Date:      Mon, 5 Mar 2001 16:45:44 -0500
From:      "Peter C. Lai" <sirmoo@cowbert.2y.net>
To:        "Alfred Perlstein" <bright@wintelcom.net>, "David G. Andersen" <dga@pobox.com>
Cc:        "Evren Yurtesen" <yurtesen@ispro.net.tr>, "Dag-Erling Smorgrav" <des@ofug.org>, "dce" <dce@squish.org>, <security@FreeBSD.ORG>
Subject:   Re: 31337
Message-ID:  <002d01c0a5bd$a16f45c0$1e9e6389@137.99.156.23>
References:  <200103052012.NAA11367@faith.cs.utah.edu>

most probably a luser on the system is running ircd which doesn't need
elevated privs because it is binding above port 1024, and they are also
trying to do some "l33t hax0ring" of winboxen using Netbus's admin tool.
----- Original Message -----
From: "David G. Andersen" <dga@pobox.com>
To: "Alfred Perlstein" <bright@wintelcom.net>
Cc: "Evren Yurtesen" <yurtesen@ispro.net.tr>; "Dag-Erling Smorgrav"
<des@ofug.org>; "dce" <dce@squish.org>; <security@FreeBSD.ORG>
Sent: Monday, March 05, 2001 3:12 PM
Subject: Re: 31337


> That's not correct.  Nmap has the "Elite" service name built in to
> its nmap-services file.  Mostly because of the obvious 5kr1p7 k11d13
> name mapping.  His /etc/services is probably just fine.
>
>    -Dave
>
> Lo and behold, Alfred Perlstein once said:
> >
> > * Evren Yurtesen <yurtesen@ispro.net.tr> [010305 11:30] wrote:
> > > cant it be a person who has a shell and execute some daemons etc ? like ircd?
> > >
> > > why does he need to reinstall his system?
> >
> > Because if the box is reporting port 31337 as the 'elite' service
> > it means someone most likely has modified /etc/services which
> > indicates that they have attained elevated privs somehow.
> >
> >
> > >
> > > Evren
> > >
> > > > dce <dce@squish.org> writes:
> > > > > I have noticed the following ports open on my FreeBSD 4.2-STABLE machine
> > > > >
> > > > > 31337/tcp  open        Elite
> > > > > 6667/tcp   open        irc
> > > >
> > > > You're owned. Take your box off the net, take a backup, reinstall from
> > > > trusted media (preferably original CD-ROMs from BSDI), transfer data
> > > > (*no* executables, scripts or configuration files!) from backup. And
> > > > get some security clue; the security(7) man page is a good place to
> > > > start, though far from complete.
> > > >
> > > > DES
> > > > --
> > > > Dag-Erling Smorgrav - des@ofug.org
> > > >
> > > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > > with "unsubscribe freebsd-security" in the body of the message
> > > >
> > >
> > >
> >
> > --
> > -Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
> >
> >
>
>
> --
> work: dga@lcs.mit.edu                          me:  dga@pobox.com
>       MIT Laboratory for Computer Science           http://www.angio.net/
>
>


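Added example, not part of the thread and not anyone's posted code: a small Python triage helper that makes the two points above concrete. First, nmap labels a port from its own nmap-services table, so "Elite" on 31337/tcp says nothing about the host's /etc/services; the script resolves the port against a constructed excerpt of each file and shows that only the nmap table carries the label. Second, the useful check on the box itself is which user and process actually hold the socket; the script parses constructed sockstat(1) output in the column layout of FreeBSD's `sockstat -4l` (an assumption about the format, and sample data rather than a real capture) to show an unprivileged user's ircd bound to both 6667 and 31337. All file excerpts and the sockstat lines are constructed for the example.

```python
"""Open-port triage helper (added example; all sample data below is constructed)."""

# Constructed excerpt in nmap-services format: name, port/proto, [frequency], [# comment].
# This is the table nmap consults, not the target's /etc/services.
NMAP_SERVICES = """\
# Fields: service name, portnum/protocol, open-frequency, optional comments
irc     6667/tcp    0.000500   # Internet Relay Chat
Elite   31337/tcp   0.000100   # name chosen for the obvious reason
"""

# Constructed excerpt in /etc/services format: note there is no 31337 entry at all.
ETC_SERVICES = """\
# service-name  port/protocol  [aliases ...]  [# comment]
ssh     22/tcp     # Secure Shell Login
irc     6667/tcp   # Internet Relay Chat
"""

# Constructed output in the layout of FreeBSD `sockstat -4l` (assumed format):
# USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       123   4  tcp4   *:22                  *:*
luser    ircd       4242  6  tcp4   *:6667                *:*
luser    ircd       4242  7  tcp4   *:31337               *:*
"""


def parse_services(text):
    """Map (port, proto) -> service name.

    nmap-services and /etc/services share the leading 'name port/proto' columns,
    which is all we need; extra columns (frequency, aliases) are ignored.
    """
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2 or "/" not in parts[1]:
            continue
        port, proto = parts[1].split("/", 1)
        table[(int(port), proto)] = parts[0]
    return table


def lookup(port, proto, text):
    """Name for port/proto in the given table, or None if the table has no entry."""
    return parse_services(text).get((port, proto))


def listeners_on(port, sockstat_text):
    """Return (user, command, pid) for every TCP socket bound to the given port."""
    found = []
    for line in sockstat_text.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) < 6:
            continue
        user, command, pid, _fd, proto, local = parts[:6]
        if proto.startswith("tcp") and local.endswith(":%d" % port):
            found.append((user, command, int(pid)))
    return found


def triage(port, proto="tcp"):
    """Where does the scanner's label come from, and who holds the port locally?"""
    listeners = listeners_on(port, SOCKSTAT)
    return {
        "nmap_label": lookup(port, proto, NMAP_SERVICES),
        "etc_services_label": lookup(port, proto, ETC_SERVICES),
        "listeners": listeners,
        # A non-root owner is consistent with an ordinary shell user binding a
        # high port; it does not by itself prove or disprove a compromise.
        "bound_by_root": any(user == "root" for user, _, _ in listeners),
    }


if __name__ == "__main__":
    for p in (6667, 31337):
        print(p, triage(p))
```

Running it prints that 31337/tcp is "Elite" only in the nmap table (no /etc/services entry) and is held, along with 6667, by pid 4242 `ircd` running as `luser`, which is exactly the situation the thread describes. On a real host the sockstat text would come from running the command rather than a constant.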