From owner-freebsd-security Fri Aug 2 10:54:45 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4F9FA37B400 for ; Fri, 2 Aug 2002 10:54:39 -0700 (PDT) Received: from bodb.mc.mpls.visi.com (bodb.mc.mpls.visi.com [208.42.156.104]) by mx1.FreeBSD.org (Postfix) with ESMTP id C9A7343E77 for ; Fri, 2 Aug 2002 10:54:38 -0700 (PDT) (envelope-from hawkeyd@visi.com) Received: from sheol.localdomain (hawkeyd-fw.dsl.visi.com [208.42.101.193]) by bodb.mc.mpls.visi.com (Postfix) with ESMTP id 9F9D95DC9 for ; Fri, 2 Aug 2002 12:28:54 -0500 (CDT) Received: (from hawkeyd@localhost) by sheol.localdomain (8.11.6/8.11.6) id g72HSp055978 for freebsd-security@freebsd.org; Fri, 2 Aug 2002 12:28:51 -0500 (CDT) (envelope-from hawkeyd) Date: Fri, 2 Aug 2002 12:28:51 -0500 From: D J Hawkey Jr To: security at FreeBSD Subject: Re: OpenSSL trojan: I seem to have post-install evidence? Message-ID: <20020802122851.A55094@sheol.localdomain> Reply-To: hawkeyd@visi.com Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Earlier, I wrote: ----- Forwarded message from D J Hawkey Jr ----- Hi All. I need some help here. I 'csvup'd from RELENG_4_5 yesterday, and built and installed the world, bringing my system to 4.5-RELEASE-15. I have since seen the following in /var/log/security: ---8<--- Aug 2 10:27:15 sheol ipmon[70]: 10:27:15.792366 dc1 @1:13 b 216.196.144.24,1166 -> 208.42.101.192,6667 PR tcp len 20 48 -S IN Aug 2 10:27:15 sheol ipmon[70]: 10:27:15.793415 dc1 @1:13 b 216.196.144.24,1167 -> 208.42.101.193,6667 PR tcp len 20 48 -S IN Aug 2 10:27:18 sheol ipmon[70]: 10:27:18.702554 dc1 @1:13 b 216.196.144.24,1166 -> 208.42.101.192,6667 PR tcp len 20 48 -S IN Aug 2 10:27:18 sheol ipmon[70]: 10:27:18.726508 dc1 @1:13 b 216.196.144.24,1167 -> 208.42.101.193,6667 PR tcp len 20 48 -S IN Aug 2 10:27:24 sheol ipmon[70]: 10:27:24.710308 dc1 @1:13 b 216.196.144.24,1166 -> 208.42.101.192,6667 PR tcp len 20 48 -S IN Aug 2 10:27:24 sheol ipmon[70]: 10:27:24.749498 dc1 @1:13 b 216.196.144.24,1167 -> 208.42.101.193,6667 PR tcp len 20 48 -S IN --->8---