Description of Problem:

Dear Sirs/Madams,

Over the weekend, my RedHat Linux 7.1 server was broken into by a hacker who created a directory called /home/china and the following files and sub-directory within it. He or she has changed my root password and I am unable to do any administration at this time. The /etc/services file has been altered to allow entry from all ports. This happened shortly (three weeks) after opening my telnet port. This also happened once before on my 6.2 version. Is there a bug that we are unaware of? I was fine when I had telnet and ftp ports closed while using ssh2.

/home/china::> ls -l
total 844
-rw-r--r-- 1 root users 6372 May 9 1995 cgitelnet.tar.gz
drwxr-xr-x 2 root users 4096 Jul 1 1995 dev
-rwxr-xr-x 1 root users 22460 Aug 22 2000 du
-rwxr-xr-x 1 root users 57452 Aug 22 2000 find
-rwxr-xr-x 1 root users 19 Apr 15 2001 hack
-rwxr-xr-x 1 root users 32728 Aug 22 2000 ifconfig
-rwxr-xr-x 1 root users 6408 Aug 22 2000 in.fingerd
-rwx------ 1 root users 7165 Aug 6 1998 linsniffer
-rwxr-xr-x 1 root users 3964 Aug 22 2000 login
-rwxr-xr-x 1 root users 39484 Aug 22 2000 ls
-rwxr-xr-x 1 root users 53364 Aug 22 2000 netstat
-rwx------ 1 root users 2796 May 16 2001 patch
-rwxr-xr-x 1 root users 4568 Sep 13 2000 pg
-rwxr-xr-x 1 root users 31336 Apr 13 2001 ps
-rwxr-xr-x 1 root users 13184 Aug 22 2000 pstree
-rwxr-xr-x 1 root users 4060 Mar 5 1999 sense
-rwx------ 1 root users 8268 Oct 16 1999 sl3
-rw-r--r-- 1 root users 100424 Aug 23 2000 ssh.tgz
-rwxr-xr-x 1 root users 1382 Jul 24 2000 sz
-rwxr-xr-x 1 root users 0 May 22 05:05 t0rn
-rwxr-xr-x 1 root users 1345 Sep 9 1999 t0rnsb
-rwxr-xr-x 1 root bin 0 Jul 1 1995 t0rn~
-rwxr-xr-x 1 root users 266140 Jul 17 2000 top
-rwxr-xr-x 1 root users 124076 May 22 1995 wget
-rwxr-xr-x 1 root users 7578 Aug 21 2000 zum
/home/china::> cat hack
./t0rn nervos 5713

Version-Release number of selected component (if applicable):

How Reproducible:

Steps to Reproduce:
1.
2.
3.

Actual Results:

Expected Results:

Additional Information:
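As an added example (it is not part of the bug report and not Red Hat tooling), the script below parses the `ls -l` listing quoted above and flags the entries a responder would examine first: copies of system binaries sitting in a home directory, files whose names mark them as rootkit or sniffer tooling (the "hack" script calls ./t0rn), and zero-length executables. A second function parses `rpm -Va` output to list package files whose size or MD5 digest no longer matches the RPM database, which is how one would confirm on the host that /bin/ls, /bin/ps and /etc/services were replaced; the rpm sample here is constructed, not taken from the report. The table of expected binary locations is an assumption about a stock Red Hat 7.1 layout. Run the rpm check from a trusted rescue medium against the mounted disk (`rpm -Va --root /mnt/sysimage`), because every binary and shared library on the compromised host, including what rpm itself loads, is suspect.

```python
"""Rootkit-drop triage (added example; not part of the bug report or of Red Hat tooling).

flag_listing() parses the `ls -l` output quoted in the report; modified_files()
parses `rpm -Va` output (constructed sample) for files that no longer match the RPM db.
"""
import re

# Assumed stock locations on Red Hat 7.1 for the binaries named in the listing.
STOCK_PATHS = {
    "ls": "/bin/ls", "ps": "/bin/ps", "netstat": "/bin/netstat",
    "login": "/bin/login", "ifconfig": "/sbin/ifconfig",
    "find": "/usr/bin/find", "du": "/usr/bin/du", "top": "/usr/bin/top",
    "pstree": "/usr/bin/pstree", "in.fingerd": "/usr/sbin/in.fingerd",
    "wget": "/usr/bin/wget", "pg": "/usr/bin/pg",
}

# Name fragments that mark kit tooling in the report's listing and "hack" script.
KIT_NAME_HINTS = ("t0rn", "sniff")

# `ls -l` row: mode links owner group size month day year-or-time name
LS_LINE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})\s+\d+\s+\S+\s+\S+\s+(?P<size>\d+)"
    r"\s+\S+\s+\d+\s+\S+\s+(?P<name>.+)$"
)


def flag_listing(listing):
    """Map each suspicious entry name to the reasons it was flagged."""
    findings = {}
    for line in listing.splitlines():
        m = LS_LINE.match(line.strip())
        if not m:
            continue  # skips "total 844" and the shell prompt line
        name, mode, size = m["name"], m["mode"], int(m["size"])
        reasons = []
        if name in STOCK_PATHS:
            reasons.append("copy of system binary normally at " + STOCK_PATHS[name])
        if any(hint in name.lower() for hint in KIT_NAME_HINTS):
            reasons.append("rootkit/sniffer tooling by name")
        if mode.startswith("-") and "x" in mode and size == 0:
            reasons.append("zero-length executable")
        if reasons:
            findings[name] = reasons
    return findings


# `rpm -V` row: 8 attribute flags (9 on newer rpm), optional file-type letter,
# path. '5' means the MD5 digest changed, 'S' that the size changed.
RPM_V_LINE = re.compile(r"^(?P<flags>[SM5DLUGTP.?]{8,9})\s+(?:[cdglr]\s+)?(?P<path>/\S+)$")


def modified_files(rpm_verify_output):
    """Return paths whose size or digest differs from the package database."""
    modified = []
    for line in rpm_verify_output.splitlines():
        m = RPM_V_LINE.match(line.strip())
        if m and ("5" in m["flags"] or "S" in m["flags"]):
            modified.append(m["path"])
    return modified


# Excerpt of the listing quoted in the report.
REPORT_LISTING = """\
/home/china::> ls -l
total 844
-rw-r--r-- 1 root users 6372 May 9 1995 cgitelnet.tar.gz
drwxr-xr-x 2 root users 4096 Jul 1 1995 dev
-rwxr-xr-x 1 root users 19 Apr 15 2001 hack
-rwxr-xr-x 1 root users 32728 Aug 22 2000 ifconfig
-rwx------ 1 root users 7165 Aug 6 1998 linsniffer
-rwxr-xr-x 1 root users 3964 Aug 22 2000 login
-rwxr-xr-x 1 root users 39484 Aug 22 2000 ls
-rwxr-xr-x 1 root users 53364 Aug 22 2000 netstat
-rwxr-xr-x 1 root users 31336 Apr 13 2001 ps
-rwxr-xr-x 1 root users 0 May 22 05:05 t0rn
-rwxr-xr-x 1 root users 1345 Sep 9 1999 t0rnsb
-rwxr-xr-x 1 root bin 0 Jul 1 1995 t0rn~
-rwxr-xr-x 1 root users 266140 Jul 17 2000 top
"""

# Constructed `rpm -Va` excerpt (not from the report) of what trojaned
# /bin/ls, /bin/ps and an edited /etc/services would look like.
SAMPLE_RPM_VERIFY = """\
S.5....T   /bin/ls
S.5....T   /bin/ps
.......T   /usr/bin/top
S.5....T c /etc/services
missing    /usr/share/man/man1/ls.1.gz
"""

if __name__ == "__main__":
    for name, reasons in sorted(flag_listing(REPORT_LISTING).items()):
        print("%-12s %s" % (name, "; ".join(reasons)))
    print("modified:", modified_files(SAMPLE_RPM_VERIFY))
```

The name-based checks are only triage: the real confirmation is the rpm verification (or a comparison against known-good binaries from install media), and a line such as `.......T /usr/bin/top` with only the mtime flag set is not by itself evidence of tampering. `rpm -V` also emits `missing` lines, which this parser deliberately ignores; on a compromised host those deserve a look as well.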
cgitelnet.tar.gz looks like a web-based telnet... How do you know that the hacker broke in due to a buggy telnet?