From owner-freebsd-security Mon Mar 5 12:14: 1 2001
Delivered-To: freebsd-security@freebsd.org
Received: from faith.cs.utah.edu (faith.cs.utah.edu [155.99.198.108])
	by hub.freebsd.org (Postfix) with ESMTP id 8102D37B71A
	for ; Mon, 5 Mar 2001 12:13:58 -0800 (PST)
	(envelope-from danderse@cs.utah.edu)
Received: (from danderse@localhost)
	by faith.cs.utah.edu (8.9.3/8.9.3) id NAA11367;
	Mon, 5 Mar 2001 13:12:25 -0700 (MST)
Message-Id: <200103052012.NAA11367@faith.cs.utah.edu>
Subject: Re: 31337
To: bright@wintelcom.net (Alfred Perlstein)
Date: Mon, 5 Mar 2001 13:12:25 -0700 (MST)
Cc: yurtesen@ispro.net.tr (Evren Yurtesen), des@ofug.org (Dag-Erling Smorgrav),
	dce@squish.org (dce), security@FreeBSD.ORG
In-Reply-To: <20010305120825.W8663@fw.wintelcom.net> from "Alfred Perlstein" at Mar 05, 2001 12:08:25 PM
From: "David G. Andersen"
X-Mailer: ELM [version 2.5 PL2]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

That's not correct.  Nmap has the "Elite" service name built in to its
nmap-services file.  Mostly because of the obvious 5kr1p7 k11d13 name
mapping.  His /etc/services is probably just fine.

  -Dave

Lo and behold, Alfred Perlstein once said:
>
> * Evren Yurtesen [010305 11:30] wrote:
> > can't it be a person who has a shell and executes some daemons etc.? like
> > ircd?
> >
> > why does he need to reinstall his system?
>
> Because if the box is reporting port 31337 as the 'elite' service
> it means someone most likely has modified /etc/services which
> indicates that they have attained elevated privs somehow.
>
> >
> >
> > Evren
> >
> > > dce writes:
> > > > I have noticed the following ports open on my FreeBSD 4.2-STABLE machine
> > > >
> > > > 31337/tcp  open  Elite
> > > > 6667/tcp   open  irc
> > >
> > > You're owned. Take your box off the net, take a backup, reinstall from
> > > trusted media (preferably original CD-ROMs from BSDI), transfer data
> > > (*no* executables, scripts or configuration files!) from backup. And
> > > get some security clue; the security(7) man page is a good place to
> > > start, though far from complete.
> > >
> > > DES
> > > --
> > > Dag-Erling Smorgrav - des@ofug.org
> > >
> > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > with "unsubscribe freebsd-security" in the body of the message
> > >
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
>
> --
> -Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

--
work: dga@lcs.mit.edu                      me: dga@pobox.com
      MIT Laboratory for Computer Science      http://www.angio.net/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
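
The distinction drawn in this message, between a name taken from the scanner's own nmap-services table and a name taken from the scanned host's /etc/services, can be checked mechanically. The following is an added example, not part of the original thread or of Nmap; both file excerpts are constructed, and `parse_services` and `label_origin` are hypothetical helper names.

```python
import re

# Constructed excerpts, not copied from any real system.
NMAP_SERVICES = """\
# scanner-side table: name  port/proto  open-frequency
irc     6667/tcp    0.000502
Elite   31337/tcp   0.000050   # frequency value is constructed
"""
HOST_SERVICES = """\
# /etc/services on the scanned host (constructed, unmodified)
ssh     22/tcp
ircd    6667/tcp    irc        # Internet Relay Chat
"""

def parse_services(text):
    """Map (port, proto) -> set of lowercase names for either file format."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()      # drop comments and blanks
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, _, proto = fields[1].partition("/")
        if not port.isdigit():
            continue
        names = {fields[0].lower()}
        # /etc/services lists aliases after port/proto; nmap-services puts a
        # numeric frequency there, which must not be read as a name.
        names.update(f.lower() for f in fields[2:]
                     if not re.fullmatch(r"[\d.]+", f))
        table.setdefault((int(port), proto.lower()), set()).update(names)
    return table

def label_origin(label, port, proto, scanner_text, host_text):
    """Report which table can account for a service label in a scan report."""
    key, want = (port, proto.lower()), label.lower()
    if want in parse_services(host_text).get(key, set()):
        return "host-file"            # the host's own file carries this name
    if want in parse_services(scanner_text).get(key, set()):
        return "scanner-table-only"   # name explained by the scanner alone
    return "unexplained"

if __name__ == "__main__":
    for label, port in (("Elite", 31337), ("irc", 6667)):
        print(port, label, label_origin(label, port, "tcp",
                                        NMAP_SERVICES, HOST_SERVICES))
```

The result only accounts for the name shown in the report; which process is listening on the port is a separate question.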