Re: Auditing

From: Eli Dart (dart@nersc.gov)
Date: 02/06/02

Next message: cans23840361@hotmail.com: "See Real Babes (0384CuMg3-126YqKc6577@20)"
Previous message: Paulo Fragoso: "Auditing"
Maybe in reply to: Paulo Fragoso: "Auditing"
Next in thread: Rik: "Re: Auditing"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: Paulo Fragoso <paulo@nlink.com.br>
Date: Tue, 05 Feb 2002 16:48:40 -0800
From: Eli Dart <dart@nersc.gov>

I don't know all the details involving your particular incident, but
at one time there was a bug in PC-Anywhere that caused it to listen
on UDP port 22 (they didn't put their port number in network byte
order as I remember).

I still see scanners looking for UDP port 22 every once in a while
(script kiddies looking for poorly configured PC-Anywhere instances).

So, this could be unrelated to your incident, and just be some random
script kiddie. In general, if you turn on log_in_vain on a box that
is directly connected to the Internet, you'll see a lot of random
cruft....

--eli

In reply to Paulo Fragoso <paulo@nlink.com.br> :

> Hi,
>
> We have a client which was using 4.2-RELEASE and telnetd enabled. In that
> machine was running an ircd installed and started by a hacker, probaly
> exploiting telnetd hole.
>
> We have instaled 4.5-RELEASE using another HD and log_vain="YES" in the
> rc.conf. Some time after that upgrade, someone try to connect in this
> machine:
>
> Connection attempt to UDP mmm.mmm.mmm.mmm:22 from hhh.hhh.hhh.hhh:1384
>
> How can we found in the old system all mechanism to enable remotely ircd
> or backdoor? Are there any rootkit which it has a backdoor at UDP port 22?
>
> Paulo.
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

application/pgp-signature attachment: stored

Next message: cans23840361@hotmail.com: "See Real Babes (0384CuMg3-126YqKc6577@20)"
Previous message: Paulo Fragoso: "Auditing"
Maybe in reply to: Paulo Fragoso: "Auditing"
Next in thread: Rik: "Re: Auditing"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: Auditing
... I still see scanners looking for UDP port 22 every once in a while ... (script kiddies looking for poorly configured PC-Anywhere instances). ... So, this could be unrelated to your incident, and just be some random ...
(FreeBSD-Security)
RE: Cisco VPN client
... The UDP port 10000 configuration reference is proprietary to the Cisco VPN ... transit between the VPN client and the concentrator. ...
(Security-Basics)
Re: bind() udp behavior 2.6.8.1
... > clearing out a UDP connection in a firewall coming from a high port is ... Allowing a high numbered udp port to remain ... I think the current OpenAFS ...
(Linux-Kernel)
Re: Easy RRAS VPN question
... L2TP traffic at the UDP port of 1701. ... the security layer encountered a processing error during initial ... Jarryd ...
(microsoft.public.windows.server.networking)
Re: tcludp - bug when closing 1-of-2 listening ports
... It is indeed linked with zero-sized UDP packets. ... Listening on udp port: 1300 ... recv at 1300: 4 ...
(comp.lang.tcl)