OpenSSL trojan: I seem to have post-install evidence?

From: D J Hawkey Jr (hawkeyd@visi.com)
Date: 08/02/02


Date: Fri, 2 Aug 2002 10:48:36 -0500
From: D J Hawkey Jr <hawkeyd@visi.com>
To: security at FreeBSD <freebsd-security@freebsd.org>

Hi All.

I need some help here. I 'cvsup'd from RELENG_4_5 yesterday, and built and
installed the world, bringing my system to 4.5-RELEASE-15. I have since
seen the following in /var/log/security:

---8<---

Aug 2 10:27:15 sheol ipmon[70]: 10:27:15.792366 dc1 @1:13 b 216.196.144.24,1166 -> 208.42.101.192,6667 PR tcp len 20 48 -S IN
Aug 2 10:27:15 sheol ipmon[70]: 10:27:15.793415 dc1 @1:13 b 216.196.144.24,1167 -> 208.42.101.193,6667 PR tcp len 20 48 -S IN
Aug 2 10:27:18 sheol ipmon[70]: 10:27:18.702554 dc1 @1:13 b 216.196.144.24,1166 -> 208.42.101.192,6667 PR tcp len 20 48 -S IN
Aug 2 10:27:18 sheol ipmon[70]: 10:27:18.726508 dc1 @1:13 b 216.196.144.24,1167 -> 208.42.101.193,6667 PR tcp len 20 48 -S IN
Aug 2 10:27:24 sheol ipmon[70]: 10:27:24.710308 dc1 @1:13 b 216.196.144.24,1166 -> 208.42.101.192,6667 PR tcp len 20 48 -S IN
Aug 2 10:27:24 sheol ipmon[70]: 10:27:24.749498 dc1 @1:13 b 216.196.144.24,1167 -> 208.42.101.193,6667 PR tcp len 20 48 -S IN

--->8---

From what I've read, the trojan tries to use port 6667, and I haven't got
any such log entries to port 6667 prior to my updating to 4.5-RELEASE-p15.

Is there something undiscovered, and perhaps sinister, going on here? I'll
be happy to provide more data as requested.

Please reply by mail to me (and the list, as desired), as I'm not subscribed
to -security.

Thanks,
Dave

-- 
  ______________________                         ______________________
  \__________________   \    D. J. HAWKEY JR.   /   __________________/
     \________________/\     hawkeyd@visi.com    /\________________/
                      http://www.visi.com/~hawkeyd/
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
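As an added example that is not part of the post above, here is a small parser for the ipmon log format shown in the message, with a triage function that picks out blocked TCP connection attempts (bare SYN, flag "-S") to the IRC port the poster mentions (6667) and groups them by originating address. Grouping by source tells an administrator which host actually initiated the attempts, how many there were and how many the filter blocked, which is the first thing to check before concluding a trojan is present. The sample input embeds the six lines from the post plus two constructed benign lines (a passed HTTP SYN and a UDP DNS packet to TEST-NET addresses) to show they are filtered out; the field layout is assumed from the lines on the page, and lines in other ipmon formats (ICMP, short packets) are skipped rather than guessed at.

```python
import re
from dataclasses import dataclass

# ipmon line layout as it appears in the post:
#   Aug 2 10:27:15 sheol ipmon[70]: 10:27:15.792366 dc1 @1:13 b \
#       216.196.144.24,1166 -> 208.42.101.192,6667 PR tcp len 20 48 -S IN
# The flags field ("-S") is only present for TCP; the layout is assumed from
# those lines, so anything that does not match is returned as None.
IPMON_RE = re.compile(r"""
    ^(?P<stamp>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<logger>\S+)\s+ipmon\[\d+\]:\s+
    (?P<usec>\d\d:\d\d:\d\d\.\d+)\s+(?P<iface>\S+)\s+@(?P<rule>\S+)\s+(?P<action>\S)\s+
    (?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+),(?P<dport>\d+)\s+
    PR\s+(?P<proto>\w+)\s+len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)
    (?:\s+(?P<flags>-[A-Z]+))?\s+(?P<dir>IN|OUT)\s*$
""", re.VERBOSE)


@dataclass
class IpmonEvent:
    stamp: str
    iface: str
    rule: str
    action: str      # 'b' = blocked, 'p' = passed
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    flags: str       # e.g. '-S' for a bare SYN; '' when the field is absent
    direction: str   # 'IN' or 'OUT' relative to the interface


def parse_ipmon_line(line):
    """Parse one ipmon log line; return None for lines in another layout."""
    m = IPMON_RE.match(line.strip())
    if not m:
        return None
    return IpmonEvent(stamp=m['stamp'], iface=m['iface'], rule=m['rule'],
                      action=m['action'], src=m['src'], sport=int(m['sport']),
                      dst=m['dst'], dport=int(m['dport']),
                      proto=m['proto'].lower(), flags=m['flags'] or '',
                      direction=m['dir'])


SUSPECT_PORTS = {6667}  # the IRC port named in the post


def find_irc_connect_attempts(lines, ports=SUSPECT_PORTS):
    """Summarise TCP connection attempts (bare SYN) to the given ports, keyed
    by originating address: attempt count, how many were blocked, distinct
    destinations, and the first/last timestamp seen."""
    summary = {}
    for line in lines:
        ev = parse_ipmon_line(line)
        if ev is None or ev.proto != 'tcp' or ev.dport not in ports:
            continue
        if ev.flags != '-S':      # only connection initiation, not data/RST
            continue
        entry = summary.setdefault(ev.src, {
            'attempts': 0, 'blocked': 0, 'targets': set(),
            'first': ev.stamp, 'last': ev.stamp})
        entry['attempts'] += 1
        if ev.action == 'b':
            entry['blocked'] += 1
        entry['targets'].add(ev.dst)
        entry['last'] = ev.stamp
    return summary


# Sample input: the six lines quoted in the post, followed by two constructed
# benign lines (HTTP SYN that was passed, and a UDP DNS query) as controls.
SAMPLE_LINES = [
    "Aug 2 10:27:15 sheol ipmon[70]: 10:27:15.792366 dc1 @1:13 b 216.196.144.24,1166 -> 208.42.101.192,6667 PR tcp len 20 48 -S IN",
    "Aug 2 10:27:15 sheol ipmon[70]: 10:27:15.793415 dc1 @1:13 b 216.196.144.24,1167 -> 208.42.101.193,6667 PR tcp len 20 48 -S IN",
    "Aug 2 10:27:18 sheol ipmon[70]: 10:27:18.702554 dc1 @1:13 b 216.196.144.24,1166 -> 208.42.101.192,6667 PR tcp len 20 48 -S IN",
    "Aug 2 10:27:18 sheol ipmon[70]: 10:27:18.726508 dc1 @1:13 b 216.196.144.24,1167 -> 208.42.101.193,6667 PR tcp len 20 48 -S IN",
    "Aug 2 10:27:24 sheol ipmon[70]: 10:27:24.710308 dc1 @1:13 b 216.196.144.24,1166 -> 208.42.101.192,6667 PR tcp len 20 48 -S IN",
    "Aug 2 10:27:24 sheol ipmon[70]: 10:27:24.749498 dc1 @1:13 b 216.196.144.24,1167 -> 208.42.101.193,6667 PR tcp len 20 48 -S IN",
    # constructed controls (TEST-NET addresses), not from the post
    "Aug 2 10:30:01 sheol ipmon[70]: 10:30:01.000000 dc1 @1:2 p 216.196.144.24,1170 -> 198.51.100.7,80 PR tcp len 20 48 -S IN",
    "Aug 2 10:30:02 sheol ipmon[70]: 10:30:02.000000 dc1 @1:2 p 216.196.144.24,1171 -> 198.51.100.53,53 PR udp len 20 60 IN",
]

if __name__ == "__main__":
    for src, info in find_irc_connect_attempts(SAMPLE_LINES).items():
        print(f"{src}: {info['attempts']} SYN(s) to port 6667, "
              f"{info['blocked']} blocked, targets={sorted(info['targets'])}, "
              f"{info['first']} .. {info['last']}")
```

The retry spacing visible in the summary (roughly 3 s then 6 s between bursts, two destinations tried in parallel) is itself useful: it is the pattern of a program retrying a connection, not of a one-off user action, so the originating host is the one to examine. The report says nothing about what process sent the packets; that still has to be established on the host itself.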

