I've got a Debian box (2.2.17, mostly woody) that I've just discovered
has a more-or-less hidden telnetd running on port 1037 as well as the
normal telnetd on port 23. I thought I had uninstalled telnetd (although
it's possible I forgot to remove it).
I'm thinking that somehow I've been broken into.
I've got a pretty good Unix admin (not Debian) here helping to take a
look at it, but so far she's not been able to learn anything definitive.
One thing she thought odd was the existence of the directory
/usr/lib/telnetd. And here's what one of the security gurus on one of
her security mailing lists had to say about it:
There should not be a /usr/lib/telnetd.
You have been hacked.
This is NOT normal behavior.
executables should never be stored in /usr/lib
that's for libraries.
There should also NOT be a telnetd user in our password file.
ftp maybe NOT telnetd.
/etc/services is just for mapping ports to services.
You could delete it and everything in inetd.conf would still work.
You just wouldn't get a nice port to name mapping from netstat;-)
On another Debian box (Sid) (as well as on the suspected box), I've got
telnetd as a user in my /etc/passwd file, and it's a member of the utmp
group.
So my questions:
1) is it normal for a Debian box to have telnetd as a user, as a member
of utmp, and to have the /usr/lib/telnetd directory?
2) if so, why does this seem to disagree with the commercial unix folks?
Is Debian doing things in a better way, or a worse way?
Thanks for any input!
Kent
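One way to triage the situation described above, as an added example that is not from the poster or from Debian: a POSIX shell script that lists listening TCP ports and flags those which no /etc/inetd.conf entry accounts for, which is the distinction the quoted guru draws between /etc/services (name mapping only) and inetd.conf (what actually gets served). The netstat, inetd.conf and services data are constructed samples modelled on the post (telnet on 23, the unexpected listener on 1037); in real use you would feed the live files instead.

```shell
#!/bin/sh
# Constructed sample of `netstat -tln` output: sshd on 22, stock telnet on 23,
# and the unexpected listener on 1037 that the post describes.
NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1037            0.0.0.0:*               LISTEN'

# Constructed /etc/inetd.conf: only the stock Debian telnet entry.
INETD_SAMPLE='#<service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
telnet  stream  tcp nowait  telnetd.telnetd /usr/sbin/tcpd  /usr/sbin/in.telnetd'

# Constructed /etc/services excerpt (name -> port mapping, nothing more).
SERVICES_SAMPLE='ssh     22/tcp
telnet  23/tcp'

# service_port NAME SERVICES_TEXT: print the TCP port number for a service name.
service_port() {
  printf '%s\n' "$2" |
    awk -v n="$1" '$1 == n && $2 ~ /\/tcp$/ { sub(/\/tcp/, "", $2); print $2; exit }'
}

# inetd_ports INETD_TEXT SERVICES_TEXT: TCP ports inetd is configured to serve.
inetd_ports() {
  printf '%s\n' "$1" | awk '$1 !~ /^#/ && $3 == "tcp" { print $1 }' |
    while read -r name; do service_port "$name" "$2"; done
}

# unexplained_listeners NETSTAT_TEXT INETD_TEXT SERVICES_TEXT:
# listening TCP ports that no inetd.conf entry accounts for. Each one must
# then be explained by a standalone daemon (here 22 is sshd); 1037 is not.
unexplained_listeners() {
  known=$(inetd_ports "$2" "$3")
  printf '%s\n' "$1" |
    awk '$1 == "tcp" && $NF == "LISTEN" { n = split($4, a, ":"); print a[n] }' |
    while read -r port; do
      printf '%s\n' "$known" | grep -qx "$port" || echo "$port"
    done
}

unexplained_listeners "$NETSTAT_SAMPLE" "$INETD_SAMPLE" "$SERVICES_SAMPLE"
```

For each port the script prints, the next step is to find the owning process and check whether its binary belongs to an installed package (dpkg -S on the path), which is also how to settle whether /usr/lib/telnetd is package-owned on the box.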