From owner-freebsd-security  Fri Aug  2 11: 7:20 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 7E36937B405; Fri,  2 Aug 2002 11:07:14 -0700 (PDT)
Received: from bran.mc.mpls.visi.com (bran.mc.mpls.visi.com [208.42.156.103])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 102CB43E70; Fri,  2 Aug 2002 11:07:14 -0700 (PDT)
	(envelope-from hawkeyd@visi.com)
Received: from sheol.localdomain (hawkeyd-fw.dsl.visi.com [208.42.101.193])
	by bran.mc.mpls.visi.com (Postfix) with ESMTP
	id 4D5D9503E; Fri,  2 Aug 2002 13:07:13 -0500 (CDT)
Received: (from hawkeyd@localhost)
	by sheol.localdomain (8.11.6/8.11.6) id g72I7CB59150;
	Fri, 2 Aug 2002 13:07:12 -0500 (CDT)
	(envelope-from hawkeyd)
Date: Fri, 2 Aug 2002 13:07:12 -0500
From: D J Hawkey Jr <hawkeyd@visi.com>
To: "Jacques A. Vidrine" <nectar@FreeBSD.org>,
	security at FreeBSD <freebsd-security@FreeBSD.org>
Subject: Re: OpenSSL trojan: I seem to have post-install evidence?
Message-ID: <20020802130712.A59134@sheol.localdomain>
Reply-To: hawkeyd@visi.com
References: <20020802104836.A16486@sheol.localdomain> <20020802171914.GB50692@madman.nectar.cc>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <20020802171914.GB50692@madman.nectar.cc>; from nectar@freebsd.org on Fri, Aug 02, 2002 at 12:19:14PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

On Aug 02, at 12:19 PM, Jacques A. Vidrine wrote:
> 
> On Fri, Aug 02, 2002 at 10:48:36AM -0500, D J Hawkey Jr wrote:
> > Aug  2 10:27:15 sheol ipmon[70]: 10:27:15.792366 dc1 @1:13 b 216.196.144.24,1166 -> 208.42.101.192,6667 PR tcp len 20 48 -S IN
> 
> This is someone port scanning you for IRC.  (Your network
> is 208.42.101.192/something.)  It has nothing to do with
> OpenSSL or OpenSSH (which is what I assume you really meant) or
> 4.5-RELEASE-pWhatever or FreeBSD.

Ohhh, IRC uses port 6667? It's not in /etc/services, and I didn't know this.

> The trojan was never something incorporated into the FreeBSD base
> system, and the port would report a checksum mismatch.  You don't
> really have anything to worry about unless you manually fetched and
> installed the trojan'd ssh.

All righty, then! Thanks, Jacques.

> Cheers,
> Jacques A. Vidrine <n@nectar.cc>                 http://www.nectar.cc/

Dave

-- 
  ______________________                         ______________________
  \__________________   \    D. J. HAWKEY JR.   /   __________________/
     \________________/\     hawkeyd@visi.com    /\________________/
                      http://www.visi.com/~hawkeyd/


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message