From owner-freebsd-security Mon Mar 5 13:46:19 2001
Delivered-To: freebsd-security@freebsd.org
Received: from d156h168.resnet.uconn.edu (d156h168.resnet.uconn.edu [137.99.156.168]) by hub.freebsd.org (Postfix) with SMTP id B095E37B719 for ; Mon, 5 Mar 2001 13:46:11 -0800 (PST) (envelope-from sirmoo@cowbert.2y.net)
Received: (qmail 32303 invoked by alias); 5 Mar 2001 21:46:41 -0000
Received: from unknown (HELO sirmoobert) (137.99.158.30) by d156h168.resnet.uconn.edu with SMTP; 5 Mar 2001 21:46:41 -0000
Message-ID: <002d01c0a5bd$a16f45c0$1e9e6389@137.99.156.23>
From: "Peter C. Lai"
To: "Alfred Perlstein", "David G. Andersen"
Cc: "Evren Yurtesen", "Dag-Erling Smorgrav", "dce",
References: <200103052012.NAA11367@faith.cs.utah.edu>
Subject: Re: 31337
Date: Mon, 5 Mar 2001 16:45:44 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Most probably a luser on the system is running ircd, which doesn't need
elevated privs because it is binding above port 1024, and they are also
trying to do some "l33t hax0ring" of winboxen using Netbus's admin tool.

----- Original Message -----
From: "David G. Andersen"
To: "Alfred Perlstein"
Cc: "Evren Yurtesen"; "Dag-Erling Smorgrav"; "dce";
Sent: Monday, March 05, 2001 3:12 PM
Subject: Re: 31337

> That's not correct. Nmap has the "Elite" service name built into
> its nmap-services file, mostly because of the obvious 5kr1p7 k11d13
> name mapping. His /etc/services is probably just fine.
>
> -Dave
>
> Lo and behold, Alfred Perlstein once said:
> >
> > * Evren Yurtesen [010305 11:30] wrote:
> > > Can't it be a person who has a shell and executes some daemons etc.? Like
> > > ircd?
> > >
> > > Why does he need to reinstall his system?
> >
> > Because if the box is reporting port 31337 as the 'elite' service
> > it means someone most likely has modified /etc/services, which
> > indicates that they have attained elevated privs somehow.
> >
> > > Evren
> > >
> > > > dce writes:
> > > > > I have noticed the following ports open on my FreeBSD 4.2-STABLE machine
> > > > >
> > > > > 31337/tcp open Elite
> > > > > 6667/tcp open irc
> > > >
> > > > You're owned. Take your box off the net, take a backup, reinstall from
> > > > trusted media (preferably original CD-ROMs from BSDI), transfer data
> > > > (*no* executables, scripts or configuration files!) from backup. And
> > > > get some security clue; the security(7) man page is a good place to
> > > > start, though far from complete.
> > > >
> > > > DES
> > > > --
> > > > Dag-Erling Smorgrav - des@ofug.org
> > > >
> > > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > > with "unsubscribe freebsd-security" in the body of the message
> >
> > --
> > -Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
>
> --
> work: dga@lcs.mit.edu me: dga@pobox.com
> MIT Laboratory for Computer Science http://www.angio.net/
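The point Dave makes above, that the "Elite" label comes from nmap's own nmap-services database and says nothing about the target's /etc/services, can be checked mechanically. The script below is an added example, not code from the thread or from the nmap project: it resolves a port/protocol pair against a constructed excerpt of an nmap-services style file and against a constructed excerpt of a services(5) style file, then classifies which side could have produced the name. The file contents, the helper names lookup_service and name_origin, and the classification labels are all assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the thread): where does a scanner's "Elite" label
# for 31337/tcp come from? Resolve the port against an nmap-services style
# database and against an /etc/services style file, and compare.
# Both files below are constructed excerpts, not the real files.

NMAP_SERVICES='# nmap-services excerpt (constructed for this example)
irc     6667/tcp    # Internet Relay Chat
Elite   31337/tcp   # the name nmap prints for this port'

ETC_SERVICES='# /etc/services excerpt (constructed for this example)
ssh     22/tcp
irc     6667/tcp
irc     6667/udp'

# lookup_service CONTENT PORT PROTO: print the name CONTENT assigns to
# PORT/PROTO, or "unknown". Comment and blank lines are skipped, as a
# services(5) parser would; only the second column (port/proto) is matched.
lookup_service() {
    printf '%s\n' "$1" | awk -v want="$2/$3" '
        /^#/ || NF < 2 { next }
        $2 == want     { print $1; found = 1; exit }
        END            { if (!found) print "unknown" }'
}

# name_origin PORT PROTO: classify who could have produced a name for the port.
#   nmap-only   nmap-services has a name, the local /etc/services does not:
#               the scanner's label came from its own database
#   both        both files name the port
#   local-only  only the local file names it (worth asking who edited it)
#   neither     no name on either side; the port is just a number
name_origin() {
    n=$(lookup_service "$NMAP_SERVICES" "$1" "$2")
    l=$(lookup_service "$ETC_SERVICES" "$1" "$2")
    if [ "$n" != unknown ] && [ "$l" = unknown ]; then
        echo nmap-only
    elif [ "$n" != unknown ] && [ "$l" != unknown ]; then
        echo both
    elif [ "$l" != unknown ]; then
        echo local-only
    else
        echo neither
    fi
}

# Usage: the two ports reported in the thread. The label alone proves nothing
# about the box; the useful question is which user and process own the socket,
# e.g. on FreeBSD:
#   sockstat -4l | grep -E ':(31337|6667) '
for p in 31337 6667; do
    printf '%s/tcp: nmap=%s local=%s origin=%s\n' "$p" \
        "$(lookup_service "$NMAP_SERVICES" "$p" tcp)" \
        "$(lookup_service "$ETC_SERVICES" "$p" tcp)" \
        "$(name_origin "$p" tcp)"
done
```

Run as-is, 31337/tcp resolves to "Elite" only on the nmap side and to "unknown" locally, so the scanner output is consistent with an untouched /etc/services. Whether the box is compromised is a separate question, answered by looking at which uid and binary hold the listening socket (sockstat on FreeBSD), not by the name a remote scanner attaches to the port number.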