Date:      Tue, 05 Feb 2002 16:48:40 -0800
From:      Eli Dart <dart@nersc.gov>
To:        Paulo Fragoso <paulo@nlink.com.br>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: Auditing 
Message-ID:  <20020206004840.806533B1AB@gemini.nersc.gov>
In-Reply-To: Message from Paulo Fragoso <paulo@nlink.com.br>  of "Tue, 05 Feb 2002 22:24:24 -0200." <Pine.BSF.4.33.0202052203530.494-100000@foker.nlink.com.br> 

I don't know all the details involving your particular incident, but 
at one time there was a bug in PC-Anywhere that caused it to listen 
on UDP port 22 (they didn't put their port number in network byte 
order as I remember).

I still see scanners looking for UDP port 22 every once in a while 
(script kiddies looking for poorly configured PC-Anywhere instances).

So, this could be unrelated to your incident, and just be some random 
script kiddie.  In general, if you turn on log_in_vain on a box that 
is directly connected to the Internet, you'll see a lot of random 
cruft....

		--eli

In reply to Paulo Fragoso <paulo@nlink.com.br> :

> Hi,
> 
> We have a client which was using 4.2-RELEASE with telnetd enabled. On that
> machine an ircd was running, installed and started by a hacker, probably
> exploiting the telnetd hole.
> 
> We have installed 4.5-RELEASE using another HD and log_vain="YES" in the
> rc.conf. Some time after that upgrade, someone tried to connect to this
> machine:
> 
> Connection attempt to UDP mmm.mmm.mmm.mmm:22 from hhh.hhh.hhh.hhh:1384
> 
> How can we find on the old system all the mechanisms used to enable the ircd
> or backdoor remotely? Are there any rootkits which have a backdoor on UDP port 22?
> 
> Paulo.
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message




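The log_in_vain line quoted in the thread, triaged with a small parser. This is an added example, not code from the thread or from FreeBSD: the regular expression assumes the kernel message format shown in Paulo's message ("Connection attempt to UDP a.b.c.d:22 from w.x.y.z:1384"), with an optional trailing "flags:0x.." field that TCP attempts carry on some releases (an assumption), and all sample syslog lines are constructed. It groups attempts per source and separates a source that only touched UDP/22 (consistent with the PC-Anywhere scanning Eli describes) from a source probing several ports.

```python
"""Triage FreeBSD log_in_vain kernel messages.

Added example, not from the mailing-list thread and not FreeBSD code.
Assumes the syslog'd kernel line format quoted in the thread:
  Connection attempt to UDP 192.0.2.10:22 from 198.51.100.7:1384
TCP attempts may carry a trailing "flags:0x.." field on some releases;
the regex tolerates it (assumption). Sample lines below are constructed.
"""
import re
from collections import Counter, defaultdict

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
LOG_IN_VAIN = re.compile(
    r"Connection attempt to (?P<proto>TCP|UDP) "
    rf"(?P<dst>{IPV4}):(?P<dport>\d+) "
    rf"from (?P<src>{IPV4}):(?P<sport>\d+)"
    r"(?: flags:(?P<flags>0x[0-9a-fA-F]+))?"
)

# Constructed sample syslog lines (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
Feb  5 22:03:11 foker /kernel: Connection attempt to UDP 192.0.2.10:22 from 198.51.100.7:1384
Feb  5 22:03:12 foker /kernel: Connection attempt to UDP 192.0.2.10:22 from 198.51.100.7:1385
Feb  5 22:04:40 foker /kernel: Connection attempt to TCP 192.0.2.10:111 from 203.0.113.9:4021 flags:0x02
Feb  5 22:05:02 foker /kernel: Connection attempt to UDP 192.0.2.10:137 from 203.0.113.9:137
Feb  5 22:06:15 foker sshd[412]: Accepted publickey for paulo from 192.0.2.20 port 50022 ssh2
Feb  5 22:07:33 foker /kernel: Connection attempt to UDP 192.0.2.10:22 from 203.0.113.44:1384
"""


def parse(line):
    """Return a dict for a log_in_vain line, or None for any other syslog line."""
    m = LOG_IN_VAIN.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["dport"] = int(d["dport"])
    d["sport"] = int(d["sport"])
    return d


def summarize(text):
    """Parse a log and count attempts keyed by (source, proto, destination port)."""
    events = [e for e in (parse(l) for l in text.splitlines()) if e]
    by_src = Counter((e["src"], e["proto"], e["dport"]) for e in events)
    return events, by_src


def ports_per_source(events):
    """Map each source to the distinct (proto, dport) pairs it touched.

    A source that touched exactly one pair looks like a targeted probe;
    several pairs from one source look like a general scan.
    """
    seen = defaultdict(set)
    for e in events:
        seen[e["src"]].add((e["proto"], e["dport"]))
    return {src: sorted(pairs) for src, pairs in seen.items()}


def udp22_sources(events):
    """Sources that probed UDP/22: the signature of the PC-Anywhere
    port-order bug scanning mentioned in the thread. It is evidence of
    a scanner, not of a backdoor on the host."""
    return sorted({e["src"] for e in events
                   if e["proto"] == "UDP" and e["dport"] == 22})


if __name__ == "__main__":
    events, by_src = summarize(SAMPLE_LOG)
    for (src, proto, port), n in sorted(by_src.items()):
        print(f"{src:>15} {proto}/{port:<5} {n} attempt(s)")
    print("UDP/22 probers:", udp22_sources(events))
    for src, pairs in sorted(ports_per_source(events).items()):
        print(f"{src:>15} touched {len(pairs)} proto/port pair(s): {pairs}")
```

Run it against /var/log/messages instead of SAMPLE_LOG to see which sources are hammering a single port and which are sweeping; the non-kernel sshd line in the sample shows the parser ignoring unrelated syslog entries rather than mis-reading them.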