Date: Mon, 5 Mar 2001 12:08:25 -0800
From: Alfred Perlstein
To: Evren Yurtesen
Cc: Dag-Erling Smorgrav, dce, security@FreeBSD.ORG
Subject: Re: 31337
Message-ID: <20010305120825.W8663@fw.wintelcom.net>
In-Reply-To: ; from yurtesen@ispro.net.tr on Mon, Mar 05, 2001 at 09:36:36PM +0200

* Evren Yurtesen [010305 11:30] wrote:
> can't it be a person who has a shell and executes some daemons etc.? like
> ircd?
>
> why does he need to reinstall his system?

Because if the box is reporting port 31337 as the 'elite' service it means
someone most likely has modified /etc/services which indicates that they
have attained elevated privs somehow.

>
> Evren
>
> > dce writes:
> > > I have noticed the following ports open on my FreeBSD 4.2-STABLE machine
> > >
> > > 31337/tcp open Elite
> > > 6667/tcp open irc
> >
> > You're owned. Take your box off the net, take a backup, reinstall from
> > trusted media (preferably original CD-ROMs from BSDI), transfer data
> > (*no* executables, scripts or configuration files!) from backup. And
> > get some security clue; the security(7) man page is a good place to
> > start, though far from complete.
> >
> > DES
> > --
> > Dag-Erling Smorgrav - des@ofug.org

--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message