12-30-2005, 12:39 PM, #1
Member
Registered: Dec 2005
Posts: 47
Should I be worried - version of putty connecting on telnet
Over the holidays I was accessing a server using the PuTTY SSH client from my holiday location on a rather awful Windows set-up.
To cut a stupid Windows story short: I accidentally used an older version of PuTTY installed by an innocent person. The problem is that the next time I opened it I noticed it was defaulted to using Telnet and not SSH (nobody else would have used it in the meantime). So I'm assuming it had "connected" using Telnet the first time round. Except the telnet service is quite rightfully disabled on the server and so connections cannot be made.
Was this a rogue version of PuTTY? Unfortunately I can't now easily ask the person where it came from or check its md5sum.
Should I be worried? What can I do? Can I tell if the system has been compromised? Everything looks OK, but then again I am new to this.
Stupid stupid me.
12-30-2005, 12:54 PM, #2
Senior Member
Registered: May 2004
Location: Sebec, ME, USA
Distribution: Debian Etch, Windows XP Home, FreeBSD
Posts: 1,445
I wouldn't worry about it too much, since the machine you're logging into has telnet disabled. Which system are you worried about being compromised?
12-30-2005, 01:05 PM, #3
Member
Registered: Dec 2005
Posts: 47
Original Poster
Thanks for your fast reply.
I'm worried about the server. That the version of PuTTY forwarded my password on somewhere.
Is there any easy way of checking that a system is compromised? I guess probably not.
This is very frustrating, but I might be just paranoid.
12-30-2005, 01:39 PM, #4
Member
Registered: Aug 2005
Location: New Brunswick
Distribution: Trisquel
Posts: 70
Just wanted to add a few comments here.
When it comes to computer security it's not a question of "Am I paranoid?" but rather "Am I paranoid enough?". I think it is great that you were aware enough to notice the setting and awake enough to question it. Unfortunately I can't offer advice on how to check the version of PuTTY, other than accessing it again while a program like Ethereal was running and seeing where it was making connections to.
I would suggest rotating your password for the account. (It's what I would do, but then I know I'm paranoid.) Changing a password is relatively painless and can save a lot of problems. If you are very concerned that there might have been a breach I'd advise whoever admins the server. Just let them know that you saw something possibly questionable and want to be sure. I'm sure they will be happy to look into it and happy for the heads up, as a compromised system is easier to fix the earlier it is caught.
Another thing you might want to check is the IP address of your last few connections (if they are logged and you can go back that far). If you know the IP of the machine with the suspicious PuTTY you can check and see if you actually connected from it. You could also just scan the connection history for any "weird" IP addys connecting to your account.
Again, good work in noticing that it didn't seem right, and better work in questioning it. I wish most of the people I did tech support for were as "paranoid" as you.
12-31-2005, 01:52 PM, #5
Member
Registered: Dec 2005
Posts: 47
Original Poster
Thanks for the info. Luckily for me, I've managed to get hold of the person who installed that version and he has sent it to me for inspection.
Where can I find the connection history/logs?
Thanks
12-31-2005, 02:20 PM, #6
Senior Member
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,141
I'm running OpenSSH version 4.2p1 on Slackware 10.2. Grepping through my logs shows entries for sshd in /var/log/messages and /var/log/secure.
The default PuTTY log setting is 'Logging turned off completely', so you probably won't be able to retrieve anything useful from the Windows box, but since the default log name is 'putty.log' have a look in the directory that PuTTY was installed in, just in case.
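The check suggested in posts #4 and #6 (grep the server's sshd log for the addresses your account logged in from and look for one you don't recognise), written out as an added example that is not from the thread. The log lines are constructed in the OpenSSH 4.x syslog format; the addresses and the "expected" client list are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): summarise accepted sshd logins per source
# address for one user, then flag any source not on a list of expected clients.
# Constructed sample lines in the syslog format OpenSSH 4.x writes to
# /var/log/messages or /var/log/secure; point the functions at the real file.

SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Dec 30 12:39:01 srv sshd[2211]: Accepted password for alice from 192.0.2.10 port 51234 ssh2
Dec 30 12:41:17 srv sshd[2230]: Failed password for alice from 198.51.100.7 port 40211 ssh2
Dec 30 13:02:44 srv sshd[2302]: Accepted password for alice from 192.0.2.10 port 51301 ssh2
Dec 31 09:15:09 srv sshd[3104]: Accepted publickey for alice from 198.51.100.7 port 40999 ssh2
Dec 31 09:16:30 srv sshd[3110]: Accepted password for bob from 203.0.113.5 port 60000 ssh2
EOF

# Print "count ip" for every accepted login of the given user, most frequent
# first. Failed attempts are deliberately excluded: only real logins matter here.
accepted_sources() {   # $1 = log file, $2 = user name
    grep "sshd\[[0-9]*\]: Accepted .* for $2 from " "$1" \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Print the accepted-login addresses for a user that are NOT in the expected
# list, i.e. the "weird" addresses post #4 suggests looking for.
unexpected_sources() { # $1 = log file, $2 = user, $3... = expected addresses
    log="$1"; user="$2"; shift 2
    accepted_sources "$log" "$user" | while read -r count ip; do
        known=no
        for ok in "$@"; do [ "$ip" = "$ok" ] && known=yes; done
        [ "$known" = yes ] || echo "$ip ($count accepted logins)"
    done
}

# Example run: alice believes she only ever connected from 192.0.2.10.
accepted_sources "$SAMPLE_LOG" alice
unexpected_sources "$SAMPLE_LOG" alice 192.0.2.10
```

An unexpected address is a reason to change the password and tell the server admin, as post #4 says; an empty result only shows nothing odd was logged, not that nothing happened.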
01-01-2006, 07:14 AM, #7
Senior Member
Registered: Nov 2003
Location: Knoxville, TN
Distribution: Kubuntu 9.04
Posts: 1,168
A potential interloper would, at a minimum, have to install a sniffer somewhere between the client and server to intercept your packets. If the client and server are geographically close to one another (fewer hops) that'll reduce the odds even further.
I'd say that unless you've had security breaches in the past, or there's something else going on that makes you suspicious, you shouldn't be particularly worried. Change your password, do a virus scan, and if there aren't any backdoors or rootkits installed on your end just forget about it. If there are security problems on the other end, the admins should have already changed all their passwords as part of their SOP. If they have poor security procedures and practices there's nothing you can do to help them anyway, and you might even make yourself a scapegoat for their incompetence.
01-03-2006, 04:49 PM, #8
Senior Member
Registered: Aug 2004
Location: Munich, Germany
Distribution: Opensuse 11.2
Posts: 1,549
There's nothing unusual about that in PuTTY. Older versions of PuTTY (up to some from 18 months or 2 years ago or so) always defaulted to telnet. If your Linux machine doesn't have telnet running (and it shouldn't!) then you must have set PuTTY to SSH and forgotten you'd done it when you connected.
01-16-2006, 10:52 AM, #9
Member
Registered: Dec 2005
Posts: 47
Original Poster
Thank you all for your informative answers. You have taken a weight off my shoulders. I will check the md5sum when I find it, but from what you have said it seems highly unlikely that something fishy went on, and it's not like it's a multi-million dollar corporation anyway.
Thanks again.