From owner-freebsd-questions Wed Jan 23 8:30:31 2002
Message-ID: <001901c1a42c$fb4c4340$19a8a8c0@mdd>
From: "fla wire"
To: "FreeBSD Questions"
Subject: Backdoors/hacks and others.
Date: Wed, 23 Jan 2002 11:42:42 -0500

Hello,

Portsentry is saying my machine is attacking one of my computers on port 161.

Jan 23 09:22:29 games portsentry[334]: attackalert: Connect from host: 208.62.145.45/208.62.145.45 to UDP port: 161

I did a search on port 161 and it says it's for SNMP. I do not have any SNMP programs running on either machine. This is my NT machine I use to surf, grab emails, etc. No servers running on it either.

This got me paranoid cuz I was hacked with the adorebsd on a FreeBSD machine several months ago. So using NmapNT I scanned each machine. Nothing was found out of the ordinary on the machine that is "attacking" in the above message.

Scanning two FreeBSD machines, NmapNT says that ports 12345, 12346 are open with NetBus. Also that 31337 is open with Elite. I did Google searches and went to several sites and they all said that these are Windows-only hacks. Also that on port 27665 trinoo_master is listed as open.

I have gone to several sites like http://www.fedcirc.gov/ and done what any site has said to determine if there are these things on my systems, but I cannot find them. I could use some help as I am a Unix newbie and sure that I am missing or not looking in the right places. Hopefully just over paranoid.

Mark

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
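
Added example (not part of the original message): a way to see which local process owns each port the scan flagged, by filtering `sockstat -4l` output on the FreeBSD host itself. The sample listing and its PIDs (other than 334 from the log line) are constructed, and it assumes the usual sockstat column layout; portsentry appears as the owner because its basic mode binds the ports it monitors, so a scanner reports them as open.

```shell
#!/bin/sh
# Map scan-flagged ports to the process holding the listening socket.
# A port-number label from a scanner ("NetBus", "Elite") is only a guess
# from a services table; the owning process is what settles it.

FLAGGED_PORTS="161 12345 12346 27665 31337"   # ports named in the message

# Reads sockstat-style lines on stdin and prints "proto port command pid"
# for every listener bound to one of the flagged ports.
owners_of_flagged() {
    awk -v ports="$FLAGGED_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "USER" { next }                      # skip the header row
        NF >= 6 {
            k = split($6, a, ":"); port = a[k]     # LOCAL ADDRESS is addr:port
            if (port in want) print $5, port, $2, $3
        }'
}

# Constructed sample of `sockstat -4l` output (not taken from the poster's host).
sample_sockstat() {
cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       112   3  tcp4   *:22                  *:*
root     portsentry 331   0  tcp4   *:12345               *:*
root     portsentry 331   1  tcp4   *:31337               *:*
root     portsentry 334   0  udp4   *:161                 *:*
root     syslogd    98    4  udp4   *:514                 *:*
EOF
}

# On a real FreeBSD host, run with --live to inspect the actual sockets;
# with no argument the script only defines the functions above.
if [ "${1:-}" = "--live" ]; then
    sockstat -4l | owners_of_flagged
fi
```

A flagged port owned by a process you recognise and installed is expected; a flagged port with an unfamiliar owner, or one a remote scan reports open but that is absent from the local listing, is what deserves a closer look.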