I noticed the following this afternoon on my RH 6.1 server.

Feb 29 17:03:40 ns1 PAM_pwdb[11330]: (su) session opened for user s by doot (uid=900)

This user had telnetted in (no possibility of knowing the password) and managed to get root access. They had replaced /usr/sbin/inetd with a version listening on tcp/5002, plus versions of ls, du and find to hide various scripts in /tmp. (They also started a packet sniffer on eth0.) The files are now repaired; however, I am concerned at their ease of access. There was only a window of 10-15 minutes in which the packet filters were out of place. The user showed up as "doot" when doing a 'w'. There was definitely a TCP connection to port 23 (checked with netstat). Is there any info on this sort of attack?
More info. The following showed up in /var/log/secure:

Feb 29 17:03:31 ns1 in.telnetd[11317]: connect from 24.11.116.136
Feb 29 17:03:36 ns1 login: LOGIN ON 0 BY doot FROM cc678364-b.warn1.mi.home.com

I should also have said that none of these user accounts actually exist (doot, s, etc.) and that nothing maps to uid 900.
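The two things the poster spotted by hand (an su/login trail for accounts and a uid that are not in /etc/passwd, and an inetd replacement listening on an unexpected port) are easy to check mechanically. The script below is an added example written for this page, not code from either poster: it parses the PAM_pwdb and login lines quoted above against a constructed /etc/passwd excerpt, and checks a constructed `netstat -an` excerpt against a list of expected listening ports. The passwd contents, the benign third log line, the netstat output and the addresses in it are all made up for the example; on a real box you would feed it the actual files and command output.

```python
import re

# Constructed /etc/passwd excerpt (not from the post). Note that neither
# "doot" nor "s" exists and nothing maps to uid 900, as the poster says.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
nobody:x:99:99:Nobody:/:
alice:x:500:500:Alice:/home/alice:/bin/bash
"""

# The first two lines are the ones quoted in the post; the third is a
# constructed benign su by a real user, for contrast.
LOG = """\
Feb 29 17:03:36 ns1 login: LOGIN ON 0 BY doot FROM cc678364-b.warn1.mi.home.com
Feb 29 17:03:40 ns1 PAM_pwdb[11330]: (su) session opened for user s by doot (uid=900)
Feb 29 18:10:02 ns1 PAM_pwdb[11402]: (su) session opened for user root by alice (uid=500)
"""

# Constructed `netstat -an` excerpt (not from the post). 23 and 53 are the
# services this host is meant to offer; 5002 is the trojaned inetd listener.
NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5002            0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.5:23            192.0.2.99:1034         ESTABLISHED
"""

# Formats of the pam_pwdb su message and the login message on RH 6.x, as
# shown in the post.
SU_RE = re.compile(
    r"PAM_pwdb\[\d+\]: \(su\) session opened for user (\S+) by (\S+) \(uid=(\d+)\)")
LOGIN_RE = re.compile(r"login: LOGIN ON \S+ BY (\S+) FROM (\S+)")


def parse_passwd(text):
    """Return (name -> uid, uid -> name) maps from passwd-format text."""
    names, uids = {}, {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        uid = int(fields[2])
        names[fields[0]] = uid
        uids[uid] = fields[0]
    return names, uids


def find_unknown_accounts(log_text, passwd_text):
    """Flag su/login records naming users or uids that do not exist.

    Returns a list of (kind, value, raw_line) tuples in log order.
    """
    names, uids = parse_passwd(passwd_text)
    findings = []
    for line in log_text.splitlines():
        m = SU_RE.search(line)
        if m:
            target, caller, uid = m.group(1), m.group(2), int(m.group(3))
            if target not in names:
                findings.append(("su-target-unknown", target, line))
            if caller not in names:
                findings.append(("su-caller-unknown", caller, line))
            if uid not in uids:
                findings.append(("uid-unknown", str(uid), line))
            elif names.get(caller) != uid:
                # Caller name exists but the uid PAM reports is someone else's.
                findings.append(("uid-mismatch", "%s!=%d" % (caller, uid), line))
            continue
        m = LOGIN_RE.search(line)
        if m and m.group(1) not in names:
            findings.append(("login-unknown", m.group(1), line))
    return findings


def unexpected_listeners(netstat_text, expected_ports):
    """Return sorted TCP ports in LISTEN state that are not in expected_ports."""
    found = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0] == "tcp" and fields[-1] == "LISTEN":
            port = int(fields[3].rsplit(":", 1)[1])
            if port not in expected_ports:
                found.add(port)
    return sorted(found)


if __name__ == "__main__":
    for kind, value, raw in find_unknown_accounts(LOG, PASSWD):
        print("%-18s %-8s %s" % (kind, value, raw))
    print("unexpected listeners:", unexpected_listeners(NETSTAT, {23, 53}))
```

Run against the constructed data this reports the login by the non-existent "doot", the su to the non-existent "s", the unknown caller and the unmapped uid 900, and port 5002 as the one listener not accounted for. Because the attacker also replaced ls, du and find, tool output from the compromised box itself cannot be trusted; on RH 6.x the package database check (`rpm -Va`, which lists files whose size, MD5 or mode no longer match the installed package) and `ifconfig eth0` (which shows PROMISC when a sniffer has the interface open) are the two quick checks worth running, ideally from a clean boot medium.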
There are no known vulnerabilities in recent versions of telnet. Very probably some other component (for example, a non-updated nameserver) has caused the security compromise. Telnet is just a way to access the system.