
Re: Break-in? /usr/lib/telnetd, port 1037



On Mon, Jan 14, 2002 at 02:49:36PM -0600, Kent West wrote:
> I've got a Debian box (2.2.17, mostly woody) that I've just discovered 
> has a more-or-less hidden telnetd running on port 1037 as well as the 
> normal telnetd on port 23. I thought I had uninstalled telnetd (although 
> it's possible I forgot to remove it).
> 
> I'm thinking that somehow I've been broken into.
> 
> I've got a pretty good Unix admin (not Debian) here helping to take a 
> look at it, but so far she's not been able to learn anything definitive. 
> One thing she thought odd was the existence of the directory 
> /usr/lib/telnetd. And here's what one of the security gurus on one of 
> her security mailing lists had to say about it:
> 
> >
> >There should not be a /usr/lib/telnetd.
> >You have been hacked.
> >This is NOT normal behavior.
> >executables should never be stored in /usr/lib
> >that's for libraries.
> >There should also NOT be a telnetd user in our password file.
> >ftp maybe NOT telnetd.
> >/etc/services is just for mapping ports to services.
> >You could delete it and everything in inetd.conf would still work.
> >You just wouldn't get a nice port to name mapping from netstat;-)

/usr/lib/telnetd is where the wrapper is. That is supposed to be there.
The wrapper is to help prevent certain kinds of attacks.

Don't look at telnetd too closely. Most likely it is just a backdoor,
and the real security hole (that they exploited) is somewhere else.


Ben

-- 
 .----------=======-=-======-=========-----------=====------------=-=-----.
/                   Ben Collins    --    Debian GNU/Linux                  \
`  bcollins@debian.org  --  bcollins@openldap.org  --  bcollins@linux.com  '
 `---=========------=======-------------=-=-----=-===-======-------=--=---'
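The question the thread turns on is whether a file like /usr/lib/telnetd is package content or something an intruder dropped, and which listener's binary deserves the closer look. dpkg already records who owns every installed file and what its md5sum was at install time, so that is a cheap first check. The script below is an added example, not code from the original mail or from the Debian telnetd package: it lists each listening TCP socket, resolves the process's executable through /proc, asks dpkg whether a package owns it, and compares the on-disk md5 with the package's shipped list. A binary dpkg has never heard of, one whose checksum no longer matches, or one that has been unlinked while the process keeps running is the one to inspect. It assumes a Debian-style host with iproute2 `ss`, `dpkg` and `/var/lib/dpkg/info/*.md5sums`; the 2002 box in the thread would have used `netstat -tlnp` for the socket listing instead. The embedded sample `ss` output is constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the original mail or the Debian telnetd package):
# triage listening sockets on a Debian host and check each listener's binary
# against dpkg's file ownership and md5sum records.
# Assumes: iproute2 `ss`, `dpkg`, /var/lib/dpkg/info/<pkg>.md5sums, GNU readlink.

# parse_listeners: read `ss -ltnp` text on stdin, print "<port> <pid>" for
# every LISTEN line that carries a pid; the header line is skipped.
parse_listeners() {
  awk '$1 == "LISTEN" {
    n = split($4, a, ":"); port = a[n]            # text after the last colon
    if (match($0, /pid=[0-9]+/))
      print port, substr($0, RSTART + 4, RLENGTH - 4)
  }'
}

# expected_md5: read a dpkg .md5sums list on stdin ("<md5>  <path without
# leading slash>") and print the md5 recorded for absolute path $1, if any.
expected_md5() {
  local rel="${1#/}"
  awk -v p="$rel" '$2 == p { print $1; exit }'
}

# owning_package: print the package that owns file $1 per `dpkg -S`, or
# nothing if no package owns it. Diversion lines are skipped. Always exits 0.
owning_package() {
  command -v dpkg >/dev/null 2>&1 || return 0
  dpkg -S "$1" 2>/dev/null | awk '!/^diversion/ { sub(/:.*/, "", $1); print $1; exit }'
  return 0
}

# check_listener <port> <pid>: print one verdict line for the listener.
check_listener() {
  local port="$1" pid="$2" exe pkg sums want have
  exe=$(readlink -f "/proc/$pid/exe" 2>/dev/null) || {
    echo "$port pid=$pid exe=? (no /proc entry, process gone?)"; return 0; }
  case "$exe" in
    *" (deleted)")   # binary was unlinked after exec: classic for dropped backdoors
      echo "$port pid=$pid $exe: binary unlinked from disk  <- inspect"; return 0 ;;
  esac
  pkg=$(owning_package "$exe")
  if [ -z "$pkg" ]; then
    echo "$port pid=$pid $exe: not owned by any package  <- inspect"; return 0
  fi
  # dpkg keeps one list per package: <pkg>.md5sums or <pkg>:<arch>.md5sums
  sums=$(cat /var/lib/dpkg/info/"$pkg".md5sums /var/lib/dpkg/info/"$pkg":*.md5sums 2>/dev/null || true)
  want=$(printf '%s\n' "$sums" | expected_md5 "$exe")
  have=$(md5sum "$exe" 2>/dev/null | awk '{ print $1 }')
  if [ -z "$want" ]; then
    echo "$port pid=$pid $exe: owned by $pkg, no md5 on record (conffile or generated?)"
  elif [ "$want" = "$have" ]; then
    echo "$port pid=$pid $exe: owned by $pkg, md5 matches"
  else
    echo "$port pid=$pid $exe: owned by $pkg, md5 MISMATCH  <- inspect"
  fi
}

# Constructed sample of `ss -ltnp` output, showing the shape parse_listeners
# expects (the sshd/telnetd entries and pids are made up for illustration).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    [::]:1037           [::]:*            users:(("telnetd",pid=4711,fd=3))'

# Usage: bash triage.sh --live   (scans this host; nothing runs without --live)
if [ "${1:-}" = "--live" ]; then
  ss -ltnp | parse_listeners | while read -r port pid; do
    check_listener "$port" "$pid"
  done
fi
```

Run it as root so /proc/<pid>/exe is readable for every process. The md5 comparison is only as trustworthy as /var/lib/dpkg/info itself and the md5sum and dpkg binaries on the box; on a host you already suspect, repeat the check from a clean boot medium or with a known-good copy of the package lists, and treat it as a way to decide what to look at first, not as proof that a matching binary is clean.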
