OpenSSL trojan: I seem to have post-install evidence?

From: D J Hawkey Jr (hawkeyd@visi.com)
Date: 08/02/02


Date: Fri, 2 Aug 2002 10:48:36 -0500
From: D J Hawkey Jr <hawkeyd@visi.com>
To: security at FreeBSD <freebsd-security@freebsd.org>

Hi All.

I need some help here. I 'cvsup'd from RELENG_4_5 yesterday, and built and
installed the world, bringing my system to 4.5-RELEASE-p15. I have since
seen the following in /var/log/security:

---8<---

Aug 2 10:27:15 sheol ipmon[70]: 10:27:15.792366 dc1 @1:13 b 216.196.144.24,1166 -> 208.42.101.192,6667 PR tcp len 20 48 -S IN
Aug 2 10:27:15 sheol ipmon[70]: 10:27:15.793415 dc1 @1:13 b 216.196.144.24,1167 -> 208.42.101.193,6667 PR tcp len 20 48 -S IN
Aug 2 10:27:18 sheol ipmon[70]: 10:27:18.702554 dc1 @1:13 b 216.196.144.24,1166 -> 208.42.101.192,6667 PR tcp len 20 48 -S IN
Aug 2 10:27:18 sheol ipmon[70]: 10:27:18.726508 dc1 @1:13 b 216.196.144.24,1167 -> 208.42.101.193,6667 PR tcp len 20 48 -S IN
Aug 2 10:27:24 sheol ipmon[70]: 10:27:24.710308 dc1 @1:13 b 216.196.144.24,1166 -> 208.42.101.192,6667 PR tcp len 20 48 -S IN
Aug 2 10:27:24 sheol ipmon[70]: 10:27:24.749498 dc1 @1:13 b 216.196.144.24,1167 -> 208.42.101.193,6667 PR tcp len 20 48 -S IN

--->8---

From what I've read, the trojan tries to use port 6667, and I haven't got
any such log entries to port 6667 prior to my updating to 4.5-RELEASE-p15.

Is there something undiscovered, and perhaps sinister, going on here? I'll
be happy to provide more data as requested.

Please reply by mail to me (and the list, as desired), as I'm not subscribed
to -security.

Thanks,
Dave

-- 
  ______________________                         ______________________
  \__________________   \    D. J. HAWKEY JR.   /   __________________/
     \________________/\     hawkeyd@visi.com    /\________________/
                      http://www.visi.com/~hawkeyd/
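The ipmon(8) lines quoted in the post, run through a small parser. This is an added example, not part of the original post and not a FreeBSD or IPFilter tool: it pulls apart the fields ipmon prints (syslog prefix, interface, @group:rule, action, src,port -> dst,port, protocol, lengths, TCP flags, direction), keeps only bare SYNs to port 6667, and groups them by originating address, interface, direction and action. Because ipmon's IN/OUT is relative to the interface named on the line, the grouping shows whether the packets left the firewall host itself (OUT on its outside interface) or arrived from another machine (IN on an inside interface), which is the first thing to establish before blaming the freshly installed world. The two lines marked "constructed" below, the 192.0.2.10 address and the dc0 interface are invented for the demonstration.

```python
"""Pick out TCP SYNs to a given port (6667 here) from ipmon(8) syslog lines.

Added example, not from the original post. The six 216.196.144.24 lines are
the ones quoted in the post; lines marked 'constructed' are made up here.
"""
import re
from collections import defaultdict

# One ipmon line: syslog prefix, ipmon timestamp, interface, @group:rule,
# action, src,port -> dst,port, PR proto, len hdrlen totlen,
# optional TCP flags (-S, -A, -AP, ...), direction relative to the interface.
IPMON_RE = re.compile(
    r"^(?P<syslog_ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) ipmon\[\d+\]: "
    r"(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>\S+) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\S+) len (?P<hlen>\d+) (?P<tlen>\d+)"
    r"(?: (?P<flags>-[A-Z]+))? (?P<direction>IN|OUT)\s*$"
)

# ipmon action letters: b = blocked, p = passed (other letters are kept raw).
ACTIONS = {"b": "blocked", "p": "passed"}

SAMPLE_LINES = [
    # From the post (sheol is the firewall; dc1 is the interface these arrived on).
    "Aug 2 10:27:15 sheol ipmon[70]: 10:27:15.792366 dc1 @1:13 b 216.196.144.24,1166 -> 208.42.101.192,6667 PR tcp len 20 48 -S IN",
    "Aug 2 10:27:15 sheol ipmon[70]: 10:27:15.793415 dc1 @1:13 b 216.196.144.24,1167 -> 208.42.101.193,6667 PR tcp len 20 48 -S IN",
    "Aug 2 10:27:18 sheol ipmon[70]: 10:27:18.702554 dc1 @1:13 b 216.196.144.24,1166 -> 208.42.101.192,6667 PR tcp len 20 48 -S IN",
    "Aug 2 10:27:18 sheol ipmon[70]: 10:27:18.726508 dc1 @1:13 b 216.196.144.24,1167 -> 208.42.101.193,6667 PR tcp len 20 48 -S IN",
    "Aug 2 10:27:24 sheol ipmon[70]: 10:27:24.710308 dc1 @1:13 b 216.196.144.24,1166 -> 208.42.101.192,6667 PR tcp len 20 48 -S IN",
    "Aug 2 10:27:24 sheol ipmon[70]: 10:27:24.749498 dc1 @1:13 b 216.196.144.24,1167 -> 208.42.101.193,6667 PR tcp len 20 48 -S IN",
    # Constructed: a passed HTTP SYN, an ACK (not a connection attempt) to 6667,
    # a UDP packet with no flags field, and an OUT SYN from the firewall itself
    # on a made-up interface/address. None of these appear in the post.
    "Aug 2 10:27:20 sheol ipmon[70]: 10:27:20.100000 dc1 @0:2 p 216.196.144.24,1168 -> 208.42.101.192,80 PR tcp len 20 48 -S IN",
    "Aug 2 10:27:21 sheol ipmon[70]: 10:27:21.200000 dc1 @1:13 b 216.196.144.24,1169 -> 208.42.101.192,6667 PR tcp len 20 40 -A IN",
    "Aug 2 10:27:22 sheol ipmon[70]: 10:27:22.300000 dc1 @0:5 p 216.196.144.24,1024 -> 208.42.101.1,53 PR udp len 20 60 IN",
    "Aug 2 10:27:30 sheol ipmon[70]: 10:27:30.500000 dc0 @0:9 p 192.0.2.10,2049 -> 208.42.101.192,6667 PR tcp len 20 48 -S OUT",
]


def parse_ipmon_line(line):
    """Return a dict of the line's fields, or None if it is not an ipmon line."""
    m = IPMON_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["action"] = ACTIONS.get(rec["action"][0], rec["action"])
    rec["flags"] = rec["flags"] or ""
    return rec


def find_syns_to_port(lines, port=6667):
    """Keep TCP packets to `port` whose only flag is SYN: new connection attempts.
    ACKs, data segments and UDP are ignored; unparsable lines are skipped."""
    hits = []
    for line in lines:
        rec = parse_ipmon_line(line)
        if rec is None or rec["proto"] != "tcp":
            continue
        if rec["dport"] == port and rec["flags"] == "-S":
            hits.append(rec)
    return hits


def summarize(hits):
    """Group hits by (source, interface, direction, action): IN on an interface
    means the packet arrived from another host, OUT means this host sent it."""
    summary = defaultdict(lambda: {"count": 0, "targets": set(), "first": None, "last": None})
    for rec in hits:
        entry = summary[(rec["src"], rec["iface"], rec["direction"], rec["action"])]
        entry["count"] += 1
        entry["targets"].add(rec["dst"])
        entry["first"] = entry["first"] or rec["ts"]
        entry["last"] = rec["ts"]
    return dict(summary)


if __name__ == "__main__":
    for (src, iface, direction, action), e in summarize(find_syns_to_port(SAMPLE_LINES)).items():
        print(f"{src:16} {iface:4} {direction:3} {action:8} {e['count']:3} SYN(s) "
              f"{e['first']}..{e['last']} -> {', '.join(sorted(e['targets']))}")
```

Running it over the post's lines reports one group: 216.196.144.24 on dc1, direction IN, blocked, six SYNs to 208.42.101.192 and .193. Feeding it the whole /var/log/security instead of SAMPLE_LINES, and comparing the first timestamp in each group with the time of the installworld, is the quick way to check the "none before the update" observation in the post.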