From owner-freebsd-security Fri Aug 2 10:19:18 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F0E3837B400 for ; Fri, 2 Aug 2002 10:19:15 -0700 (PDT) Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7176C43E70 for ; Fri, 2 Aug 2002 10:19:15 -0700 (PDT) (envelope-from nectar@nectar.cc) Received: from madman.nectar.cc (madman.nectar.cc [10.0.1.111]) by gw.nectar.cc (Postfix) with ESMTP id D269A10; Fri, 2 Aug 2002 12:19:14 -0500 (CDT) Received: from madman.nectar.cc (localhost [IPv6:::1]) by madman.nectar.cc (8.12.3/8.12.3) with ESMTP id g72HJEU4050943; Fri, 2 Aug 2002 12:19:14 -0500 (CDT) (envelope-from nectar@madman.nectar.cc) Received: (from nectar@localhost) by madman.nectar.cc (8.12.3/8.12.3/Submit) id g72HJE3r050942; Fri, 2 Aug 2002 12:19:14 -0500 (CDT) Date: Fri, 2 Aug 2002 12:19:14 -0500 From: "Jacques A. Vidrine" To: D J Hawkey Jr Cc: security at FreeBSD Subject: Re: OpenSSL trojan: I seem to have post-install evidence? Message-ID: <20020802171914.GB50692@madman.nectar.cc> Mail-Followup-To: "Jacques A. Vidrine" , D J Hawkey Jr , security at FreeBSD References: <20020802104836.A16486@sheol.localdomain> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20020802104836.A16486@sheol.localdomain> X-Url: http://www.nectar.cc/ User-Agent: Mutt/1.5.1i-ja.1 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Fri, Aug 02, 2002 at 10:48:36AM -0500, D J Hawkey Jr wrote: > Aug 2 10:27:15 sheol ipmon[70]: 10:27:15.792366 dc1 @1:13 b 216.196.144.24,1166 -> 208.42.101.192,6667 PR tcp len 20 48 -S IN This is someone port scanning you for IRC. (Your network is 208.42.101.192/something.) It has nothing to do with OpenSSL or OpenSSH (which is what I assume you really meant) or 4.5-RELEASE-pWhatever or FreeBSD. > From what I've read, the trojan tries to use port 6667, and I haven't got > any such log entries to port 6667 prior to my updating to 4.5-RELEASE-p15. The trojan was never something incorporated into the FreeBSD base system, and the port would report a checksum mismatch. You don't really have anything to worry about unless you manually fetched and installed the trojan'd ssh. Cheers, -- Jacques A. Vidrine http://www.nectar.cc/ NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message