From owner-freebsd-security Mon May 15 20:36:47 2000
Delivered-To: freebsd-security@freebsd.org
Received: from closed-networks.com (closed-networks.com [195.153.248.242]) by hub.freebsd.org (Postfix) with SMTP id 4AE7C37B9F3 for ; Mon, 15 May 2000 20:36:40 -0700 (PDT) (envelope-from udp@closed-networks.com)
Received: (qmail 3622 invoked by uid 1021); 16 May 2000 03:40:52 -0000
Mail-Followup-To: freebsd-security@freebsd.org, dann@greycat.com
Date: Tue, 16 May 2000 04:40:52 +0100
From: User Datagram Protocol
To: Dann Lunsford
Cc: freebsd-security@freebsd.org
Subject: Re: UDP port 27910 being tried
Message-ID: <20000516044052.B2139@closed-networks.com>
Reply-To: User Datagram Protocol
References: <20000515200959.A474@greycat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0.1i
In-Reply-To: <20000515200959.A474@greycat.com>; from dann@greycat.com on Mon, May 15, 2000 at 08:10:00PM -0700
X-Echelon: MI6 Cobra GCHQ Panavia MI5 Timberline IRA NSA Mossad CIA Copperhead
Organization: Closed Networks Limited, London, UK
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Dann,

On Mon, May 15, 2000 at 08:10:00PM -0700, Dann Lunsford wrote:
> Over the past couple of days, I've noted many instances of attempted connections
> to UDP port 27910 on my 4-STABLE box. I haven't been able to find a reference
> to this port on the Usual Places(tm), so this *might* be something new. Has
> anyone out there seen anything of this?

udp port 27910 is the port for the Quake 2 game server. It's possible that people have mistaken your box for a Quake 2 server. It's also possible that they're trying to execute arbitrary commands on your box. Read http://www.insecure.org/sploits/quake.backdoor.html for more details. Mark Zielinski of RSI/repsec reported this one.

Naturally, if you're running the server in a sandbox (e.g. plain chroot w/setuid or even as far as jail) then the damage would be greatly limited in the event of this compromise occurring.

> ID software blatantly put a backdoor in Quake 1/2 and QuakeWorld including both the Linux/Solaris Quake2. RCON commands sent from the subnet 192.246.40.0/24 and containing the password "tms" are automatically executed on the server without being logged.

So, filtering 192.246.40.0/24 port 27910 is probably also an option. udp spoofing is trivial. I can't believe Id did this.

Regards
-- 
Bruce M. Simpson aka 'udp'
Security Analyst & UNIX Development Engineer
WWW: www.closed-networks.com/~udp      Dundee
     www.packetfactory.net/~udp        United Kingdom
email: udp@closed-networks.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
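The mail above gives the ingredients of a detection rule without spelling one out: traffic to udp/27910 from 192.246.40.0/24, and rcon packets carrying the password "tms". The following is an added example, not part of the original mail or of Quake 2's own code, that runs both checks over a handful of constructed UDP datagrams. It assumes the Quake 2 connectionless-packet layout of four 0xFF bytes followed by a text command of the form "rcon <password> <command>"; the sample addresses, payloads and the `Datagram` helper are constructed for illustration. Because the poster's point is that UDP source addresses are trivially spoofed, the payload check runs regardless of the claimed source, so a spoofed packet from the id subnet and a "tms" probe from anywhere else are both caught, while an administrator's own rcon with a different password is not flagged.

```python
"""Flag Quake 2 datagrams matching the backdoor pattern described on freebsd-security.

Added example (not from the original mail). Assumes Quake 2's connectionless
packet format: four 0xFF bytes, then a text command such as
'rcon <password> <command>'. All sample traffic below is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

QUAKE2_PORT = 27910                                # Quake 2 server port named in the mail
ID_NET = ipaddress.ip_network("192.246.40.0/24")   # subnet named in the mail
BACKDOOR_PASSWORD = "tms"                          # password named in the mail
OOB_HEADER = b"\xff\xff\xff\xff"                   # assumed connectionless-packet marker

REASON_SRC = "source in 192.246.40.0/24 to udp/27910"
REASON_PASS = "rcon carrying the backdoor password 'tms'"


@dataclass(frozen=True)
class Datagram:
    """Minimal view of a UDP datagram (constructed helper, not a pcap type)."""
    src: str        # source IPv4 address as text
    dst_port: int   # UDP destination port
    payload: bytes  # UDP payload


def parse_rcon(payload: bytes) -> Optional[Tuple[str, str]]:
    """Return (password, command) for an 'rcon' packet, else None."""
    if not payload.startswith(OOB_HEADER):
        return None
    # Command text runs to the first NUL (if any); Quake strings are 8-bit.
    text = payload[len(OOB_HEADER):].split(b"\x00", 1)[0].decode("latin-1")
    parts = text.strip().split(" ", 2)
    if len(parts) < 2 or parts[0] != "rcon":
        return None
    command = parts[2] if len(parts) == 3 else ""
    return parts[1], command


def classify(dg: Datagram) -> List[str]:
    """Reasons the datagram matches the pattern in the mail (empty if none)."""
    reasons: List[str] = []
    if dg.dst_port != QUAKE2_PORT:
        return reasons
    # Source check: the host-side equivalent of filtering 192.246.40.0/24 -> udp/27910.
    if ipaddress.ip_address(dg.src) in ID_NET:
        reasons.append(REASON_SRC)
    # Payload check: UDP sources are trivially spoofed, so inspect the content
    # no matter where the packet claims to come from.
    rcon = parse_rcon(dg.payload)
    if rcon is not None and rcon[0] == BACKDOOR_PASSWORD:
        reasons.append(REASON_PASS)
    return reasons


def scan(datagrams) -> List[Tuple[str, str, List[str]]]:
    """Return (src, rcon command, reasons) for every flagged datagram."""
    hits = []
    for dg in datagrams:
        reasons = classify(dg)
        if reasons:
            rcon = parse_rcon(dg.payload)
            hits.append((dg.src, rcon[1] if rcon else "", reasons))
    return hits


# Constructed sample traffic, not captured data.
SAMPLE = [
    Datagram("10.0.0.5", 27910, OOB_HEADER + b"status"),                      # ordinary server query
    Datagram("10.0.0.9", 27910, OOB_HEADER + b"rcon s3cret sv map q2dm1"),    # admin's own rcon
    Datagram("192.246.40.17", 27910, OOB_HEADER + b"rcon tms exec evil.cfg"), # backdoor pattern, id subnet
    Datagram("203.0.113.7", 27910, OOB_HEADER + b"rcon tms status"),          # backdoor password, other source
    Datagram("192.246.40.3", 27910, OOB_HEADER + b"status"),                  # id subnet, benign payload
    Datagram("192.246.40.3", 27960, OOB_HEADER + b"rcon tms quit"),           # wrong port, ignored
]

if __name__ == "__main__":
    for src, command, reasons in scan(SAMPLE):
        print(f"{src}: {'; '.join(reasons)} (command={command!r})")
```

Feeding real traffic in only requires building `Datagram` objects from a packet source; the filter suggested in the mail covers the first reason, and the second is what catches a spoofed packet that such a filter would also drop but that you would still want logged, since the server itself does not log it.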