Summary: Telnet Attack

From: Andreas Höschler <ahoesch_at_smartsoft.de>
Date: Tue Aug 28 2007 - 15:10:13 EDT
Dear managers,

thanks a lot to

Casper.Dik@Sun.COM
Deborah Crocker <crock@bama.ua.edu>
... and others

that pointed me in the right direction. It turned out that the system
was infected by a telnet worm. I don't know yet when and exactly how it
got infected but the bottom line is

	 Never shut down your firewall, not even for a couple of seconds!
	 If possible, don't use telnet, even behind a firewall.
	 Install security patches.

I have learnt this lesson the hard way. The case demonstrates that Sun's
new "secure by default" approach makes sense. Here are a few links that
describe the worm and also contain a script to get rid of this thing.

> The worm zaps wtmpx but it leaves some traces in /var/log/lastlog
> (to be examined with "finger -m adm lp")
>
> See
>
> http://blogs.sun.com/security/entry/solaris_in_telnetd_worm_seen
>
> and
>
> http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1&searchclause=telnetd
>
> Patches here:
>
> http://sunsolve.sun.com/search/document.do?assetkey=1-21-120068-03-1&searchclause=security%2420telnetd
>
> and here:
>
> http://sunsolve.sun.com/search/document.do?assetkey=1-21-120069-03-1&searchclause=security%2420telnetd
>
> And the usual virus/worm security sites.
>
> It was apparently reported in February, two weeks or so after the
> patch came out.

Regards,

   Andreas
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
Received on Tue Aug 28 15:10:35 2007
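As an added example that is not part of the message above or of the Sun pages it links to: a small POSIX shell script that applies the three checks the post describes (login traces left in lastlog, visible through "finger -m adm lp"; whether the telnet service is still enabled; whether the in.telnetd patches are installed) to the output of the corresponding Solaris 10 commands. It parses that output on stdin rather than running the commands, so it also runs on a non-Solaris host against the sample output embedded in it, which is constructed, not captured from a real machine. The exact layouts of "finger -m", "svcs -H -o state,fmri" and "showrev -p", and revision 03 of patches 120068/120069 as the minimum level, are assumptions taken from the patch links, not stated in the post's own text.

```shell
#!/bin/sh
# Added example, not code from the original post or from Sun's pages: triage
# checks for the Solaris 10 in.telnetd worm discussed above. Each check parses
# the text output of a Solaris command on stdin instead of running it, so the
# script also runs on a non-Solaris host against the constructed samples below.
# On a live Solaris 10 system you would feed it the real output, e.g.
#   finger -m adm lp | audit_finger
#   svcs -H -o state,fmri svc:/network/telnet:default | audit_telnet_svc
#   showrev -p | audit_patches 03 120068 120069
# Assumptions: the output layouts below match those commands, and revision 03
# of patches 120068/120069 (the revisions in the post's links) is the minimum.

# 1. Login traces in lastlog: the worm wipes wtmpx, but 'finger -m' still reports
#    the last login of each named account from /var/log/lastlog. Prints one line
#    per account that has ever logged in; returns 1 if any such account exists.
audit_finger() {
    awk '
        /^Login name:/     { name = $3 }
        /^Never logged in/ { next }
        /^Last login /     { sub(/^Last login /, ""); print "login=" name " last=" $0; hits++ }
        END { exit (hits > 0) }
    '
}

# 2. Telnet service state: returns 1 if any telnet SMF instance is online.
audit_telnet_svc() {
    awk '$1 == "online" && $2 ~ /telnet/ { print "online: " $2; hits++ }
         END { exit (hits > 0) }'
}

# 3. Patch level: $1 is the minimum revision, the rest are patch IDs. Prints the
#    installed revision of each ID (or "missing"); returns 0 only if at least
#    one of the IDs (a host needs the one for its architecture) is at or above
#    the minimum revision.
audit_patches() {
    minrev=$1; shift
    awk -v minrev="$minrev" -v ids="$*" '
        BEGIN { n = split(ids, want, " ") }
        $1 == "Patch:" {
            split($2, p, "-")
            for (i = 1; i <= n; i++) {
                if (p[1] != want[i]) continue
                if (!(p[1] in best) || p[2] + 0 > best[p[1]] + 0) best[p[1]] = p[2]
            }
        }
        END {
            ok = 0
            for (i = 1; i <= n; i++) {
                id = want[i]
                if (!(id in best)) { print "missing: " id; continue }
                print "installed: " id "-" best[id]
                if (best[id] + 0 >= minrev + 0) ok = 1
            }
            exit !ok
        }'
}

# Constructed sample output (not captured from a real host). 'adm' has never
# logged in; 'lp' shows a login, which is the kind of trace the worm leaves.
SAMPLE_FINGER='Login name: adm                         In real life: Admin
Directory: /var/adm                     Shell:
Never logged in.
No unread mail
No Plan.

Login name: lp                          In real life: Line Printer Admin
Directory: /usr/spool/lp                Shell:
Last login Tue Aug 28 13:02 on pts/3 from 192.0.2.10
No unread mail
No Plan.'
SAMPLE_SVCS='online         svc:/network/telnet:default'
SAMPLE_SHOWREV='Patch: 120068-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu'

# Print a verdict for one check: $1 is a label, the rest is the check to run.
report() {
    label=$1; shift
    if "$@"; then echo "ok      $label"; else echo "WARNING $label"; fi
}

printf '%s\n' "$SAMPLE_FINGER"  | report "no system-account logins in lastlog" audit_finger
printf '%s\n' "$SAMPLE_SVCS"    | report "telnet service not online" audit_telnet_svc
printf '%s\n' "$SAMPLE_SHOWREV" | report "in.telnetd patch at revision 03 or later" audit_patches 03 120068 120069
```

Against the constructed samples all three checks report WARNING: lp has a recorded login, the telnet service is online, and only revision 02 of 120068 is installed. On a real box, a telnet instance that is still online is switched off with "svcadm disable svc:/network/telnet:default" (a standard Solaris 10 SMF command, not something from the post), and a system account that finger shows as having logged in is a sign that the machine needs the cleanup described in the links above, not just the patch.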