Security Incidents mailing list archives
strange telnet behavior
From: Vladimir Ivaschenko <hazard () francoudi com>
Date: Mon, 18 Feb 2002 16:13:08 +0200
Dear All,

A friend of mine asked me to help him with a very strange case: suddenly his telnet application started to show passwords of users who used "telnet" to access other computers from his server. To do that, one needs to just press "enter" without entering username/password. E.g.:

Red Hat Linux release 7.1 (Seawolf)
Kernel 2.4.2-2 on an i586
login:
Login incorrect

login: [@10.X.X.X (telnet) ] -> [*USER*@10.X.X.X *PASSWORD* (telnet) ]
[.. other usernames/password follow..]

rpm -Va does not give any suspicious MD5 errors. When I rename "telnet" to something else, this behavior stops and it works like expected.

Another interesting point is that I cannot strace telnet anymore:

$]strace -f telnet X.X.X.X
execve("/usr/bin/telnet", ["telnet", "10.10.10.3"], [/* 24 vars */]) = 0
_sysctl({{CTL_KERN, KERN_OSRELEASE}, 2, "2.2.16-22", 9, NULL, 0}) = 0
brk(0) = 0x8069208
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40017000
open("/etc/ld.so.preload", O_RDONLY) = 3
[.. everything follows as usual ..]
ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0
open("/etc/nsswitch.conf", O_RDONLY) = 3
Trying 10.10.10.3...
Connected to 10.10.10.3.
Escape character is '^]'.

Red Hat Linux release 7.1 (Seawolf)
Kernel 2.4.2-2 on an i586
login:

I.e., strace does not give any output after 'open("/etc/nsswitch.conf", O_RDONLY) = 3' ! If I try to use ltrace, the application blocks completely.

chkrootkit does not give any alarms. The server is running RedHat 7.0.

Any ideas?

--
Best Regards
Vladimir Ivaschenko
Certified Linux Engineer (RHCE)

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com