Bug 2339

Summary: Modified telnetd breaks utmp/wtmp
Product: [Retired] Red Hat Linux
Reporter: summers
Component: telnet
Assignee: David Lawrence <dkl>
Severity: medium
Priority: medium
Version: 5.2
Keywords: Security
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 1999-04-23 15:13:24 UTC

Description summers 1999-04-23 14:21:28 UTC
On two separate i386 installations, the following problem
has occurred:

The telnetd no longer correctly clears out utmp entries when
they are no longer active. This is detectable by who, which
lists current connections. Starting a telnet session and
then quitting a telnet session on the machine leaves a
residual utmp entry behind. Rebooting only clears the
entries, it does not eliminate the problem. Console logins
are unaffected, and are cleaned out normally. Likewise,
xterm connections also work normally.

An rpm verify on the telnetd produces the following
modifications: S.5....T. The telnetd on a working machine
produces no verify modifications. Reinstalling the telnet
package fixes the problem.

Both breakages may correspond to a port scanning attempt,
possibly on the identd port. I cannot confirm this however,
as I do not have very clear time frames in which the problem
may have begun. Further, the only listening services open on
either box are as follows: inetd(telnet, rsh, rlogin, imapd
are all tcp_wrapped and restricted to the local domain; ftp
and identd are 'free'), httpd, smbd and nmbd, rwhod, and
portmap. Both machines are patched up to 4/20/99 releases,
and were both currently patched within two days of the start
of the problem. The only log entries that correspond to the
possible time that the problem began show a possible identd
port scanning attempt on the network. However, rpm verifies
on login and getty packages do not seem to indicate any
modified daemons.

Thanks much,

Dan S.
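The reporter's `S.5....T.` verify string is the part of this report worth being able to read mechanically: each column of `rpm -V` output is one failed test (S = size, M = mode, 5 = digest, D = device, L = link target, U = owner, G = group, T = mtime, and P = capabilities on newer rpm), and a digest or size change on a non-config binary such as a daemon is the signature of a replaced file rather than a routine edit. The following parser and triage helper is an added example written for this page, not code from the bug or from the rpm project; the sample verify output, the `/usr/sbin/in.telnetd` path and the other file names in it are constructed here, not taken from the report.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Meaning of each rpm --verify column. rpm 4.x prints nine columns (the P
# column was added later); older rpm printed eight, as in the report's
# "S.5....T." string. A '.' means the test passed, '?' means it could not run.
FLAG_MEANINGS = {
    "S": "file size differs",
    "M": "mode (permissions/type) differs",
    "5": "digest (MD5) differs",
    "D": "device major/minor differs",
    "L": "symlink target differs",
    "U": "owner differs",
    "G": "group differs",
    "T": "mtime differs",
    "P": "capabilities differ",
}

# One verify line: flag string (or the literal "missing"), optional attribute
# column (c = config, d = doc, g = ghost, l = license, r = readme), then path.
LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9}|missing)\s+"
    r"(?:(?P<attr>[cdglr])\s+)?(?P<path>/\S+)\s*$"
)


@dataclass
class VerifyFinding:
    path: str
    flags: str
    is_config: bool
    reasons: List[str]

    @property
    def suspicious(self) -> bool:
        # A content change (digest or size) or a missing file on something that
        # is NOT a config file is what a replaced daemon looks like; config
        # files are expected to differ from the package payload.
        if self.is_config:
            return False
        return self.flags == "missing" or "5" in self.flags or "S" in self.flags


def parse_verify_line(line: str) -> Optional[VerifyFinding]:
    """Turn one rpm -V output line into a VerifyFinding, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flags = m.group("flags")
    if flags == "missing":
        reasons = ["file is missing"]
    else:
        reasons = [FLAG_MEANINGS[c] for c in flags if c in FLAG_MEANINGS]
        if "?" in flags:
            reasons.append("at least one test could not be performed")
    return VerifyFinding(
        path=m.group("path"),
        flags=flags,
        is_config=(m.group("attr") == "c"),
        reasons=reasons,
    )


def suspicious_files(verify_output: str) -> List[VerifyFinding]:
    """Return only the findings a responder should look at first."""
    findings = (parse_verify_line(ln) for ln in verify_output.splitlines())
    return [f for f in findings if f is not None and f.suspicious]


# Constructed sample of `rpm -V telnet-server` style output (not from the report).
SAMPLE_OUTPUT = """\
S.5....T.    /usr/sbin/in.telnetd
.......T.    /usr/bin/telnet
S.5....T.  c /etc/inetd.conf
missing      /usr/share/man/man8/in.telnetd.8.gz
.M.......    /var/log/wtmp
"""

if __name__ == "__main__":
    for finding in suspicious_files(SAMPLE_OUTPUT):
        print(f"{finding.path}: {', '.join(finding.reasons)}")
```

On the sample above only the daemon binary and the missing man page are reported; the config file with the same `S.5....T.` string and the mtime-only change on the client are dropped. Note that `rpm -V` compares against the database on the same host, so on a box suspected of being tampered with the check should be repeated with `rpm -Vp` against a known-good package file from install media or a trusted mirror.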

Comment 1 Jeff Johnson 1999-04-23 15:13:59 UTC
There are two problems here.

1) telnet not correctly handling utmp entries (fixed in #56).

2) the "modified telnet" problem appears to indicate that your
installed telnetd is not that which comes with Red Hat.