Date: Tue, 16 May 2000 04:40:52 +0100
From: User Datagram Protocol <udp@closed-networks.com>
To: Dann Lunsford <dann@greycat.com>
Cc: freebsd-security@freebsd.org
Subject: Re: UDP port 27910 being tried
Message-ID: <20000516044052.B2139@closed-networks.com>
In-Reply-To: <20000515200959.A474@greycat.com>; from dann@greycat.com on Mon, May 15, 2000 at 08:10:00PM -0700
References: <20000515200959.A474@greycat.com>

Dann,

On Mon, May 15, 2000 at 08:10:00PM -0700, Dann Lunsford wrote:
> Over the past couple of days, I've noted many instances of attempted connections
> to UDP port 27910 on my 4-STABLE box. I haven't been able to find a reference
> to this port on the Usual Places(tm), so this *might* be something new. Has
> anyone out there seen anything of this?

udp port 27910 is the port for the Quake 2 game server. It's possible that
people have mistaken your box for a Quake 2 server. It's also possible that
they're trying to execute arbitrary commands on your box.

Read http://www.insecure.org/sploits/quake.backdoor.html for more details.
Mark Zielinski of RSI/repsec reported this one. Naturally, if you're running
the server in a sandbox (e.g. plain chroot w/setuid or even as far as jail)
then the damage would be muchly limited in the event of this compromise
occurring.

> ID software blatantly put a backdoor in Quake 1/2 and QuakeWorld including both the Linux/Solaris Quake2. RCON commands sent from the subnet 192.246.40.0/24 and containing the password "tms" are automatically executed on the server without being logged.

So, filtering 192.246.40.0/24 port 27910 is probably also an option. udp
spoofing is trivial. I can't believe Id did this.

Regards

--
Bruce M. Simpson aka 'udp'
Security Analyst & UNIX Development Engineer
WWW:   www.closed-networks.com/~udp
       www.packetfactory.net/~udp
Dundee
United Kingdom
email: udp@closed-networks.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
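
A log triage for the probes discussed in this message, added here as an example and not part of the original e-mail: it counts hits on UDP port 27910 per source and marks sources whose claimed address falls in 192.246.40.0/24. The log line layout, the addresses in the sample (other than the subnet named in the message) and the function name are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

QUAKE2_PORT = 27910                                      # port named in the message
BACKDOOR_NET = ipaddress.ip_network("192.246.40.0/24")   # subnet named in the quoted advisory

# Assumed log layout (constructed for this example):
#   "<rule> <action> UDP <src_ip>:<src_port> <dst_ip>:<dst_port> in via <if>"
LINE_RE = re.compile(
    r"(?P<action>Accept|Deny) UDP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+ "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)

# Constructed sample input; addresses are documentation ranges except the
# one line that claims to come from the subnet in the advisory.
SAMPLE_LOG = """\
1000 Deny UDP 203.0.113.7:1031 198.51.100.10:27910 in via fxp0
1000 Deny UDP 203.0.113.7:1032 198.51.100.10:27910 in via fxp0
1000 Deny UDP 192.246.40.12:4000 198.51.100.10:27910 in via fxp0
1000 Deny UDP 203.0.113.9:53 198.51.100.10:1045 in via fxp0
garbage line that does not parse
"""

def triage(log_text):
    """Return {source: {"count", "claims_backdoor_subnet"}} for udp/27910 hits."""
    probes = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or int(m.group("dport")) != QUAKE2_PORT:
            continue                      # unparsable line or a different port
        try:
            src = ipaddress.ip_address(m.group("src"))
        except ValueError:
            continue                      # octet out of range, skip the line
        probes[src] += 1
    # The source address of a UDP datagram is only what the sender claims,
    # so the flag records the claimed source, not a verified origin.
    return {
        str(src): {"count": n, "claims_backdoor_subnet": src in BACKDOOR_NET}
        for src, n in probes.items()
    }

if __name__ == "__main__":
    for src, info in sorted(triage(SAMPLE_LOG).items()):
        print(src, info["count"], info["claims_backdoor_subnet"])
```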