lpd must already have been running on the server before the intrusion, because the attacker made use of its printer. lpd is the line printer daemon; it is normally started when the machine boots, from the rc(8) file. It makes one pass through the printcap(5) file to learn which printers exist and then prints any files that were left behind after a crash. lpd then uses the listen(2) and accept(2) system calls to receive requests to display the queue, print files that are already in the queue, move files into the spooling area, or remove jobs from the queue. Earlier versions of lpd required clients to connect from a privileged port (below 1024). That restriction was later removed because it provided no additional security, and most modern clients prefer to connect from an unprivileged port.
When I inspected the tcpdumpxxxxx file in Wireshark with different statistical methods, I realized that telnet was running on the university server before it was compromised. Telnet was first used to connect to Acme's machine at IP address 126.96.36.199 on port 23; data was then transported over FTP on port 21. An advanced search of the packet contents shows that the attacker used a message sent to the university server to deliver code and files that establish a connection to 188.8.131.52.
Telnet is a program that allows remote logins. Although it can be used securely, it can also be used anonymously, and several command libraries make it possible to work in such an environment. Telnet is thus a TCP/IP protocol, invoked by a user command, that lets one access a remote computer. FTP is commonly used to obtain files from a remote computer; Telnet goes one step further and allows one to log on as a regular user of that computer, with access to any programs or data installed on it. This is why it is mostly used to provide technical support services. In the early days of the Internet, Telnet was used to connect to free-nets, open-access computer systems; one reason was that dial-up modems were very slow, whereas Telnet worked much faster. The arrival of high-speed Internet providers has, however, caused most free-nets to shut down.
Telnet works by using software already installed on one's own computer to connect to the remote host. At the user's command, this client software sends a request to the Telnet server, which is the remote host. The server replies by asking the user for a user name and password. On correct identification, the Telnet client establishes a connection to the host, turning the local computer into a virtual terminal with full access to the host computer. Telnet therefore requires a user name and password, which means an account must already have been set up on the remote computer. In some cases, however, computers running Telnet only allow guests to log in with restricted access.
Hackers mostly do their work from a distance, and telnet is the oldest but most efficient way of doing so. For instance, a hacker at point 1 who wants to break into Acme's computer system would first go to point 2, a public place such as 184.108.40.206, to reduce the chance of being caught. He would then open a telnet session and log in to a system such as 220.127.116.11, the university server, and from there open a connection to another network or machine at point 3, inside the Acme network (18.104.22.168). The next step would be a large jump: an overseas connection to yet another point or network. Finally, he would go in for the kill, connect to the target network at a different point, and cause damage. By default, Telnet uses port 23. Port 23 carries the Telnet protocol, an unencrypted text channel, while port 21 carries the FTP control channel.
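As an added defender-side example (not part of the original analysis), the following Python script works over constructed flow records of the kind one would export from a capture such as the tcpdump file discussed above: it lists cleartext telnet (port 23) and FTP control (port 21) sessions, links them into the kind of multi-hop chain described in this paragraph, and classifies lpd clients by whether they used a privileged source port as the old lpd required. The hosts, timestamps and the 120-second hop window are assumptions, as is port 515 for lpd, which the page does not state.

```python
# Constructed flow records (assumption: exported from a capture such as the
# page's tcpdump file). Each record is (seconds, src_ip, src_port, dst_ip, dst_port).
FLOWS = [
    (100.0, "10.0.0.5", 40211, "10.0.1.9", 23),   # telnet login into 10.0.1.9
    (131.5, "10.0.1.9", 40302, "10.0.2.7", 23),   # 10.0.1.9 telnets onward
    (160.2, "10.0.2.7", 40410, "10.0.3.3", 21),   # FTP control channel from the next hop
    (170.0, "10.0.0.5", 40500, "10.0.1.9", 515),  # lpd request from an unprivileged port
    (180.0, "10.0.9.1", 1022, "10.0.1.9", 515),   # lpd request from a privileged port
    (200.0, "10.0.0.5", 40600, "10.0.1.9", 443),  # unrelated encrypted session
]

# Page-stated ports: 23 = telnet (cleartext), 21 = FTP control channel.
CLEARTEXT_PORTS = {23: "telnet", 21: "ftp-control"}
LPD_PORT = 515  # assumption: standard lpd port, not stated on the page

def cleartext_sessions(flows):
    """Every flow to a cleartext login/transfer port, as (src, dst, service)."""
    return [(s, d, CLEARTEXT_PORTS[dp]) for _, s, _, d, dp in flows if dp in CLEARTEXT_PORTS]

def stepping_stone_chains(flows, window=120.0):
    """Link cleartext sessions into hop chains: a login into host X followed, within
    `window` seconds, by X opening its own outbound telnet/FTP session. Returns IP chains."""
    sessions = sorted((t, s, d) for t, s, _, d, dp in flows if dp in CLEARTEXT_PORTS)
    chains = []
    for i, (t, src, dst) in enumerate(sessions):
        # Start only at the first hop: skip a source that was itself logged into just before.
        if any(d0 == src and 0 <= t - t0 <= window for t0, _, d0 in sessions[:i]):
            continue
        chain, last_t, cur = [src, dst], t, dst
        for t2, s2, d2 in sessions[i + 1:]:
            if s2 == cur and 0 <= t2 - last_t <= window:
                chain.append(d2)
                last_t, cur = t2, d2
        if len(chain) > 2:
            chains.append(chain)
    return chains

def lpd_client_ports(flows):
    """Split lpd requests by client source port. Old lpd demanded a privileged (<1024)
    port; modern clients usually do not use one, so this is inventory, not an alert."""
    privileged, unprivileged = [], []
    for _, s, sp, d, dp in flows:
        if dp == LPD_PORT:
            (privileged if sp < 1024 else unprivileged).append((s, sp, d))
    return privileged, unprivileged

if __name__ == "__main__":
    print("cleartext:", cleartext_sessions(FLOWS), "chains:", stepping_stone_chains(FLOWS))
    print("lpd privileged/unprivileged:", lpd_client_ports(FLOWS))
```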