From owner-freebsd-security  Mon Mar  5 14:22: 4 2001
Delivered-To: freebsd-security@freebsd.org
Received: from equinox.datasyrge.net (ool-18ba2d21.dyn.optonline.net [24.186.45.33])
	by hub.freebsd.org (Postfix) with ESMTP id DA45037B718
	for <security@FreeBSD.ORG>; Mon,  5 Mar 2001 14:21:56 -0800 (PST)
	(envelope-from jslivko@datasyrge.net)
Received: from localhost (jslivko@localhost)
	by equinox.datasyrge.net (8.9.3/8.9.3) with ESMTP id RAA13806;
	Mon, 5 Mar 2001 17:24:23 -0500
Date: Mon, 5 Mar 2001 17:24:23 -0500 (EST)
From: "Jonathan M. Slivko" <jslivko@datasyrge.net>
To: Chris Byrnes <chris@jeah.net>
Cc: dce <dce@squish.org>, security@FreeBSD.ORG
Subject: RE: 31337
In-Reply-To: <Pine.BSF.4.33.0103051612380.45434-100000@awww.jeah.net>
Message-ID: <Pine.LNX.4.21.0103051721220.13795-100000@equinox.datasyrge.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I would just like to add that there is a port in the current ports
collection which is called boserver which *emulates* a basic BO server and
runs on port 31137, etc. However, while this may not be the case, I would
just like to point out that someone other than dce may have installed the
port, assuming that someone else has root access on the machine besides
himself. However, if thats not the case and he didn't install the port
himself, i'm not sure. However, I would be very cautious with the machine
from now on, just in case it was comprimised, untill some kind of real
viable proof is shown in this case. Just my 2 cents. -- Jonathan M. Slivko
 
On Mon, 5 Mar 2001, Chris Byrnes wrote:

> Heh, an IRCD is running on the machine, EliteIRCD.
> 
> 
> + Chris Byrnes, chris@JEAH.net
>  + JEAH Communications
>   + 1-866-AWW-JEAH (Toll-Free)
> 
> 
> On Mon, 5 Mar 2001, dce wrote:
> 
> > Hello,
> >
> > I have noticed the following ports open on my FreeBSD 4.2-STABLE machine
> >
> > 31337/tcp  open        Elite
> > 6667/tcp   open        irc
> >
> >
> > I have also noticed these open after CVSuping from 4.0-RELEASE to
> > 4.2-STABLE... Is this normal? Has a rootkit been installed? Any
> > information provided is greatly appreciated.
> >
> >
> >
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
> >
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
> 

-- 
|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|
| Jonathan M. Slivko <jslivko@datasyrge.net>       |
| Global IRC Operator, AsylumNet IRC Networks      |
| Webpage: http://jslivko.datasyrge.net/           |
|                                                  |
|"Microsoft, is that some kind of toilet paper?    |
|"FreeeBSD: The Power to Serve -- www.freebsd.org" |
|~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~|


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message