From owner-freebsd-security Sun Sep 23 9:30:17 2001 Delivered-To: freebsd-security@freebsd.org Received: from poontang.schulte.org (poontang.schulte.org [209.134.156.197]) by hub.freebsd.org (Postfix) with ESMTP id 74C2B37B419 for ; Sun, 23 Sep 2001 09:30:14 -0700 (PDT) Received: from tarmap.schulte.org (tarmap.schulte.org [209.134.156.198]) by poontang.schulte.org (Postfix) with ESMTP id 437F9D15BB; Sun, 23 Sep 2001 11:30:13 -0500 (CDT) Message-Id: <5.1.0.14.0.20010923112848.0237d488@pop.schulte.org> X-Sender: schulte@pop.schulte.org X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Sun, 23 Sep 2001 11:30:12 -0500 To: Pat Wendorf , security@freebsd.org From: Christopher Schulte Subject: Re: Identify this exploit In-Reply-To: <3BAE0D83.41ACBF7B@unios.dhs.org> Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1"; format=flowed Content-Transfer-Encoding: quoted-printable Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 12:27 PM 9/23/2001 -0400, Pat Wendorf wrote: >I notice I get nearly 100 messages a day from my LOG_IN_VAIN rc.conf >option. Many of which, for the past few months has been connection >attempts to TCP port 2000, as seen here: > > > Connection attempt to TCP 209.226.99.101:2000 from 216.104.103.95:1169 > >I'm not much up on my exploits, which one is this? Could be trying to exploit a wind0wz trojan exploit: from http://www.sans.org/newlook/resources/IDFAQ/oddports.htm port 2000 Der Sp=E4her / Der Spaeher, Insane Network >-- > >Pat Wendorf -- Christopher Schulte christopher@schulte.org http://noc.schulte.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message