Dear All, A friend of mine asked me to help him with a very strange case: suddenly his telnet application started to show passwords of users who used "telnet" to access other computers from his server. To do that, one needs to just press "enter" without entering username/password. E.g.: Red Hat Linux release 7.1 (Seawolf) Kernel 2.4.2-2 on an i586 login: Login incorrect login: [@10.X.X.X (telnet) ] -> [*USER*@10.X.X.X *PASSWORD* (telnet) ] [.. other usernames/password follow..] rpm -Va does not give any suspicious MD5 errors. When I rename "telnet" to something else, this behavior stops and it works like expected. Another interesting point is that I cannot strace telnet anymore: $]strace -f telnet X.X.X.X execve("/usr/bin/telnet", ["telnet", "10.10.10.3"], [/* 24 vars */]) = 0 _sysctl({{CTL_KERN, KERN_OSRELEASE}, 2, "2.2.16-22", 9, NULL, 0}) = 0 brk(0) = 0x8069208 old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40017000 open("/etc/ld.so.preload", O_RDONLY) = 3 [.. everything follows as usual ..] ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0 rt_sigprocmask(SIG_BLOCK, NULL, [], 8) = 0 open("/etc/nsswitch.conf", O_RDONLY) = 3 Trying 10.10.10.3... Connected to 10.10.10.3. Escape character is '^]'. Red Hat Linux release 7.1 (Seawolf) Kernel 2.4.2-2 on an i586 login: I.e., strace does not give any output after 'open("/etc/nsswitch.conf", O_RDONLY) = 3' ! If I try to use ltrace, the application blocks completely. chkrootkit does not give any alarms. The server is running RedHat 7.0. Any ideas? -- Best Regards Vladimir Ivaschenko Certified Linux Engineer (RHCE) ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Feb 18 2002 - 23:54:14 PST