On Mon, Jan 14, 2002 at 02:49:36PM -0600, Kent West wrote:
> I've got a Debian box (2.2.17, mostly woody) that I've just discovered
> has a more-or-less hidden telnetd running on port 1037 as well as the
> normal telnetd on port 23. I thought I had uninstalled telnetd (although
> it's possible I forgot to remove it).

Having telnetd listening on port 1037 is definitely not normal. telnet listens for unencrypted connections on port 23 (as you mentioned) and can listen on port 992 if you're running a secure SSL enabled version. But not 1037.

> I'm thinking that somehow I've been broken into.

Quite possibly.

> One thing she thought odd was the existence of the directory
> /usr/lib/telnetd. And here's what one of the security gurus on one of
> her security mailing lists had to say about it:

That is actually not unusual in Debian. The SSL enabled secure telnetd-ssl package installs files into that directory.

> 1) is it normal for a Debian box to have telnetd as a user, as a member
> of utmp, and to have the /usr/lib/telnetd directory?

Yes.

> 2) if so, why does this seem to disagree with the commercial unix folks?
> Is Debian doing things in a better way, or a worse way?

Debian is doing things according to the File Hierarchy Standard. It is not necessarily a "better" way, but it is a standard way that is consistent across all FHS-supporting Linux distributions. It's done to try to decrease the confusion of having files in completely different places in different distributions.

Having telnetd listening on port 1037, if in fact it is, is probably not a good thing. Have you actually tried telnetting to that port ('telnet localhost 1037')? Does 'netstat -tlnp' indicate that the process using that port is actually in "LISTEN" state?

noah

-- 
 _______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html
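An added example, not part of the original message: a small filter over 'netstat -tlnp' output that reports every TCP socket in LISTEN state whose port is not on an expected list, which is the check suggested above. The function names, the sample output (PIDs and program names are constructed) and the inclusion of port 22 in the expected list are assumptions; 23 and 992 are the telnet ports named in the reply.

```shell
#!/bin/sh
# Flag TCP listeners whose port is not on an expected list.
# stdin: output of `netstat -tlnp` (run as root so the PID/Program column is filled in)
# $1:    space-separated list of ports that are expected to be listening

unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # Data rows start with tcp/tcp6; column 6 is the socket state.
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            port = $4
            sub(/.*:/, "", port)            # strip the address: 0.0.0.0:23 and :::23 both give 23
            prog = ($7 == "" || $7 == "-") ? "unknown" : $7   # "-" appears when not run as root
            if (!(port in ok)) print port, $4, prog
        }'
}

# Constructed sample output for illustration; on a live system pipe in `netstat -tlnp`.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      290/sshd
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      312/inetd
tcp        0      0 0.0.0.0:1037            0.0.0.0:*               LISTEN      4411/in.telnetd
tcp6       0      0 :::22                   :::*                    LISTEN      290/sshd
EOF
}

# Expected ports: 22 (assumed ssh), 23 and 992 (telnet and SSL telnet, as in the reply).
sample_netstat | unexpected_listeners "22 23 992"
```

Each reported line gives the port, the local address and the PID/program, so the PID can then be examined with ps or under /proc to see which binary is actually holding the socket.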