Re: strange telnet behavior

[Bryan Andersen <bryan () visi com>]

Make a backup. wipe and reload.  Then restore your data only.
It has been rooted.  Telnet should not be doing that at all.

My guess it it is in one of the libraries like the plugable 
authentication modules.  Check for an extra one.  Possibly 
with a slightly higher version number than the system supplied 
one.  This is why it doesn't happen when renamed.  This would 
also explain why the MD5 sum chack dosen't show anything either.  
Try renaming ssh to telnet and see what happens when given a 
blank.  It's not just the programs that can be trojaned.
Libraries, compilers and linkers can also be subverted.

Before you wipe the disk, boot the system from the RedHat 
install CD and look around.  You may find that some new 
files show up.  A good root kit can cover it's tracks quite 
nicely.  If you find an extra directory, look at it's 
modification date.  Then look at the log files for that 
time frame.  My bet is there will be some gaps.  After 
backing up than fsck the disks to see if any files are 
found.  One can hide data and program code that way.  It 
only survives undetected till the next fsck, but it is 
nicely hidden.

Vladimir Ivaschenko wrote:
> Dear All,
>
> A friend of mine asked me to help him with a very strange case:
> suddenly his telnet application started to show passwords of
> users who used "telnet" to access other computers from his
> server. To do that, one needs to just press "enter" without
> entering username/password. E.g.:
>
> Red Hat Linux release 7.1 (Seawolf)
> Kernel 2.4.2-2 on an i586
> login:
> Login incorrect
>
> login: [@10.X.X.X  (telnet)
>                              ] -> [*USER*@10.X.X.X *PASSWORD*
> (telnet)
>
> ]
> [.. other usernames/password follow..]
>
> rpm -Va does not give any suspicious MD5 errors. When I
> rename "telnet" to something else, this behavior stops and it
> works like expected.
>
> Another interesting point is that I cannot strace telnet anymore:
>
> $]strace -f telnet X.X.X.X
> execve("/usr/bin/telnet", ["telnet", "10.10.10.3"], [/* 24 vars
> */]) = 0
> _sysctl({{CTL_KERN, KERN_OSRELEASE}, 2, "2.2.16-22", 9, NULL, 0})
> = 0
> brk(0)                                  = 0x8069208
> old_mmap(NULL, 4096, PROT_READ|PROT_WRITE,
> MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40017000
> open("/etc/ld.so.preload", O_RDONLY)    = 3
> [.. everything follows as usual ..]
> ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
> rt_sigprocmask(SIG_BLOCK, NULL, [], 8)  = 0
> open("/etc/nsswitch.conf", O_RDONLY)    = 3
> Trying 10.10.10.3...
> Connected to 10.10.10.3.
> Escape character is '^]'.
>
> Red Hat Linux release 7.1 (Seawolf)
> Kernel 2.4.2-2 on an i586
> login:
>
> I.e., strace does not give any output after
> 'open("/etc/nsswitch.conf", O_RDONLY)    = 3' ! If I try to use
> ltrace, the application blocks completely.
>
> chkrootkit does not give any alarms. The server is running RedHat
> 7.0.
>
> Any ideas?
>
> --
> Best Regards
> Vladimir Ivaschenko
> Certified Linux Engineer (RHCE)
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com

-- 
|  Bryan Andersen   |   bryan () visi com   |   http://www.nerdvest.com   |
| Buzzwords are like annoying little flies that deserve to be swatted. |
|      "Linux, the OS Microsoft doesn't want you to know about.".      |
|   -Bryan Andersen                                                    |

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com