Date: Fri, 2 Aug 2002 13:30:33 -0500 From: "Jacques A. Vidrine" <nectar@freebsd.org> To: D J Hawkey Jr <hawkeyd@visi.com> Cc: security at FreeBSD <freebsd-security@freebsd.org> Subject: Re: OpenSSL trojan: I seem to have post-install evidence? Message-ID: <20020802183033.GA18787@madman.nectar.cc> In-Reply-To: <20020802122851.A55094@sheol.localdomain> References: <20020802122851.A55094@sheol.localdomain>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, Aug 02, 2002 at 12:28:51PM -0500, D J Hawkey Jr wrote: > Aug 2 12:19:04 sheol ipmon[70]: 12:19:03.572959 dc1 @1:13 b 217.162.144.117,33247 -> 208.42.101.193,33484 PR udp len 20 40 IN > Aug 2 12:19:10 sheol ipmon[70]: 12:19:10.310476 dc1 @1:13 b 217.162.144.117,1041 -> 208.42.101.193,6667 PR tcp len 20 60 -S IN As in your previous message, these are packets that are coming INTO your system and are being dropped. High UDP ports like 33484 are indicative of traceroute. > But unlike the first, this address resolves: > > [sheol] ~$ nslookup 217.162.144.177 > Server: sheol.localdomain > Address: 192.168.16.2 > > Name: dclient217-162-144-177.hispeed.ch > Address: 217.162.144.177 > > And also unlike the first, the host tried some UDP first. > > Are we certain no exploits are in the wild, as of now? You can never be certain. There are none known though. > I won't post further on this unless it generates some interest. Yes, please don't. Cheers, -- Jacques A. Vidrine <n@nectar.cc> http://www.nectar.cc/ NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020802183033.GA18787>