Bug#251037: Strange xdmcp behavior, maybe a trojan horse?
I was unable to connect to a remote xdm, but only when it is outside a
broadcast domain. X crashes with a message:
Fatal server error:
XDMCP fatal error: Session failed Session XXXXXXXX failed for display
194-237-107-43.customer.telia.com:9: cannot open display.
I have nothing in common with this IP, so after a further quick tcpdump
I discovered that the negotiation is as follows:
MY.IP.MY.IP RE.MO.TE.IP XDMCP Query
RE.MO.TE.IP MY.IP.MY.IP XDMCP Willing
and here comes the suspected packet:
MY.IP.MY.IP RE.MO.TE.IP XDMCP Request
with a connection field set to:
Opcode: Request (0x0007)
Message length: 121
Display number: 9
Connection 1: 22.214.171.124
Connection 2: 126.96.36.199
Connection 3: 188.8.131.52
then a normal XDMCP Accept UDP packet.
The other side, of course, tries to connect to 184.108.40.206:6009/TCP,
and it, of course, fails.
Those six addresses are always the same, no matter which non-local
server I try to connect to.
I'm 99% sure this machine is not compromised, md5sum of /usr/bin/X11/X
is the same on every testing I'm able to check, and it's:
I have a laptop with 4.3.0-7 version of xserver-common and it behaves as
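As an added illustration of the diagnostic described in the report (not code from the reporter or from the Debian package), the following decodes an XDMCP Request UDP payload and lists the connection addresses the X server advertises to the remote xdm, so a defender can compare them with the host's own addresses. The sample packet is constructed here with display 9 and RFC 5737 test addresses, not the values from the capture above.

```python
import struct
from ipaddress import IPv4Address

XDMCP_VERSION = 1
OP_REQUEST = 7        # opcode 0x0007 as shown in the captured packet
FAMILY_INTERNET = 0   # XDMCP connection type for IPv4

def build_request(display, addrs, auth_name=b"", auth_data=b"", authz_names=(), mfg_id=b""):
    """Encode an XDMCP Request: 6-byte big-endian header followed by the body."""
    body = struct.pack(">H", display)
    body += struct.pack(">B", len(addrs)) + b"".join(struct.pack(">H", FAMILY_INTERNET) for _ in addrs)
    body += struct.pack(">B", len(addrs)) + b"".join(struct.pack(">H", 4) + IPv4Address(a).packed for a in addrs)
    body += struct.pack(">H", len(auth_name)) + auth_name
    body += struct.pack(">H", len(auth_data)) + auth_data
    body += struct.pack(">B", len(authz_names)) + b"".join(struct.pack(">H", len(n)) + n for n in authz_names)
    body += struct.pack(">H", len(mfg_id)) + mfg_id
    return struct.pack(">HHH", XDMCP_VERSION, OP_REQUEST, len(body)) + body

def parse_request(pkt):
    """Decode the display number and connection addresses of an XDMCP Request."""
    version, opcode, length = struct.unpack_from(">HHH", pkt, 0)
    if opcode != OP_REQUEST:
        raise ValueError("not an XDMCP Request: opcode %d" % opcode)
    if length != len(pkt) - 6:
        raise ValueError("length field %d does not match body size %d" % (length, len(pkt) - 6))
    off = 6
    display = struct.unpack_from(">H", pkt, off)[0]; off += 2
    ntypes = pkt[off]; off += 1                       # ARRAY16 of connection types
    families = struct.unpack_from(">%dH" % ntypes, pkt, off); off += 2 * ntypes
    naddrs = pkt[off]; off += 1                       # ARRAYofARRAY8 of addresses
    if naddrs != ntypes:
        raise ValueError("connection type/address count mismatch")
    conns = []
    for fam in families:
        alen = struct.unpack_from(">H", pkt, off)[0]; off += 2
        raw = pkt[off:off + alen]; off += alen
        conns.append(str(IPv4Address(raw)) if fam == FAMILY_INTERNET and alen == 4 else raw.hex())
    return {"display": display, "connections": conns}

def unexpected_connections(pkt, local_addrs):
    """Advertised addresses that are not among this host's own addresses."""
    return [a for a in parse_request(pkt)["connections"] if a not in set(local_addrs)]

# Constructed sample: display 9 as in the report, three RFC 5737 test addresses.
SAMPLE = build_request(9, ["192.0.2.10", "192.0.2.11", "192.0.2.12"])
```

The same `parse_request` can be fed the UDP payload extracted from a tcpdump/pcap of the Query/Willing/Request exchange; any address returned by `unexpected_connections` is one the remote xdm will try to reach on TCP port 6000 + display.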