Red Hat Bugzilla – Bug 2339
Modified telnetd breaks utmp/wtmp
Last modified: 2008-05-01 11:37:49 EDT
On two separate i386 installations, the following problem
The telnetd no longer correctly clears out utmp entries when
they are no longer active. This is detectable by who, which
lists current connections. Starting a telnet session and
then quitting a telnet session on the machine leaves a
residual utmp entry behind. Rebooting only clears the
entries, it does not eliminate the problem. Console logins
are unaffected, and are cleaned out normally. Likewise,
xterm connections also work normally.
An rpm verify on the telnetd produces the following
modifications: S.5....T. The telnetd on a working machine
produces no verify modifications. Reinstalling the telnet
package fixes the problem.
Both breakages may correspond to a port scanning attempt,
possibly on the identd port. I cannot confirm this however,
as I do not have very clear time frames in which the problem
may have begun. Further, the only listening services open on
either box are as follows: inetd(telnet, rsh, rlogin, imapd
are all tcp_wrapped and restricted to the local domain; ftp
and identd are 'free'), httpd, smbd and nmbd, rwhod, and
portmap. Both machines are patched up to 4/20/99 releases,
and were both currently patched within two days of the start
of the problem. The only log entries that correspond to the
possible time that the problem began show a possible identd
port scanning attempt on the network. However, rpm verifies
on login and getty packages do not seem to indicate any
There are two problems here.
1) telnet not correctly handling utmp entries (fixed in #56).
2) the "modified telnet" problem appears to indicate that your
installed telnetd is not that which comes with Red Hat.
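
The `S.5....T` verify result quoted in the report means the file's size, content digest and modification time all differ from what the package recorded. As an added example (not part of the bug report or of rpm itself), the sketch below decodes `rpm -V` attribute strings and lists non-config files whose packaged content changed; the file paths, sample output and helper names are constructed for illustration.

```python
# Added example: decode `rpm -V` attribute strings (helper names are hypothetical).
ORDER = "SM5DLUGTP"  # column order; older rpm prints only the first 8 columns
NAMES = {"S": "size", "M": "mode", "5": "digest", "D": "device",
         "L": "symlink", "U": "user", "G": "group", "T": "mtime",
         "P": "capabilities"}
MARKERS = {"c": "config", "d": "doc", "g": "ghost", "l": "license", "r": "readme"}

def parse_verify_line(line):
    """Parse one line of `rpm -V` output into a dict."""
    fields = line.split()
    if len(fields) not in (2, 3):
        raise ValueError(f"unrecognised verify line: {line!r}")
    attrs, path = fields[0], fields[-1]
    kind = MARKERS.get(fields[1], "unknown") if len(fields) == 3 else "file"
    entry = {"path": path, "kind": kind, "missing": attrs == "missing",
             "changed": [], "unverified": []}
    if entry["missing"]:
        return entry
    if len(attrs) not in (8, 9):
        raise ValueError(f"unexpected attribute string: {attrs!r}")
    for got, expected in zip(attrs, ORDER):
        if got == expected:
            entry["changed"].append(NAMES[expected])
        elif got == "?":  # rpm could not perform this test
            entry["unverified"].append(NAMES[expected])
        elif got != ".":
            raise ValueError(f"unexpected flag {got!r} in {attrs!r}")
    return entry

def content_modified(entry):
    """True when a non-config packaged file is missing or its digest differs."""
    changed = entry["missing"] or "digest" in entry["changed"]
    return changed and entry["kind"] not in ("config", "ghost")

def triage(text):
    """Return paths from `rpm -V` output whose packaged content changed."""
    entries = [parse_verify_line(l) for l in text.splitlines() if l.strip()]
    return [e["path"] for e in entries if content_modified(e)]

# Constructed sample; only the S.5....T string comes from the report.
SAMPLE = """\
S.5....T /usr/sbin/in.telnetd
S.5....T c /etc/inetd.conf
.M....G. /var/log/example
..?....T. /usr/bin/example
missing /usr/sbin/example-daemon
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A clean verify is only as trustworthy as the rpm binary and package database on the host being checked.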