Date: Mon, 5 Mar 2001 19:06:10 +0000
From: Marc Rogers <marcr@shady.org>
To: security@FreeBSD.ORG
Subject: Re: 31337
Message-ID: <20010305190610.X341@shady.org>
In-Reply-To: <Pine.BSF.4.21.0103051112590.52387-100000@rapidnet.com>; from traviso@RapidNet.com on Mon, Mar 05, 2001 at 11:13:46AM -0700
References: <Pine.BSO.4.10.10103051008420.15904-100000@tomahawk.SQUiSH.org> <Pine.BSF.4.21.0103051112590.52387-100000@rapidnet.com>
On Mon, Mar 05, 2001 at 11:13:46AM -0700, Travis [Admin Team] wrote:
> On Mon, 5 Mar 2001, dce wrote:
>
> > I have noticed the following ports open on my FreeBSD 4.2-STABLE machine
> >
> > 31337/tcp open Elite
> > 6667/tcp open irc
> >
> > I have also noticed these open after CVSuping from 4.0-RELEASE to
> > 4.2-STABLE... Is this normal? Has a rootkit been installed? Any
> > information provided is greatly appreciated.
>
> 31337 is the ol' Back Orifice remote administration tool - they are
> just probing - silly kiddiez.

No, I believe that he is saying they are open, not that someone is probing them. There is nothing legitimate that runs on those ports out of the box.

Cvsuping will only close an open port if it changes the program that is opening it in the first place. I.e. if it's a trojaned system binary, then cvsuping and a subsequent make world will hopefully replace it. If it's a separate program, say for example running from /dev/.hidden/rootkit, then only removing the startup mechanism and killing the program will close it.

I would recommend that you install "lsof" and use it, and judicial use of netstat, to identify what ports are open, which programs are listening to them and where the files are located. Do not rely entirely on netstat or any program that was in situ prior to this occurrence. They may have been tampered with (bear in mind your kernel may have been tampered with as well, or there may be hostile modules loaded). Fresh installs are your friend.

In my experience 6667 on a machine that isn't legitimately running an ircd is most likely to be an irc port bouncer. In which case your box has been taken over by kiddies, who are using it to conceal their identities as they irc. Running lsof and netstat periodically from cron will most likely reveal their locations (or the next box in the chain that they have taken).

I would guess that 31337 is their backdoor, and 6667 is their portbouncer.

If you need any further assistance, feel free to drop me a line.
Marc Rogers
Head of Network Operations & Security
EDC Group
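The procedure Marc describes (use lsof to tie listening ports to processes, keep an allowlist of what should be listening, and run the check from cron so new listeners stand out) can be scripted. The following is an added example, not part of the original message or of any FreeBSD tool: it parses the output of `lsof -nP -iTCP -sTCP:LISTEN`, flags listeners on ports outside an allowlist, and diffs two snapshots so a cron job can report listeners that appeared since the baseline. The lsof sample embedded below is constructed for the example (the process names and PIDs are made up, only the two ports come from the thread), and the column layout is assumed to match the nine-column lsof format shown in it.

```shell
#!/bin/sh
# Audit TCP listeners from lsof output: flag ports not on an allowlist and
# diff two snapshots so a periodic (cron) run reports newly appeared listeners.
#
# On a real host:  lsof -nP -iTCP -sTCP:LISTEN | flag_unexpected "22 25"
# The lsof binary itself must be trusted (installed fresh, not one that was
# already on the box), as the thread points out.

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output, not from a real
# host. Process names and PIDs are invented; 6667 and 31337 are the two ports
# from the thread.
SAMPLE_LSOF='COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      312   root    3u  IPv4 0xc1a      0t0  TCP *:22 (LISTEN)
sendmail  401   root    4u  IPv4 0xc1b      0t0  TCP 127.0.0.1:25 (LISTEN)
bnc      1337 nobody    5u  IPv4 0xc1c      0t0  TCP *:6667 (LISTEN)
sh       1338   root    3u  IPv4 0xc1d      0t0  TCP *:31337 (LISTEN)'

# Normalise lsof LISTEN lines read from stdin to "port pid command", one per
# line, sorted numerically by port. The port is whatever follows the last ':'
# in the NAME column ($9), which also copes with IPv6 forms like [::]:22.
listeners() {
    awk '/\(LISTEN\)$/ {
        n = split($9, a, ":")
        printf "%s %s %s\n", a[n], $2, $1
    }' | sort -n
}

# Print listeners whose port is not in the space-separated allowlist given as
# $1. Reads lsof output on stdin; emits "port pid command" for each hit.
flag_unexpected() {
    listeners | awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($1 in ok)'
}

# Report lines present in the current snapshot file ($2) but absent from the
# baseline snapshot file ($1). Both files hold `listeners` output; the baseline
# is taken once from a known-clean state, the current one on each cron run.
new_listeners() {
    awk 'NR == FNR { seen[$0] = 1; next } !($0 in seen)' "$1" "$2"
}

# Stand-alone demo on the constructed sample: only 22 and 25 are expected.
printf '%s\n' "$SAMPLE_LSOF" | flag_unexpected "22 25"
```

Anything the script reports still needs the manual follow-up from the message: check the PID with lsof (`lsof -p <pid>`) to see which file on disk it runs from, and treat netstat, lsof and the kernel as suspect until the box has been reinstalled. The demo run prints `6667 1337 bnc` and `31337 1338 sh` for the constructed sample.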