From: Szilveszter Adam
To: freebsd-security@FreeBSD.ORG
Date: Wed, 13 Dec 2000 17:42:49 +0100
Subject: Re: 911 lockdown!
Message-ID: <20001213174249.L24233@petra.hos.u-szeged.hu>

Hello!

On Wed, Dec 13, 2000 at 05:32:35PM +0100, Dag-Erling Smorgrav wrote:
> > 587/tcp open submission
>
> This is probably a back door the intruder left behind. Use sockstat(1)
> to determine which process owns the socket, and kill it (and make sure
> it doesn't restart when you reboot)
>

Uhm, if he is running sendmail (a recent version), then it may be just
that: sendmail now runs on two ports, 25 and 587 unless configured
otherwise. OTB it will listen on both ports. Esp since he said that
telnetting to this port starts up a sendmail which is expected behaviour.

-- 
Regards:

Szilveszter ADAM
Szeged University
Szeged Hungary
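
An added example, not part of the original message: a small sh/awk filter that reads sockstat(1)-style output and reports whether the port 587 listener is the same sendmail process that holds port 25, which is the case the reply above describes. The function names, sample lines, PIDs and the "unknownd" command are constructed; the column layout is assumed to be that of FreeBSD `sockstat -4 -l`.

```sh
#!/bin/sh
# Added example (not from the original message). Reads sockstat(1)-style
# lines on stdin; on a live FreeBSD host: sockstat -4 -l | classify_587
# Assumed columns: USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS

classify_587() {
    awk '
        $5 !~ /^tcp/ { next }                 # skips the header and UDP rows
        {
            n = split($6, part, ":")          # "*:587" or "127.0.0.1:587"
            port = part[n]
            if (port == "25") smtp[$3] = 1    # PIDs listening on SMTP
            if (port == "587") { k++; user[k] = $1; cmd[k] = $2; pid[k] = $3 }
        }
        END {
            if (k == 0) { print "closed"; exit }
            for (i = 1; i <= k; i++) {
                # Expected: the sendmail that holds port 25 also holds 587
                if (cmd[i] == "sendmail" && (pid[i] in smtp))
                    print "expected sendmail pid=" pid[i]
                else
                    print "investigate " cmd[i] " pid=" pid[i] " user=" user[i]
            }
        }'
}

# Constructed sample: stock sendmail listening on both ports.
sample_default() {
    cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS    FOREIGN ADDRESS
root     sendmail   214   4  tcp4   *:25             *:*
root     sendmail   214   5  tcp4   *:587            *:*
root     sshd       198   3  tcp4   *:22             *:*
EOF
}

# Constructed sample: some other process holds port 587.
sample_other() {
    cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS    FOREIGN ADDRESS
root     sendmail   214   4  tcp4   *:25             *:*
nobody   unknownd   977   3  tcp4   *:587            *:*
EOF
}

sample_default | classify_587
sample_other | classify_587
```

A matching command name is only a hint, since a process can be started under any name; check the binary and its configuration before treating the listener as legitimate.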