
Re: Break-in? /usr/lib/telnetd, port 1037




> Date: Mon, 14 Jan 2002 14:49:36 -0600
> From: Kent West <westk@nicanor.acu.edu>
> Reply-To: kent.west@infotech.acu.edu
> To: debian-user@lists.debian.org
> Subject: Break-in? /usr/lib/telnetd, port 1037
> Resent-Date: Mon, 14 Jan 2002 15:53:52 -0500 (EST)
> Resent-From: debian-user@lists.debian.org
>
> I've got a Debian box (2.2.17, mostly woody) that I've just discovered
> has a more-or-less hidden telnetd running on port 1037 as well as the
> normal telnetd on port 23. I thought I had uninstalled telnetd (although
> it's possible I forgot to remove it).
>
> I'm thinking that somehow I've been broken into.
>
> I've got a pretty good Unix admin (not Debian) here helping to take a
> look at it, but so far she's not been able to learn anything definitive.
> One thing she thought odd was the existence of the directory
> /usr/lib/telnetd. And here's what one of the security gurus on one of
> her security mailing lists had to say about it:
>
> >
> > There should not be a /usr/lib/telnetd.

As you mentioned this is only a directory and not the actual binary of
telnetd. This directory contains the login program that telnet uses to
authenticate users.

> > You have been hacked.
> > This is NOT normal behavior.
> > executables should never be stored in /usr/lib
> > that's for libraries.
> > There should also NOT be a telnetd user in our password file.
> > ftp maybe NOT telnetd.
> > /etc/services is just for mapping ports to services.
> > You could delete it and everything in inetd.conf would still work.
> > You just wouldn't get a nice port to name mapping from netstat;-)
>
> 1) is it normal for a Debian box to have telnetd as a user, as a member
> of utmp, and to have the /usr/lib/telnetd directory?
>

I don't believe that's a problem. As soon as you install the telnetd
package you have a telnetd user in /etc/passwd. It should however not have
any passwd in /etc/shadow . . .
But it's abnormal to have a hidden telnet server on port 1037. You should
look into that.

Robert Walker.
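The two checks the thread turns on are (a) which process actually owns the unexpected listener on port 1037, and (b) whether the telnetd account in /etc/shadow is locked rather than passwordless. The script below is an added triage example and is not code from the thread or from Debian's telnetd package. It assumes a Linux host with /proc/net/tcp and /etc/shadow in their standard formats; the sample socket table and shadow lines embedded in it are constructed. The helper that maps a socket inode to a PID is the same lookup netstat -p and lsof perform, done by hand so the result does not depend on a possibly tampered netstat binary.

```python
"""Triage helpers for a suspected hidden listener (e.g. telnetd on port 1037).

Added example, not from the mailing-list thread or the telnetd package.
Assumes Linux /proc/net/tcp and /etc/shadow formats; sample inputs are constructed.
"""
import glob
import os

LISTEN = "0A"  # TCP state code for LISTEN in /proc/net/tcp

# Constructed /proc/net/tcp excerpt: listeners on 23 (0x0017) and 1037 (0x040D),
# plus one established connection that must be ignored.
SAMPLE_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1111 1 0 100 0 0 10 0
   1: 00000000:040D 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 2222 1 0 100 0 0 10 0
   2: 0100007F:0017 0100007F:8A3C 01 00000000:00000000 00:00000000 00000000     0        0 3333 1 0 20 4 2 10 -1
"""

# Constructed /etc/shadow excerpt: root has a hash, telnetd is locked with '*'.
SAMPLE_SHADOW = """root:$1$constructedhashvalue:11700:0:99999:7:::
telnetd:*:11700:0:99999:7:::
"""


def parse_listeners(proc_net_tcp_text):
    """Return {port: (uid, inode)} for every socket in LISTEN state."""
    listeners = {}
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip header row
        fields = line.split()
        if len(fields) < 10:
            continue
        local, state, uid, inode = fields[1], fields[3], fields[7], fields[9]
        if state != LISTEN:
            continue
        port = int(local.split(":")[1], 16)  # port is hex in /proc/net/tcp
        listeners[port] = (int(uid), int(inode))
    return listeners


def unexpected_listeners(listeners, expected_ports):
    """Ports that are listening but not in the administrator's allow-list."""
    return sorted(p for p in listeners if p not in expected_ports)


def pids_for_socket_inode(inode, proc_root="/proc"):
    """Map a socket inode to owning PIDs by reading /proc/<pid>/fd symlinks."""
    target = "socket:[%d]" % inode
    pids = []
    for fd_dir in glob.glob(os.path.join(proc_root, "[0-9]*", "fd")):
        pid = int(os.path.basename(os.path.dirname(fd_dir)))
        try:
            for fd in os.listdir(fd_dir):
                try:
                    if os.readlink(os.path.join(fd_dir, fd)) == target:
                        pids.append(pid)
                        break
                except OSError:
                    continue  # fd closed while we looked, or not ours to read
        except OSError:
            continue  # process exited or permission denied (run as root)
    return sorted(pids)


def shadow_password_state(shadow_text, user):
    """'locked' ('*' or '!' prefix), 'set' (a hash), 'empty' (no password), or None."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if fields[0] != user:
            continue
        pw = fields[1] if len(fields) > 1 else ""
        if pw == "":
            return "empty"
        if pw.startswith(("*", "!")):
            return "locked"
        return "set"
    return None


def triage(expected_ports=(22, 23), tcp_path="/proc/net/tcp", shadow_path="/etc/shadow"):
    """Run both checks against the live host; prints a short report."""
    with open(tcp_path) as f:
        listeners = parse_listeners(f.read())
    for port in unexpected_listeners(listeners, set(expected_ports)):
        uid, inode = listeners[port]
        print("unexpected listener on %d (uid %d) owned by pids %s"
              % (port, uid, pids_for_socket_inode(inode) or "unknown"))
    try:
        with open(shadow_path) as f:
            print("telnetd shadow entry:", shadow_password_state(f.read(), "telnetd"))
    except OSError as exc:
        print("cannot read shadow file:", exc)


if __name__ == "__main__":
    triage()
```

Run as root on the suspect host; a listener whose inode maps to no PID at all usually means the owning process is hidden from /proc, which is a stronger indicator than the odd port number itself. An "empty" result for the telnetd entry is the case Robert's "should not have any passwd in /etc/shadow" remark is warning about; "locked" is the expected state.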
