Bug 66830

Summary: Hackers through telnet
Product: [Retired] Red Hat Linux
Reporter: Need Real Name <peterloo>
Component: telnet
Assignee: Harald Hoyer <harald>
Status: CLOSED NOTABUG
QA Contact: Ben Levenson <benl>
Severity: high
Priority: high
Version: 7.2
CC: peterloo
Hardware: i686
OS: Linux
Doc Type: Bug Fix
Last Closed: 2003-08-05 08:22:50 UTC

Description Need Real Name 2002-06-17 15:17:09 UTC
Description of Problem:

Dear Sirs/Madams,

Over the weekend, my RedHat Linux 7.1 server was broken into by a hacker who
created a directory called /home/china and the following files and
subdirectory within it.  He or she has changed my root password and I am unable to
do any administration at this time.  /etc/services file has been altered to
allow entry from all ports.  This happened shortly (three weeks) after opening
my telnet port.  This also happened once before on my 6.2 version.  Is there a
bug that we are unaware of?  I was fine when I had telnet and ftp ports closed
while using ssh2.

/home/china::> ls -l
total 844
-rw-r--r--    1 root     users        6372 May  9  1995 cgitelnet.tar.gz
drwxr-xr-x    2 root     users        4096 Jul  1  1995 dev
-rwxr-xr-x    1 root     users       22460 Aug 22  2000 du
-rwxr-xr-x    1 root     users       57452 Aug 22  2000 find
-rwxr-xr-x    1 root     users          19 Apr 15  2001 hack
-rwxr-xr-x    1 root     users       32728 Aug 22  2000 ifconfig
-rwxr-xr-x    1 root     users        6408 Aug 22  2000 in.fingerd
-rwx------    1 root     users        7165 Aug  6  1998 linsniffer
-rwxr-xr-x    1 root     users        3964 Aug 22  2000 login
-rwxr-xr-x    1 root     users       39484 Aug 22  2000 ls
-rwxr-xr-x    1 root     users       53364 Aug 22  2000 netstat
-rwx------    1 root     users        2796 May 16  2001 patch
-rwxr-xr-x    1 root     users        4568 Sep 13  2000 pg
-rwxr-xr-x    1 root     users       31336 Apr 13  2001 ps
-rwxr-xr-x    1 root     users       13184 Aug 22  2000 pstree
-rwxr-xr-x    1 root     users        4060 Mar  5  1999 sense
-rwx------    1 root     users        8268 Oct 16  1999 sl3
-rw-r--r--    1 root     users      100424 Aug 23  2000 ssh.tgz
-rwxr-xr-x    1 root     users        1382 Jul 24  2000 sz
-rwxr-xr-x    1 root     users           0 May 22 05:05 t0rn
-rwxr-xr-x    1 root     users        1345 Sep  9  1999 t0rnsb
-rwxr-xr-x    1 root     bin             0 Jul  1  1995 t0rn~
-rwxr-xr-x    1 root     users      266140 Jul 17  2000 top
-rwxr-xr-x    1 root     users      124076 May 22  1995 wget
-rwxr-xr-x    1 root     users        7578 Aug 21  2000 zum

/home/china::> cat hack
./t0rn nervos 5713

Comment 1 Harald Hoyer 2002-06-18 08:52:10 UTC
cgitelnet.tar.gz looks like a web based telnet... How do you know that the
hacker broke in due to a buggy telnet?
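The listing in the report is a rootkit kit that ships replacements for ls, ps, netstat, ifconfig, find, du, top, pstree, login and in.fingerd, so once installed the system's own tools no longer show the intruder's files, processes or connections. The practical check is a file-integrity baseline taken while the host is known clean (or from rescue media), stored off-host, and verified later. The following is an added example written for this page, not code from the report or from Red Hat; the directory, file contents and tampering are constructed to show the check working.

```python
import hashlib
import os
import tempfile

# Binaries the kit in the report replaces; a userland rootkit swaps these so
# the administrator's own commands hide the intrusion.
WATCHED = ["ls", "ps", "netstat", "ifconfig", "find", "du", "top",
           "pstree", "login", "in.fingerd"]

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(root, names=WATCHED):
    """Record digest and permission bits of each watched binary under root.
    Must be taken from a known-clean state and kept off the host."""
    base = {}
    for name in names:
        p = os.path.join(root, name)
        if os.path.exists(p):
            base[name] = {"sha256": sha256_of(p),
                          "mode": os.stat(p).st_mode & 0o7777}
    return base

def verify(root, base):
    """Compare the current files to the baseline; return (name, reason) pairs.
    Uses os.stat and direct reads, not the possibly trojaned ls/find."""
    findings = []
    for name, rec in base.items():
        p = os.path.join(root, name)
        if not os.path.exists(p):
            findings.append((name, "missing"))
        elif sha256_of(p) != rec["sha256"]:
            findings.append((name, "content changed"))
        elif (os.stat(p).st_mode & 0o7777) != rec["mode"]:
            findings.append((name, "mode changed"))
    return findings

def demo():
    # Constructed stand-in for /bin: fake binaries, baseline, then tamper.
    with tempfile.TemporaryDirectory() as d:
        for n in WATCHED:
            with open(os.path.join(d, n), "wb") as f:
                f.write(b"#!/bin/sh\necho clean " + n.encode() + b"\n")
        base = baseline(d)
        with open(os.path.join(d, "ls"), "wb") as f:
            f.write(b"#!/bin/sh\ntrojaned\n")   # simulated replacement
        os.remove(os.path.join(d, "netstat"))
        return sorted(verify(d, base))

if __name__ == "__main__":
    print(demo())
```

On a Red Hat host the packaged equivalent is `rpm -Va` against a trusted package database, but neither check can be trusted if it runs with binaries or a kernel the intruder already controls.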