From: Peter C. Lai (sirmoo@cowbert.2y.net)
Date: Mon Mar 05 2001 - 15:45:44 CST
Most probably a luser on the system is running ircd which doesn't need
elevated privs because it is binding above port 1024, and they are also
trying to do some "l33t hax0ring" of winboxen using Netbus's admin tool.
----- Original Message -----
From: "David G. Andersen" <dga@pobox.com>
To: "Alfred Perlstein" <bright@wintelcom.net>
Cc: "Evren Yurtesen" <yurtesen@ispro.net.tr>; "Dag-Erling Smorgrav" <des@ofug.org>; "dce" <dce@squish.org>; <security@FreeBSD.ORG>
Sent: Monday, March 05, 2001 3:12 PM
Subject: Re: 31337
> That's not correct. Nmap has the "Elite" service name built in to
> its nmap-services file. Mostly because of the obvious 5kr1p7 k11d13
> name mapping. His /etc/services is probably just fine.
>
> -Dave
>
> Lo and behold, Alfred Perlstein once said:
> >
> > * Evren Yurtesen <yurtesen@ispro.net.tr> [010305 11:30] wrote:
> > > can't it be a person who has a shell and executes some daemons etc., like
> > > ircd?
> > >
> > > why does he need to reinstall his system?
> >
> > Because if the box is reporting port 31337 as the 'elite' service
> > it means someone most likely has modified /etc/services which
> > indicates that they have attained elevated privs somehow.
> >
> >
> > >
> > > Evren
> > >
> > > > dce <dce@squish.org> writes:
> > > > > I have noticed the following ports open on my FreeBSD 4.2-STABLE machine
> > > > >
> > > > > 31337/tcp open Elite
> > > > > 6667/tcp open irc
> > > >
> > > > You're owned. Take your box off the net, take a backup, reinstall from
> > > > trusted media (preferably original CD-ROMs from BSDI), transfer data
> > > > (*no* executables, scripts or configuration files!) from backup. And
> > > > get some security clue; the security(7) man page is a good place to
> > > > start, though far from complete.
> > > >
> > > > DES
> > > > --
> > > > Dag-Erling Smorgrav - des@ofug.org
> > > >
> > > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > > with "unsubscribe freebsd-security" in the body of the message
> > > >
> > >
> > >
> >
> > --
> > -Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
> >
> >
>
>
> --
> work: dga@lcs.mit.edu me: dga@pobox.com
> MIT Laboratory for Computer Science http://www.angio.net/