Bug 9874 - major telnet security hole...
Summary: major telnet security hole...
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: telnet
Version: 6.1
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Florian La Roche
QA Contact:
Keywords: Security
Depends On:
Reported: 2000-03-01 00:13 UTC by mat
Modified: 2008-05-01 15:37 UTC (History)

Clone Of:
Last Closed: 2000-03-01 12:20:34 UTC


Description mat 2000-03-01 00:13:25 UTC
I noticed the following this afternoon on my RH 6.1 server.

Feb 29 17:03:40 ns1 PAM_pwdb[11330]: (su) session opened for user s by doot

This user had telnetted in (no possibility of knowing the password)
and managed to get root access. They had replaced /usr/sbin/inetd
with a version listening on tcp/5002, plus versions of ls, du and find
to hide various scripts in /tmp. (Also started a packet sniffer on eth0.)

The files are now repaired; however, I am concerned at their ease of
access. There was only a window of 10-15 minutes in which packet
filters were out of place.

User showed up as: doot when doing a 'w'.

There was definitely a TCP connection to port 23 (checked with netstat).

Is there any info on this sort of attack??

Comment 1 mat 2000-03-01 12:20:59 UTC
More info.

The following showed up in /var/log/secure.

Feb 29 17:03:31 ns1 in.telnetd[11317]: connect from
Feb 29 17:03:36 ns1 login: LOGIN ON 0 BY doot FROM cc678364-b.warn1.mi.home.com

I should also have said that none of these user accounts actually exist
(doot, s etc.) and that nothing maps to uid 900.
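The two log lines quoted in this report (a telnet LOGIN for an account that does not exist, followed by an su session involving another non-existent account) are exactly the kind of thing a small log check can flag. The following is an added example, not part of the bug report or of Red Hat's tooling; the sample log is constructed around the quoted lines (with two made-up benign lines added), and the set of legitimate accounts is an assumption.

```python
import re

# Constructed sample log: the first three lines mirror the ones quoted in
# the report, the last two are made-up legitimate activity for contrast.
SAMPLE_LOG = """\
Feb 29 17:03:31 ns1 in.telnetd[11317]: connect from
Feb 29 17:03:36 ns1 login: LOGIN ON 0 BY doot FROM cc678364-b.warn1.mi.home.com
Feb 29 17:03:40 ns1 PAM_pwdb[11330]: (su) session opened for user s by doot
Feb 29 18:10:02 ns1 login: LOGIN ON 1 BY mat FROM 10.0.0.5
Feb 29 18:10:10 ns1 PAM_pwdb[11402]: (su) session opened for user root by mat
"""

# Accounts that legitimately exist on the host (assumed for this example;
# in practice build this set from /etc/passwd).
KNOWN_USERS = {"root", "mat"}

# Patterns for the two message formats seen in the report.
LOGIN_RE = re.compile(r"login: LOGIN ON (\S+) BY (\S+) FROM (\S+)")
SU_RE = re.compile(r"PAM_pwdb\[\d+\]: \(su\) session opened for user (\S+) by (\S+)")


def find_suspicious(log_text, known_users):
    """Return one finding per login or su session that names an unknown account."""
    findings = []
    for line in log_text.splitlines():
        timestamp = line[:15]  # syslog "Mon DD HH:MM:SS" prefix
        m = LOGIN_RE.search(line)
        if m:
            tty, user, host = m.groups()
            if user not in known_users:
                findings.append({"time": timestamp, "kind": "login",
                                 "user": user, "host": host})
            continue
        m = SU_RE.search(line)
        if m:
            target, actor = m.groups()
            # Either the account being switched to or the one doing it
            # may be unknown; flag the line if any party is.
            if target not in known_users or actor not in known_users:
                findings.append({"time": timestamp, "kind": "su",
                                 "user": target, "by": actor})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG, KNOWN_USERS):
        print(f)
```

Run against the constructed log it reports the `doot` login from the remote host and the su to `s` by `doot`, and stays silent on the two benign lines.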

Comment 2 Pekka Savola 2000-07-16 20:27:32 UTC
There are no known vulnerabilities in recent versions of telnet.

Very probably some other component (for example, non-updated nameserver) has
caused the security compromise.  Telnet is just a way to access the system.
