I noticed the following this afternoon on my RH 6.1 server.
Feb 29 17:03:40 ns1 PAM_pwdb: (su) session opened for user s by doot
This user had telnetted in (no possibility of knowing the password)
and managed to get root access. They had replaced /usr/sbin/inetd
with a version listening on tcp/5002, plus versions of ls, du and find
to hide various scripts in /tmp. (They also started a packet sniffer on eth0.)
The files are now repaired; however, I am concerned at their ease of
access. There was only a window of 10-15 minutes in which packet
filters were out of place.
User showed up as: doot when doing a 'w'.
There was definitely a TCP connection to port 23 (checked with netstat).
Is there any info on this sort of attack?
The following showed up in /var/log/secure.
Feb 29 17:03:31 ns1 in.telnetd: connect from 18.104.22.168
Feb 29 17:03:36 ns1 login: LOGIN ON 0 BY doot FROM cc678364-b.warn1.mi.home.com
I should also have said that none of these user accounts actually exist
(doot, s, etc.) and that nothing maps to uid 900.
There are no known vulnerabilities in recent versions of telnet.
Very probably some other component (for example, a non-updated nameserver) has
caused the security compromise. Telnet is just a way to access the system.