From owner-freebsd-security Mon Feb 11 18:22: 5 2002 Delivered-To: freebsd-security@freebsd.org Received: from newman2.bestweb.net (newman2.bestweb.net [209.94.102.67]) by hub.freebsd.org (Postfix) with ESMTP id 817D037B49D for ; Mon, 11 Feb 2002 18:17:15 -0800 (PST) Received: from okeeffe.bestweb.net (okeefe.bestweb.net [209.94.100.110]) by newman2.bestweb.net (Postfix) with ESMTP id EFCA5231ED for ; Mon, 11 Feb 2002 21:16:50 -0500 (EST) Received: by okeeffe.bestweb.net (Postfix, from userid 0) id 2632B9EFBE; Mon, 11 Feb 2002 21:11:56 -0500 (EST) Date: Tue, 5 Feb 2002 22:24:24 -0200 (BRST) From: Paulo Fragoso To: Subject: Auditing Message-Id: <20020212021156.2632B9EFBE@okeeffe.bestweb.net> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi, We have a client which was using 4.2-RELEASE and telnetd enabled. In that machine was running an ircd installed and started by a hacker, probaly exploiting telnetd hole. We have instaled 4.5-RELEASE using another HD and log_vain="YES" in the rc.conf. Some time after that upgrade, someone try to connect in this machine: Connection attempt to UDP mmm.mmm.mmm.mmm:22 from hhh.hhh.hhh.hhh:1384 How can we found in the old system all mechanism to enable remotely ircd or backdoor? Are there any rootkit which it has a backdoor at UDP port 22? Paulo. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message