Re: Auditing

From: Eli Dart (dart@nersc.gov)
Date: 02/06/02


To: Paulo Fragoso <paulo@nlink.com.br>
Date: Tue, 05 Feb 2002 16:48:40 -0800
From: Eli Dart <dart@nersc.gov>



I don't know all the details involving your particular incident, but
at one time there was a bug in PC-Anywhere that caused it to listen
on UDP port 22 (they didn't put their port number in network byte
order as I remember).

I still see scanners looking for UDP port 22 every once in a while
(script kiddies looking for poorly configured PC-Anywhere instances).

So, this could be unrelated to your incident, and just be some random
script kiddie. In general, if you turn on log_in_vain on a box that
is directly connected to the Internet, you'll see a lot of random
cruft....

                --eli

In reply to Paulo Fragoso <paulo@nlink.com.br> :

> Hi,
>
> We have a client which was using 4.2-RELEASE with telnetd enabled. On that
> machine an ircd was running, installed and started by a hacker, probably
> exploiting the telnetd hole.
>
> We have installed 4.5-RELEASE using another HD and log_vain="YES" in the
> rc.conf. Some time after that upgrade, someone tried to connect to this
> machine:
>
> Connection attempt to UDP mmm.mmm.mmm.mmm:22 from hhh.hhh.hhh.hhh:1384
>
> How can we find in the old system all mechanisms used to enable the ircd
> remotely or a backdoor? Is there any rootkit which has a backdoor at UDP port 22?
>
> Paulo.
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
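As an added example (not part of this thread), a small Python script that parses FreeBSD log_in_vain kernel messages of the form quoted above and separates repeated UDP/22 probes, like the PC-Anywhere scanning Eli describes, from sources sweeping many ports. The log lines and addresses are constructed samples; the syslog prefix is assumed to be the usual /var/log/messages layout.

```python
import re
from collections import defaultdict

# FreeBSD log_in_vain kernel message, optionally preceded by a syslog prefix.
LOG_IN_VAIN_RE = re.compile(
    r"Connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) from (?P<src>[\d.]+):(?P<sport>\d+)"
)

# Constructed sample log (RFC 5737 documentation addresses), not a real capture.
SAMPLE_LOG = """\
Feb  5 16:48:40 host kernel: Connection attempt to UDP 192.0.2.10:22 from 198.51.100.7:1384
Feb  5 16:49:02 host kernel: Connection attempt to TCP 192.0.2.10:23 from 203.0.113.5:41022
Feb  5 16:49:03 host kernel: Connection attempt to TCP 192.0.2.10:25 from 203.0.113.5:41023
Feb  5 16:49:03 host kernel: Connection attempt to TCP 192.0.2.10:110 from 203.0.113.5:41024
Feb  5 16:49:04 host kernel: Connection attempt to TCP 192.0.2.10:143 from 203.0.113.5:41025
Feb  5 16:50:11 host kernel: Connection attempt to UDP 192.0.2.10:22 from 198.51.100.7:1384
Feb  5 16:51:00 host sshd[123]: unrelated line that must be ignored
"""

def parse_log_in_vain(text):
    """Return one (proto, dst, dport, src, sport) tuple per matching line."""
    events = []
    for line in text.splitlines():
        m = LOG_IN_VAIN_RE.search(line)
        if m:
            events.append((m["proto"], m["dst"], int(m["dport"]),
                           m["src"], int(m["sport"])))
    return events

def summarize(events, sweep_threshold=4):
    """Group attempts by source; report UDP/22 probes and multi-port sweeps."""
    ports_by_src = defaultdict(set)
    udp22_by_src = defaultdict(int)
    for proto, _dst, dport, src, _sport in events:
        ports_by_src[src].add((proto, dport))
        if proto == "UDP" and dport == 22:
            udp22_by_src[src] += 1
    return {
        "udp22_probes": dict(udp22_by_src),
        "port_sweeps": sorted(s for s, p in ports_by_src.items()
                              if len(p) >= sweep_threshold),
    }

if __name__ == "__main__":
    print(summarize(parse_log_in_vain(SAMPLE_LOG)))
```

Pointing it at the real file (e.g. reading /var/log/messages instead of SAMPLE_LOG) gives a quick per-source view of what log_in_vain is recording.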


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
