backdoor in freebsd found..

[Renee Teunissen <renee () wittenburg10c nl>]

Hi,

A few days ago I checked a clients machine for problems, sinds two
userid's where added. After some seaching, a run of nmap
I found TCP port 54 to be open and with lsof if found a small
backdoor installed as /usr/bin/getty.

So far as I can see it's just a simple backdoor, only connecting to it
with netcat didnt give me what I tought I should get.
Anyone any idears?  
I've put the "getty" on one of my boss' machines,
it can be found on http://sms.pts.nl/renee/getty.gz (4KB).

Strings gives me something that could be a userid or something
like this. Anyone seen thisone before? And I think they got in
using a faulty telnetd.

Cheers,
Renee.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com