Bug 9874 - major telnet security hole...
Product: Red Hat Linux
Classification: Retired
Component: telnet
i386 Linux
medium Severity medium
Assigned To: Florian La Roche
: Security
Reported: 2000-02-29 19:13 EST by mat
Modified: 2008-05-01 11:37 EDT

Doc Type: Bug Fix
Last Closed: 2000-03-01 07:20:34 EST
Description mat 2000-02-29 19:13:25 EST
I noticed the following this afternoon on my RH 6.1 server.

Feb 29 17:03:40 ns1 PAM_pwdb[11330]: (su) session opened for user s by doot

This user had telnetted in (no possibility of knowing password)
and managed to get root access. They had replaced /usr/sbin/inetd
with a version listening on tcp/5002 + versions of ls, du and find
to hide various scripts in /tmp. (Also started packet sniffer on eth0)

The files are now repaired; however, I am concerned at their ease of
access. There was only a window of 10-15 minutes in which packet
filters were out of place.

User showed up as: doot when doing a 'w'.

There was definitely a tcp connection to port 23 (checked with netstat).

Is there any info on this sort of attack??
Comment 1 mat 2000-03-01 07:20:59 EST
More info.

The following showed up in /var/log/secure.

Feb 29 17:03:31 ns1 in.telnetd[11317]: connect from
Feb 29 17:03:36 ns1 login: LOGIN ON 0 BY doot FROM cc678364-b.warn1.mi.home.com

I should also have said that none of these user accounts actually exist
(doot, s etc.) and that nothing maps to uid 900.
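
Added example (not part of the original report or of any Red Hat tooling): a small detection pass over `/var/log/secure`-style lines that flags `login` and `PAM_pwdb` session events naming accounts the host does not know, which is the anomaly described above. Lines 1-2 of the sample and the known-account set are constructed; lines 3-4 are the two entries quoted in the report. Handling of a `(uid=N)` suffix after the invoking user is an assumption about the PAM_pwdb format.

```python
import re

# The two message formats quoted in this report.
SESSION_RE = re.compile(
    r"PAM_pwdb\[\d+\]: \((?P<svc>\w+)\) session opened for user "
    r"(?P<target>\S+) by (?P<actor>[^\s(]*)"  # assumed: actor may carry "(uid=N)"
)
LOGIN_RE = re.compile(r"login: LOGIN ON \S+ BY (?P<actor>\S+)(?: FROM (?P<host>\S+))?")


def local_accounts():
    """Account names the running system resolves (Unix only)."""
    import pwd
    return {entry.pw_name for entry in pwd.getpwall()}


def unknown_account_events(lines, known):
    """Return (line_no, unknown_names, line) for events naming unknown accounts."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        match = SESSION_RE.search(line)
        if match:
            names = [match["target"], match["actor"]]
        else:
            match = LOGIN_RE.search(line)
            if not match:
                continue
            names = [match["actor"]]
        # An empty actor (session opened with no invoking user) is not flagged.
        unknown = sorted({n for n in names if n and n not in known})
        if unknown:
            findings.append((line_no, unknown, line.strip()))
    return findings


# Lines 1-2 are constructed benign entries; lines 3-4 are quoted in the report.
SAMPLE = [
    "Feb 29 16:40:02 ns1 login: LOGIN ON 1 BY mat FROM host.example",
    "Feb 29 16:41:10 ns1 PAM_pwdb[11201]: (su) session opened for user root by mat(uid=500)",
    "Feb 29 17:03:36 ns1 login: LOGIN ON 0 BY doot FROM cc678364-b.warn1.mi.home.com",
    "Feb 29 17:03:40 ns1 PAM_pwdb[11330]: (su) session opened for user s by doot",
]
KNOWN = {"root", "mat"}  # constructed; use local_accounts() on a live host

if __name__ == "__main__":
    for line_no, unknown, line in unknown_account_events(SAMPLE, KNOWN):
        print(f"line {line_no}: unknown account(s) {', '.join(unknown)}: {line}")
```

On a host that may already be compromised, compare against a passwd file from a trusted backup rather than `local_accounts()`, since the account database and the logs themselves may have been altered.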
Comment 2 Pekka Savola 2000-07-16 16:27:32 EDT
There are no known vulnerabilities in recent versions of telnet.

Very probably some other component (for example, non-updated nameserver) has
caused the security compromise.  Telnet is just a way to access the system.
