Date: Wed, 25 Jul 2001 14:44:52 +0300
From: Peter Pentchev
To: jett
Cc: freebsd-bugs
Subject: Re: broken into via ssh?
Message-ID: <20010725144452.A84551@ringworld.oblivion.bg>
In-Reply-To: <013401c114b2$20c37860$4b443dca@jett>; from tayerv@team.ph.inter.net on Wed, Jul 25, 2001 at 10:33:01AM +0800

On Wed, Jul 25, 2001 at 10:33:01AM +0800, jett wrote:
> im running freebsd 3.5-stable
> when i did netstat -an | grep LISTEN
>
> here's the result
>
> bash-2.04$ netstat -an | grep LISTEN
> tcp 0 0 *.80 *.* LISTEN
> tcp 0 0 *.443 *.* LISTEN
> tcp 0 0 *.31341 *.* LISTEN
> tcp 0 0 *.22 *.* LISTEN
>
> noticed the 31341 port that is listening
> then i did
>
> bash-2.04$ telnet localhost 31341
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> SSH-1.5-1.2.27
>
> then on port 22
> bash-2.04$ telnet localhost 22
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> SSH-1.5-OpenSSH_2.9p2
>
> i was surprised that i was running two different versions of ssh. was my server broken into?

As Bill Fumerola said, almost certainly.

To answer the question in your other message, no, there have been
no recent SSH (or in particular, OpenSSH) buglets uncovered.
There has been a problem with ssh.com's SSH 3.0.0, but it definitely
does not apply to OpenSSH.

From looking at your services list it would seem that either httpd
by itself, or some script you have on your website was used to break in.

G'luck,
Peter

-- 
This sentence contains exactly threee erors.
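
The check jett did by hand in the quoted message (spot a listener nobody configured, then read its SSH banner) can be scripted. The following is an added example, not part of the original message or of any FreeBSD tool; `EXPECTED_PORTS`, the function names and the installed-version argument are assumptions, and the sample input is constructed from the listing quoted above.

```shell
#!/bin/sh
# Added example: flag listening TCP ports that are not on an allowlist and
# classify SSH identification strings against the sshd you installed.
# EXPECTED_PORTS is an assumption: list only services you deliberately run.
EXPECTED_PORTS="22 80 443"

# Constructed sample input, copied from the netstat listing in the message.
sample_netstat() {
    cat <<'EOF'
tcp 0 0 *.80 *.* LISTEN
tcp 0 0 *.443 *.* LISTEN
tcp 0 0 *.31341 *.* LISTEN
tcp 0 0 *.22 *.* LISTEN
EOF
}

# Read `netstat -an` output on stdin; print each unexpected listening port once.
# Handles BSD-style "*.31341" and Linux-style "0.0.0.0:31341" local addresses.
unexpected_listeners() {
    awk -v allow="$EXPECTED_PORTS" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            port = $4
            sub(/^.*[.:]/, "", port)   # keep only what follows the last "." or ":"
            if (!(port in ok) && !(port in seen)) { seen[port] = 1; print port }
        }'
}

# Classify a banner of the form "SSH-protoversion-softwareversion".
# $1 = banner read from the port, $2 = software version you installed.
check_ssh_banner() {
    case "$1" in
        SSH-*-"$2"*) echo expected ;;
        SSH-*)       echo unknown-sshd ;;
        *)           echo not-ssh ;;
    esac
}

# Demo on the constructed sample; on a live host use: netstat -an | unexpected_listeners
sample_netstat | unexpected_listeners
check_ssh_banner "SSH-1.5-1.2.27" "OpenSSH_2.9p2"
```

On a host that may already be compromised, `netstat` itself can have been replaced, so compare the result with a scan run from another machine.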