Security Incidents mailing list archives

strange telnet behavior

From: Vladimir Ivaschenko <hazard () francoudi com>
Date: Mon, 18 Feb 2002 16:13:08 +0200

Dear All,

A friend of mine asked me to help him with a very strange case:  
suddenly his telnet application started to show passwords of
users who used "telnet" to access other computers from his
server. To do that, one needs to just press "enter" without
entering username/password. E.g.:

Red Hat Linux release 7.1 (Seawolf)
Kernel 2.4.2-2 on an i586
login:
Login incorrect

login: [@10.X.X.X  (telnet)
                             ] -> [*USER*@10.X.X.X *PASSWORD* 
(telnet)
                                                                        
]
[.. other usernames/password follow..]

rpm -Va does not give any suspicious MD5 errors. When I
rename "telnet" to something else, this behavior stops and it
works like expected.

Another interesting point is that I cannot strace telnet anymore:

$]strace -f telnet X.X.X.X
execve("/usr/bin/telnet", ["telnet", "10.10.10.3"], [/* 24 vars 
*/]) = 0
_sysctl({{CTL_KERN, KERN_OSRELEASE}, 2, "2.2.16-22", 9, NULL, 0}) 
= 0
brk(0)                                  = 0x8069208
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, 
MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40017000
open("/etc/ld.so.preload", O_RDONLY)    = 3
[.. everything follows as usual ..]
ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
rt_sigprocmask(SIG_BLOCK, NULL, [], 8)  = 0
open("/etc/nsswitch.conf", O_RDONLY)    = 3
Trying 10.10.10.3...
Connected to 10.10.10.3.
Escape character is '^]'.

Red Hat Linux release 7.1 (Seawolf)
Kernel 2.4.2-2 on an i586
login:

I.e., strace does not give any output after 
'open("/etc/nsswitch.conf", O_RDONLY)    = 3' ! If I try to use 
ltrace, the application blocks completely.

chkrootkit does not give any alarms. The server is running RedHat 
7.0.

Any ideas?

-- 
Best Regards
Vladimir Ivaschenko
Certified Linux Engineer (RHCE)

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

strange telnet behavior Vladimir Ivaschenko (Feb 18)
- Re: strange telnet behavior Pavel Kankovsky (Feb 20)
  - Re: strange telnet behavior Vladimir Ivaschenko (Feb 20)
- Re: strange telnet behavior Bryan Andersen (Feb 20)
  - Re: strange telnet behavior Gideon Lenkey (Feb 22)
    - Re: strange telnet behavior Paul Gear (Feb 24)
- Re: strange telnet behavior tfm (Feb 20)
  - Solaris hack Jamie Lawrence (Feb 22)
    - RE: Solaris hack Glenn Pitcher (Feb 24)
    - strange udp packets Jason Robertson (Feb 24)
    - Re: Solaris hack Matt K. (Feb 24)

(Thread continues...)