> Date: Mon, 14 Jan 2002 14:49:36 -0600
> From: Kent West <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: debian-user@lists.debian.org
> Subject: Break-in? /usr/lib/telnetd, port 1037
> Resent-Date: Mon, 14 Jan 2002 15:53:52 -0500 (EST)
> Resent-From: debian-user@lists.debian.org
>
> I've got a Debian box (2.2.17, mostly woody) that I've just discovered
> has a more-or-less hidden telnetd running on port 1037 as well as the
> normal telnetd on port 23. I thought I had uninstalled telnetd (although
> it's possible I forgot to remove it).
>
> I'm thinking that somehow I've been broken into.
>
> I've got a pretty good Unix admin (not Debian) here helping to take a
> look at it, but so far she's not been able to learn anything definitive.
> One thing she thought odd was the existence of the directory
> /usr/lib/telnetd. And here's what one of the security gurus on one of
> her security mailing lists had to say about it:
>
> > > > There should not be a /usr/lib/telnetd.

As you mentioned this is only a directory and not the actual binary of telnetd. This directory contains the login program that telnet uses to authenticate users.

> > You have been hacked.
> > This is NOT normal behavior.
> > executables should never be stored in /usr/lib
> > that's for libraries.
> > There should also NOT be a telnetd user in our password file.
> > ftp maybe NOT telnetd.
> > /etc/services is just for mapping ports to services.
> > You could delete it and everything in inetd.conf would still work.
> > You just wouldn't get a nice port to name mapping from netstat;-)

> 1) is it normal for a Debian box to have telnetd as a user, as a member
> of utmp, and to have the /usr/lib/telnetd directory?

I don't believe that's a problem. As soon as you install the telnetd package you have a telnetd user in /etc/passwd. It should however not have any passwd in /etc/shadow . . .

But it's abnormal to have a hidden telnet server on port 1037. You should look into that.

Robert Walker.
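Added here as an example, not part of Robert Walker's or Kent West's messages: a small POSIX shell audit that encodes the two checks the thread converges on, flagging LISTEN ports outside an expected set (the unexplained port 1037) and confirming that the telnetd system account carries no usable password hash in /etc/shadow. The netstat output, shadow lines and expected-port list are constructed samples; on a live box you would feed it real `netstat -tln` output and the real /etc/shadow.

```shell
#!/bin/sh
# Constructed sample input standing in for "netstat -tln" output on the box
# described in the thread (port 1037 is the unexplained listener).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1037            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

# Constructed /etc/shadow lines; "*" in field 2 means no usable password.
SAMPLE_SHADOW='root:$1$constructedhash$xxxxxxxxxxxxxxxxxxxxxx:11700:0:99999:7:::
telnetd:*:11700:0:99999:7:::
kent:$1$anotherhash$yyyyyyyyyyyyyyyyyyyyyyy:11700:0:99999:7:::'

# Ports this box is expected to serve (assumption: ssh plus the inetd telnet).
EXPECTED_PORTS='22 23'

# Print each LISTEN port in the netstat text that is not in the expected list.
unexpected_listeners() {
    netstat_out=$1; want=$2
    printf '%s\n' "$netstat_out" | awk -v want="$want" '
        BEGIN { n = split(want, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^(tcp|udp)/ && $NF == "LISTEN" {
            port = $4; sub(/.*:/, "", port)   # keep only the port after the last colon
            if (!(port in ok)) print port
        }'
}

# Return 0 when the user's shadow entry has no usable hash (empty, "*", or a
# "!"-locked field), which is what a system account such as telnetd should show.
# Returns 1 for a real hash and 2 when the user has no shadow entry at all.
shadow_has_no_password() {
    user=$1; shadow=$2
    entry=$(printf '%s\n' "$shadow" | awk -F: -v u="$user" '$1 == u')
    [ -n "$entry" ] || return 2
    field=$(printf '%s' "$entry" | cut -d: -f2)
    case "$field" in
        ""|"*"|\!*) return 0 ;;
        *) return 1 ;;
    esac
}

# Report on the constructed samples.
unexpected_listeners "$SAMPLE_NETSTAT" "$EXPECTED_PORTS" |
    while read -r p; do echo "unexpected listener on port $p: investigate"; done
if shadow_has_no_password telnetd "$SAMPLE_SHADOW"; then
    echo "telnetd account has no password hash: consistent with the telnetd package"
else
    echo "telnetd account has a password hash or no entry: investigate"
fi
```

Any port the script reports is worth tying back to a process and a package (`lsof -i`/`dpkg -S` on the binary) before deciding whether it is an intruder's service or something you installed and forgot.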