Bug 9874

Summary: major telnet security hole...
Product: [Retired] Red Hat Linux
Reporter: mat
Component: telnet
Assignee: Florian La Roche <laroche>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: 6.1
CC: esprikkelman, mat
Keywords: Security
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2000-03-01 12:20:34 UTC

Description mat 2000-03-01 00:13:25 UTC
I noticed the following this afternoon on my RH 6.1 server.

Feb 29 17:03:40 ns1 PAM_pwdb[11330]: (su) session opened for user s by doot(uid=900)

This user had telneted in (no possibility of knowing the password)
and managed to get root access. They had replaced /usr/sbin/inetd
with a version listening on tcp/5002 + versions of ls, du and find
to hide various scripts in /tmp. (Also started a packet sniffer on eth0.)

The files are now repaired; however, I am concerned at their ease of
access. There was only a window of 10-15 minutes in which packet
filters were out of place.

User showed up as: doot when doing a 'w'.

There was definitely a TCP connection to port 23 (checked with netstat).

Is there any info on this sort of attack?

Comment 1 mat 2000-03-01 12:20:59 UTC
More info.

The following showed up in /var/log/secure.

Feb 29 17:03:31 ns1 in.telnetd[11317]: connect from 24.11.116.136
Feb 29 17:03:36 ns1 login: LOGIN ON 0 BY doot FROM cc678364-b.warn1.mi.home.com

I should also have said that none of these user accounts actually exist
(doot, s etc.) and that nothing maps to uid 900.
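The check the reporter did by hand in the two comments above (do the account names in /var/log/secure exist, and does the uid in the PAM line map to anyone?) can be scripted. The following is an added example, not part of the bug report or of Red Hat's telnet package; it parses the two line shapes quoted in the ticket (the `login: LOGIN ON ... BY ... FROM ...` and `PAM_pwdb ... session opened for user ... by ...(uid=...)` formats) and flags events naming unknown accounts or unmapped uids. The sample log lines, hostnames, pids and the stand-in account database are constructed; `load_local_accounts()` reads the real password database if you want to run it against a live host.

```python
"""Cross-check /var/log/secure login events against the account database.

Added example (not from the bug report): flags logins and PAM sessions that
reference accounts or uids that do not exist locally, which is the check the
reporter performed by hand in this ticket.
"""
import pwd
import re
from typing import Dict, Iterable, List, Set, Tuple

# Line shapes quoted in the report (syslog from a Red Hat 6.1 era system):
#   "... login: LOGIN ON <tty> BY <user> FROM <host>"
#   "... PAM_pwdb[<pid>]: (<service>) session opened for user <target> by <actor>(uid=<n>)"
LOGIN_RE = re.compile(r"login: LOGIN ON \S+ BY (?P<user>\S+) FROM (?P<host>\S+)")
PAM_RE = re.compile(
    r"PAM_pwdb\[\d+\]: \((?P<service>[^)]+)\) session opened for user "
    r"(?P<target>\S+) by (?P<actor>[^\s(]*)\s*\(uid=(?P<uid>\d+)\)"
)


def load_local_accounts() -> Tuple[Set[str], Set[int]]:
    """Read the live password database (names and uids) via the pwd module."""
    entries = pwd.getpwall()
    return {e.pw_name for e in entries}, {e.pw_uid for e in entries}


def audit_secure_log(lines: Iterable[str], users: Set[str], uids: Set[int]) -> List[Dict[str, str]]:
    """Return one finding per event that names an account or uid absent from the database."""
    findings: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.rstrip("\n")
        m = LOGIN_RE.search(line)
        if m:
            if m.group("user") not in users:
                findings.append({"reason": "login by unknown account",
                                 "user": m.group("user"), "host": m.group("host"), "line": line})
            continue
        m = PAM_RE.search(line)
        if m:
            problems = []
            if m.group("target") not in users:
                problems.append(f"target account '{m.group('target')}' does not exist")
            actor = m.group("actor")
            if actor and actor not in users:
                problems.append(f"actor account '{actor}' does not exist")
            if int(m.group("uid")) not in uids:
                problems.append(f"uid {m.group('uid')} maps to no account")
            if problems:
                findings.append({"reason": "; ".join(problems),
                                 "user": m.group("target"), "host": "", "line": line})
    return findings


# Constructed sample lines (hosts and pids are placeholders; account names follow
# the ticket: 'doot' and 's' were never real accounts and uid 900 was unmapped).
SAMPLE_SECURE_LOG = [
    "Feb 29 16:58:02 ns1 in.telnetd[11290]: connect from 192.0.2.10",
    "Feb 29 16:58:07 ns1 login: LOGIN ON 1 BY alice FROM workstation.example.net",
    "Feb 29 17:03:31 ns1 in.telnetd[11317]: connect from 192.0.2.77",
    "Feb 29 17:03:36 ns1 login: LOGIN ON 0 BY doot FROM dialup.example.net",
    "Feb 29 17:03:40 ns1 PAM_pwdb[11330]: (su) session opened for user s by doot(uid=900)",
    "Feb 29 17:05:12 ns1 PAM_pwdb[11345]: (su) session opened for user root by alice(uid=1000)",
]
# Constructed stand-in for the password database so the example runs offline.
SAMPLE_USERS = {"root", "alice"}
SAMPLE_UIDS = {0, 1000}


def demo() -> List[Dict[str, str]]:
    """Run the audit over the constructed sample; two of the six lines should be flagged."""
    return audit_secure_log(SAMPLE_SECURE_LOG, SAMPLE_USERS, SAMPLE_UIDS)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['reason']}: {finding['line']}")
```

Against a live host, replace the sample sets with `load_local_accounts()` and feed it `open("/var/log/secure")`. The actor field is matched with optional whitespace before `(uid=` so the wrapped copy of the line as pasted in the report still parses; the `connect from` lines are deliberately ignored, since a connection alone proves nothing without the login that followed it.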

Comment 2 Pekka Savola 2000-07-16 20:27:32 UTC
There are no known vulnerabilities in recent versions of telnet.

Very probably some other component (for example, non-updated nameserver) has
caused the security compromise.  Telnet is just a way to access the system.