strange telnet behavior

From: Vladimir Ivaschenko (hazardat_private)
Date: Mon Feb 18 2002 - 06:13:08 PST


    Dear All,
    
    A friend of mine asked me to help him with a very strange case:  
    suddenly his telnet application started to show passwords of
    users who used "telnet" to access other computers from his
    server. To do that, one needs to just press "enter" without
    entering username/password. E.g.:
    
    Red Hat Linux release 7.1 (Seawolf)
    Kernel 2.4.2-2 on an i586
    login:
    Login incorrect
    
    login: [@10.X.X.X  (telnet) ] -> [*USER*@10.X.X.X *PASSWORD* (telnet) ]
    [.. other usernames/password follow..]
    
    rpm -Va does not give any suspicious MD5 errors. When I
    rename "telnet" to something else, this behavior stops and it
    works as expected.
    
    Another interesting point is that I cannot strace telnet anymore:
    
    $]strace -f telnet X.X.X.X
    execve("/usr/bin/telnet", ["telnet", "10.10.10.3"], [/* 24 vars */]) = 0
    _sysctl({{CTL_KERN, KERN_OSRELEASE}, 2, "2.2.16-22", 9, NULL, 0}) = 0
    brk(0)                                  = 0x8069208
    old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40017000
    open("/etc/ld.so.preload", O_RDONLY)    = 3
    [.. everything follows as usual ..]
    ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
    rt_sigprocmask(SIG_BLOCK, NULL, [], 8)  = 0
    open("/etc/nsswitch.conf", O_RDONLY)    = 3
    Trying 10.10.10.3...
    Connected to 10.10.10.3.
    Escape character is '^]'.
    
    Red Hat Linux release 7.1 (Seawolf)
    Kernel 2.4.2-2 on an i586
    login:
    
    I.e., strace does not give any output after 
    'open("/etc/nsswitch.conf", O_RDONLY)    = 3' ! If I try to use 
    ltrace, the application blocks completely.
    
    chkrootkit does not give any alarms. The server is running RedHat 
    7.0.
    
    Any ideas?
    
    -- 
    Best Regards
    Vladimir Ivaschenko
    Certified Linux Engineer (RHCE)
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
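The post reports three observations that a triage script can turn into checks: rpm -Va finds nothing (it compares against the host's own rpm database, which a root-level intruder can rewrite together with the binary), the strace shows the loader opening /etc/ld.so.preload, and the behaviour disappears when the binary is renamed. The script below is an added example, not code from the original post or from any tool mentioned in it. It assumes only POSIX sh, md5sum, awk, sed, cmp and mktemp; the "telnet" it inspects, the manifest, the preload file and the library name /lib/libhide.so are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: three offline checks for a binary
# that "rpm -Va" reports as clean. Assumes only POSIX sh, md5sum, awk, sed, cmp
# and mktemp. All files, digests and names below are constructed for the demo.

# 1. Compare a file's MD5 with a manifest of "<md5>  <path>" lines recorded while
#    the system was trusted and kept off the host. "rpm -Va" checks against the
#    host's own rpm database, which root can rewrite along with the binary.
#    Prints OK / MISMATCH / UNLISTED and returns 0 / 1 / 2.
verify_against_manifest() {
    file=$1 manifest=$2
    expected=$(awk -v f="$file" '$2 == f { print $1 }' "$manifest")
    if [ -z "$expected" ]; then
        echo "UNLISTED $file"
        return 2
    fi
    actual=$(md5sum "$file" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "OK $file"
        return 0
    fi
    echo "MISMATCH $file"
    return 1
}

# 2. List the libraries named in an ld.so.preload-style file (the strace in the
#    post shows the loader opening it). Anything listed is mapped into every
#    dynamically linked process, so it can wrap the functions telnet calls
#    without the telnet binary itself changing.
list_preloads() {
    [ -f "$1" ] || return 0
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"
}

# 3. Does behaviour depend on the name the program is run as? Run the same file
#    under its real name and under a copy with a neutral name, give both the
#    same stdin, and compare their output. Returns 0 if the outputs are identical.
behaves_same_when_renamed() {
    prog=$1 input=$2
    tmpdir=$(mktemp -d) || return 2
    cp "$prog" "$tmpdir/probe.bin" && chmod +x "$tmpdir/probe.bin" || {
        rm -rf "$tmpdir"
        return 2
    }
    printf '%s' "$input" | "$prog" >"$tmpdir/a" 2>&1
    printf '%s' "$input" | "$tmpdir/probe.bin" >"$tmpdir/b" 2>&1
    cmp -s "$tmpdir/a" "$tmpdir/b"
    rc=$?
    rm -rf "$tmpdir"
    return $rc
}

# --- constructed demonstration: a clean "telnet", then a replacement keyed on
#     its own name, the way the post describes -----------------------------
demo() {
    work=$(mktemp -d) || exit 1
    # the clean program, and a manifest recorded from it while it was trusted
    printf '#!/bin/sh\necho "login:"\n' >"$work/telnet"
    chmod +x "$work/telnet"
    md5sum "$work/telnet" >"$work/manifest"
    # the replacement: same path and name, extra behaviour only when argv[0] is "telnet"
    cat >"$work/telnet" <<'EOF'
#!/bin/sh
echo "login:"
case "${0##*/}" in
    telnet) echo "[credentials would be logged here]" ;;
esac
EOF
    # a constructed preload file naming a made-up library
    printf '# example preload file\n/lib/libhide.so\n' >"$work/ld.so.preload"

    verify_against_manifest "$work/telnet" "$work/manifest"
    echo "preloaded libraries:"
    list_preloads "$work/ld.so.preload"
    if behaves_same_when_renamed "$work/telnet" ""; then
        echo "behaviour does not depend on the program name"
    else
        echo "behaviour changes when the program is renamed"
    fi
    rm -rf "$work"
}
demo
```

On a real box the manifest would come from the original package on read-only media (or a hash list taken when the host was built), not from the host's rpm database; the preload check should be read alongside the LD_PRELOAD environment and the loader's other configuration files, and the rename test should be run with the network unplugged, since a trojaned client may try to talk to something when it runs under its expected name.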
    
    This archive was generated by hypermail 2b30 : Mon Feb 18 2002 - 23:54:14 PST