
Re: Break-in? /usr/lib/telnetd, port 1037



* Kent West (westk@nicanor.acu.edu) spake thusly:
> Noah Meyerhans wrote:
...
> >Having telnetd listening on port 1037, if in fact it is, is probably not
> >a good thing.  Have you actually tried telnetting to that port ('telnet
> >localhost 1037')?
> 
> Yes, and I'm able to login via that port.
> 
> >Does 'netstat -tlnp' indicate that the process using
> >that port is actually in "LISTEN" state?
> 
> chanslor[westk]:/home/westk> sudo netstat -tlnp
> Password:
> Active Internet connections (only servers)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
...
> tcp        0      0 0.0.0.0:1037            0.0.0.0:*               LISTEN      456/inetd

What's in /etc/services for port 1037? Who else has r00t on the
box and are you sure they didn't do that?

Anyway, if you believe you've been hacked,

1. If it's not a mission-critical box and you're interested in doing
   a post-mortem: sync the filesystems and pull the power cord. Take
   out the disk, mount it [noexec] on a known good box, then see
   what's in there.
   
2. If it's a mission-critical box: fdisk, mkfs, reinstall. This is
   faster than trying to fix things.

EXPN: it is possible to insert a module into the running kernel which
will modify /proc et al. so that ps, netstat, ls etc. will not show
certain processes/files/connections. IOW you cannot trust *any* program
on a hacked box; that's why you need a known good box to do a post-mortem
on. It is also possible to intercept shutdown and wipe out all traces
of intrusion / your whole HD. Hence the advice to pull the power cord.

Dima
-- 
Well, lusers are technically human.                            -- Red Drag Diva
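The first thing the reply above asks for is what /etc/services and inetd say about port 1037, read from the suspect disk after it has been mounted on a known good box. The script below is an added example, not something from the thread or from Debian: it resolves a numeric tcp port to its /etc/services name and then to the inetd.conf line that serves it, and it walks that chain for the port netstat reported. The device and mount point in the comment, the directory layout and the two sample files are constructed for the demo; the sample inetd.conf merely mirrors the symptom in the subject line (an inetd entry handing an odd port to /usr/lib/telnetd) and is not evidence of what was on the poster's box.

```shell
#!/bin/sh
# Added example (not from the original thread): resolve a suspicious
# listening port back to its /etc/services name and inetd.conf entry,
# reading the files from a suspect disk mounted on a known-good box.
# Device, mount point and sample file contents below are constructed.

# Mount the pulled disk read-only with noexec/nosuid/nodev so nothing on it
# can run or escalate (assumed device and mount point):
#   mount -o ro,noexec,nosuid,nodev /dev/sdb1 /mnt/suspect
# then run this against /mnt/suspect/etc rather than the demo directory.

# port_to_service SERVICES_FILE PORT -> prints the tcp service name, or nothing
port_to_service() {
    awk -v p="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }          # skip comments / blanks
        { split($2, a, "/")                          # "1037/tcp" -> 1037, tcp
          if (a[1] == p && a[2] == "tcp") { print $1; exit } }
    ' "$1"
}

# inetd_entry INETD_CONF NAME -> prints the active (uncommented) tcp line for NAME
inetd_entry() {
    awk -v n="$2" '
        /^[[:space:]]*#/ || NF < 6 { next }          # commented-out services do not listen
        $1 == n && $3 ~ /^tcp/ { print; exit }       # fields: name type proto wait user server args
    ' "$1"
}

# suspect_port ETC_DIR PORT -> "name inetd-line" (or "unknown" / "no-inetd-entry")
suspect_port() {
    name=$(port_to_service "$1/services" "$2")
    [ -n "$name" ] || name=unknown
    line=$(inetd_entry "$1/inetd.conf" "$name")
    printf '%s %s\n' "$name" "${line:-no-inetd-entry}"
}

# Constructed sample files standing in for <mountpoint>/etc/{services,inetd.conf}.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/services" <<'EOF'
# Network services, Internet style (constructed sample)
ftp		21/tcp
telnet		23/tcp
smtp		25/tcp		mail
foo		1037/tcp	# entry nobody remembers adding
EOF
cat > "$demo_dir/inetd.conf" <<'EOF'
# constructed sample inetd.conf
#ftp	stream	tcp	nowait	root	/usr/sbin/tcpd	/usr/sbin/in.ftpd
telnet	stream	tcp	nowait	root	/usr/sbin/tcpd	/usr/sbin/in.telnetd
foo	stream	tcp	nowait	root	/usr/lib/telnetd	telnetd
EOF

# The port netstat showed inetd holding, plus one whose inetd line is commented out
# and one that no file knows about, to show how each case reads.
suspect_port "$demo_dir" 1037
suspect_port "$demo_dir" 21
suspect_port "$demo_dir" 9999
```

If the name for the port is missing from /etc/services, inetd.conf may still refer to the port by number in its first field, and a listener can equally come from a standalone daemon rather than inetd, so a blank result here rules nothing out; it only tells you whether the obvious explanation (an added inetd service) is present on the disk.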