To: freebsd-security@freebsd.org Received: from osi-east2.nersc.gov (osi-east2.nersc.gov [128.55.6.20]) by hub.freebsd.org (Postfix) with ESMTP id 4F99C37B422 for ; Tue, 5 Feb 2002 16:48:48 -0800 (PST) Received: from gemini.nersc.gov (gemini.nersc.gov [128.55.16.111]) by osi-east2.nersc.gov (8.9.2/8.9.2) with ESMTP id QAA14163; Tue, 5 Feb 2002 16:48:40 -0800 (PST) Received: from gemini.nersc.gov (localhost [127.0.0.1]) by gemini.nersc.gov (Postfix) with ESMTP id 806533B1AB; Tue, 5 Feb 2002 16:48:40 -0800 (PST) X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4 To: Paulo Fragoso Cc: freebsd-security@FreeBSD.ORG Subject: Re: Auditing In-Reply-To: Message from Paulo Fragoso of "Tue, 05 Feb 2002 22:24:24 -0200." Mime-Version: 1.0 Content-Type: multipart/signed; boundary="==_Exmh_-932282952P"; micalg=pgp-sha1; protocol="application/pgp-signature" Content-Transfer-Encoding: 7bit Date: Tue, 05 Feb 2002 16:48:40 -0800 From: Eli Dart Message-Id: <20020206004840.806533B1AB@gemini.nersc.gov> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --==_Exmh_-932282952P Content-Type: text/plain; charset=us-ascii I don't know all the details involving your particular incident, but at one time there was a bug in PC-Anywhere that caused it to listen on UDP port 22 (they didn't put their port number in network byte order as I remember). I still see scanners looking for UDP port 22 every once in a while (script kiddies looking for poorly configured PC-Anywhere instances). So, this could be unrelated to your incident, and just be some random script kiddie. In general, if you turn on log_in_vain on a box that is directly connected to the Internet, you'll see a lot of random cruft.... --eli In reply to Paulo Fragoso : > Hi, > > We have a client which was using 4.2-RELEASE and telnetd enabled. In that > machine was running an ircd installed and started by a hacker, probaly > exploiting telnetd hole. > > We have instaled 4.5-RELEASE using another HD and log_vain="YES" in the > rc.conf. Some time after that upgrade, someone try to connect in this > machine: > > Connection attempt to UDP mmm.mmm.mmm.mmm:22 from hhh.hhh.hhh.hhh:1384 > > How can we found in the old system all mechanism to enable remotely ircd > or backdoor? Are there any rootkit which it has a backdoor at UDP port 22? > > Paulo. > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message --==_Exmh_-932282952P Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: This is a comment. iD8DBQE8YH1oLTFEeF+CsrMRAhd4AJ9qe+Ih9T8B/h0XLRjX/bTpNDXarwCghMxd KTYAQh0z9P4/vxVRYenWbjk= =rPAA -----END PGP SIGNATURE----- --==_Exmh_-932282952P-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message