Date: Fri, 2 Aug 2002 12:19:14 -0500
From: "Jacques A. Vidrine" <nectar@freebsd.org>
To: D J Hawkey Jr <hawkeyd@visi.com>
Cc: security at FreeBSD <freebsd-security@freebsd.org>
Subject: Re: OpenSSL trojan: I seem to have post-install evidence?
Message-ID: <20020802171914.GB50692@madman.nectar.cc>
In-Reply-To: <20020802104836.A16486@sheol.localdomain>
References: <20020802104836.A16486@sheol.localdomain>

On Fri, Aug 02, 2002 at 10:48:36AM -0500, D J Hawkey Jr wrote:
> Aug 2 10:27:15 sheol ipmon[70]: 10:27:15.792366 dc1 @1:13 b 216.196.144.24,1166 -> 208.42.101.192,6667 PR tcp len 20 48 -S IN

This is someone port scanning you for IRC. (Your network is
208.42.101.192/something.) It has nothing to do with OpenSSL or
OpenSSH (which is what I assume you really meant) or
4.5-RELEASE-pWhatever or FreeBSD.

> From what I've read, the trojan tries to use port 6667, and I haven't got
> any such log entries to port 6667 prior to my updating to 4.5-RELEASE-p15.

The trojan was never something incorporated into the FreeBSD base
system, and the port would report a checksum mismatch. You don't
really have anything to worry about unless you manually fetched and
installed the trojan'd ssh.

Cheers,
-- 
Jacques A. Vidrine <n@nectar.cc> http://www.nectar.cc/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
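
As an added example (not part of the original message or of FreeBSD), the following Python sketch parses ipmon lines in the layout quoted above and separates an inbound SYN aimed at port 6667 from an outbound connection attempt to that port, which is the distinction the reply turns on. The `classify` helper and the second log line are constructed for illustration; the action letters (`p` passed, `b` blocked) are taken from ipmon(8).

```python
import re

# Layout taken from the ipmon line quoted in the message. Action letters
# (p = passed, b = blocked) are per ipmon(8).
IPMON_RE = re.compile(
    r"ipmon\[\d+\]: \S+ (?P<ifname>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>\S) (?P<src>[\d.]+),(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+),(?P<dport>\d+) PR (?P<proto>\S+) "
    r"len \d+ \d+(?: -(?P<flags>[A-Z]+))? (?P<dir>IN|OUT)"
)

def classify(line, port=6667):
    """Describe one ipmon TCP log line, or return None if it does not parse."""
    m = IPMON_RE.search(line)
    if m is None:
        return None
    f = m.groupdict()
    # A bare SYN (flags "-S") to the port is a connection attempt, not
    # traffic on an established session.
    syn_to_port = (f["proto"] == "tcp" and f["flags"] == "S"
                   and int(f["dport"]) == port)
    if syn_to_port and f["dir"] == "IN":
        verdict = "inbound-probe"      # a remote host trying our port
    elif syn_to_port and f["dir"] == "OUT":
        verdict = "outbound-attempt"   # this host reaching out: investigate
    else:
        verdict = "other"
    return {"verdict": verdict, "blocked": f["action"] == "b",
            "src": f["src"], "dst": f["dst"], "rule": f["group"] + ":" + f["rule"]}

# The line quoted in the message.
QUOTED = ("Aug 2 10:27:15 sheol ipmon[70]: 10:27:15.792366 dc1 @1:13 b "
          "216.196.144.24,1166 -> 208.42.101.192,6667 PR tcp len 20 48 -S IN")
# Constructed counter-example using documentation addresses (RFC 5737).
CONSTRUCTED_OUT = ("Aug 2 10:30:01 sheol ipmon[70]: 10:30:01.000001 dc1 @0:5 p "
                   "192.0.2.10,1050 -> 198.51.100.7,6667 PR tcp len 20 48 -S OUT")

if __name__ == "__main__":
    for line in (QUOTED, CONSTRUCTED_OUT):
        print(classify(line))
```
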