I'm thinking that somehow I've been broken into. I've got a pretty good Unix admin (not Debian) here helping to take a look at it, but so far she's not been able to learn anything definitive. One thing she thought odd was the existence of the directory /usr/lib/telnetd. And here's what one of the security gurus on one of her security mailing lists had to say about it:
There should not be a /usr/lib/telnetd. You have been hacked. This is NOT normal behavior. Executables should never be stored in /usr/lib; that's for libraries. There should also NOT be a telnetd user in our password file. ftp maybe, NOT telnetd. /etc/services is just for mapping ports to services. You could delete it and everything in inetd.conf would still work. You just wouldn't get a nice port to name mapping from netstat ;-)
On another Debian box (Sid) (as well as on the suspected box), I've got telnetd as a user in my /etc/passwd file, and it's a member of the utmp group.
So my questions:
1) is it normal for a Debian box to have telnetd as a user, as a member of utmp, and to have the /usr/lib/telnetd directory?
2) if so, why does this seem to disagree with the commercial unix folks? Is Debian doing things in a better way, or a worse way?
Thanks for any input! Kent