From owner-freebsd-security  Mon Mar  5 12: 9: 1 2001
Delivered-To: freebsd-security@freebsd.org
Received: from fw.wintelcom.net (ns1.wintelcom.net [209.1.153.20])
	by hub.freebsd.org (Postfix) with ESMTP id 86BC537B71E
	for <security@FreeBSD.ORG>; Mon,  5 Mar 2001 12:08:51 -0800 (PST)
	(envelope-from bright@fw.wintelcom.net)
Received: (from bright@localhost)
	by fw.wintelcom.net (8.10.0/8.10.0) id f25K8Pe04811;
	Mon, 5 Mar 2001 12:08:25 -0800 (PST)
Date: Mon, 5 Mar 2001 12:08:25 -0800
From: Alfred Perlstein <bright@wintelcom.net>
To: Evren Yurtesen <yurtesen@ispro.net.tr>
Cc: Dag-Erling Smorgrav <des@ofug.org>, dce <dce@squish.org>,
	security@FreeBSD.ORG
Subject: Re: 31337
Message-ID: <20010305120825.W8663@fw.wintelcom.net>
References: <xzp8zmkxboc.fsf@flood.ping.uio.no> <Pine.BSF.4.21.0103052135450.10197-100000@finland.ispro.net.tr>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <Pine.BSF.4.21.0103052135450.10197-100000@finland.ispro.net.tr>; from yurtesen@ispro.net.tr on Mon, Mar 05, 2001 at 09:36:36PM +0200
X-all-your-base: are belong to us.
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

* Evren Yurtesen <yurtesen@ispro.net.tr> [010305 11:30] wrote:
> cant it be a person who has a shell and execute some daemons etc ? like
> ircd?
> 
> why does he need to reinstall his system?

Because if the box is reporting port 31337 as the 'elite' service
it means someone most likely has modified /etc/services which
indicates that they have attained elevated privs somehow.


> 
> Evren
> 
> > dce <dce@squish.org> writes:
> > > I have noticed the following ports open on my FreeBSD 4.2-STABLE machine
> > > 
> > > 31337/tcp  open        Elite
> > > 6667/tcp   open        irc
> > 
> > You're owned. Take your box off the net, take a backup, reinstall from
> > trusted media (preferably original CD-ROMs from BSDI), transfer data
> > (*no* executables, scripts or configuration files!) from backup. And
> > get some security clue; the security(7) man page is a good place to
> > start, though far from complete.
> > 
> > DES
> > -- 
> > Dag-Erling Smorgrav - des@ofug.org
> > 
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
> > 
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-- 
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message