Should I be worried - version of putty connecting on telnet
Over the holidays I was accessing a server using the putty ssh client from my holiday location on a rather awful windows set-up.
To cut a stupid windows story short: I accidentally used an older version of putty installed by an innocent person. The problem is the next time I opened it I noticed it was defaulted to using Telnet and not ssh (nobody else would have used it in the meantime). So I'm assuming it had "connected" using Telnet the first time round. Except the telnet service is quite rightfully disabled on the server and so connections cannot be made.
Was this a rogue version of putty? Unfortunately I can't now easily ask the person where it came from or check its md5sum.
Should I be worried? What can I do? Can I tell if the system has been compromised? Everything looks ok, but then again I am new to this.
When it comes to computer security it's not a question of "am I paranoid" but rather "am I paranoid enough". I think it is great that you were aware enough to notice the setting and awake enough to question it. Unfortunately I can't offer advice on how to check the version of putty, other than accessing it again while a program like Ethereal was running and seeing where it was making connections to.
I would suggest rotating your password for the account. (It's what I would do.. but then I know I'm paranoid.) Changing a password is relatively painless and can save a lot of problems. If you are very concerned that there might have been a breach I'd advise whoever admins the server. Just let them know that you saw something possibly questionable and want to be sure. I'm sure they will be happy to look into it and happy for the heads up, as a compromised system is easier to fix the earlier it is caught.
Another thing you might want to check is the IP address of your last few connections (if they are logged and you can go back that far). If you know the IP of the machine with the suspicious putty you can check and see if you actually connected from it.. you could also just scan the connection history for any "weird" IP addys connecting to your account.
Again.. good work in noticing that it didn't seem right.. better work in questioning it.. I wish most of the people I did tech support for were as "paranoid" as you.
I'm running openssh version 4.2p1 on Slackware 10.2. Grepping through my logs shows entries for sshd in /var/log/messages and /var/log/secure.
The default Putty log setting is 'Logging turned off completely' so you probably won't be able to retrieve anything useful from the windows box, but since the default log name is 'putty.log' have a look in the directory that putty was installed in - just in case.
A potential interloper would, at a minimum, have to install a sniffer somewhere between the client and server to intercept your packet. If the client and server are geographically close to one another (fewer hops) that'll reduce the odds even further.
I'd say that unless you've had security breaches in the past, or there's something else going on that makes you suspicious, you shouldn't be particularly worried. Change your password, do a virus scan, and if there aren't any backdoors or rootkits installed on your end just forget about it. If there are security problems on the other end the admins should have already changed all their passwords as part of their SOP. If they have poor security procedures and practices there's nothing you can do to help them anyway and you might even make yourself a scapegoat for their incompetence.
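The check suggested in the two replies above (go through the sshd entries in /var/log/secure or /var/log/messages and look for successful logins from addresses you don't recognise) as an added example, not code from anyone in this thread. The log lines below are constructed samples in the syslog format sshd writes; the usernames, the "known" address set and the `accepted_logins`/`unfamiliar_logins` helper names are assumptions for the example.

```python
import re

# Constructed sample sshd log lines (not real logs): one holiday-location
# login, one failed attempt, and one successful login from an address the
# account owner does not recognise.
SAMPLE_LOG = """\
Dec 22 09:14:02 box sshd[4121]: Accepted password for alice from 192.0.2.10 port 51022 ssh2
Dec 24 18:40:11 box sshd[4388]: Accepted password for alice from 198.51.100.77 port 40311 ssh2
Dec 24 18:41:57 box sshd[4390]: Failed password for alice from 198.51.100.77 port 40312 ssh2
Dec 26 22:03:45 box sshd[4502]: Accepted password for alice from 203.0.113.5 port 38844 ssh2
Dec 27 08:12:30 box sshd[4610]: Accepted publickey for bob from 192.0.2.11 port 50001 ssh2
"""

# Matches only successful logins; "Failed password" lines are ignored on purpose.
ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def accepted_logins(log_text):
    """Return (timestamp, user, auth method, source ip) for each successful login."""
    found = []
    for line in log_text.splitlines():
        m = ACCEPTED.match(line)
        if m:
            found.append((m["ts"], m["user"], m["method"], m["ip"]))
    return found


def unfamiliar_logins(log_text, user, known_ips):
    """Successful logins for `user` from addresses not in the known set."""
    return [e for e in accepted_logins(log_text)
            if e[1] == user and e[3] not in known_ips]


if __name__ == "__main__":
    # Assumed: home address plus the address used from the holiday location.
    known = {"192.0.2.10", "198.51.100.77"}
    for ts, user, method, ip in unfamiliar_logins(SAMPLE_LOG, "alice", known):
        print(f"{ts}  {user} via {method} from {ip}  <- not a known address")
```

On a real box, feed it the contents of /var/log/secure (or the rotated copies, if the logs go back far enough) and an address set built from the places you actually connected from.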
There's nothing unusual about that in putty. Older versions of putty (up to some from 18 months or 2 years ago or so) always defaulted to telnet. If your Linux machine doesn't have telnet running (and it shouldn't!) then you must have set putty to ssh and forgot you'd done it when you connected.
Thank you all for your informative answers. You have taken a weight off my shoulders. I will check the md5sum when I find it, but by what you have said it seems highly unlikely that something fishy went on - and it's not like it's a multi-million dollar corporation anyway.