Security

« Sun Alert 102621... | Main | Sun Alert 102802... »

28 Feb 2007 Solaris in.telnetd worm seen in the wild + inoculation script
posted by security in Alerts

Sun Microsystems is aware of an active worm which exploits the in.telnetd vulnerability described in Sun Alert 102802.

Here are a few steps to help determine if a Solaris 10 or Nevada system may be infected:

 $ ls -la /var/adm/wtmpx

If the permissions are:

-rw-r--rw-   1 adm      adm         1116 Feb 28 12:03 wtmpx

the system may be infected. Next the following command can be run:

 $ ls -la /var/adm/sa

If there is directory named .adm the system is probably infected. Other possible indications include the existence of the files:

/var/adm/.profile
/var/spool/lp/.profile

Additionally possible indications include modified crontab entries for users adm and lp.

 # cd /var/spool/cron/crontabs
 # grep PATH=\. *
 adm:#10 1 * * * (cd /var/adm/sa/ && cd .adm && [ -x sysadm ] && PATH=.  sysadm) >/dev/null 2>&1 &
 lp:#10 1 * * * (cd /var/spool/lp/admins/ && cd .lp && [ -x lpsystem ] && PATH=. lpsystem) >/dev/null 2>&1 &

The following Korn shell script, inoculate.local, can be run locally on an infected system to remove the worm and prevent further re-infection by disabling the telnet service. Copy the script into a file (for example, in /tmp or /var/tmp) and run the script as the root user.


#!/bin/ksh -p
#
# Save this script as "inoculate.local" (for example, in /tmp or /var/tmp) and
# run the script as the root user
#
# Usage: inoculate.local

/usr/sbin/svcadm disable telnet || {
        echo This script must run as root. 1>&2
        exit 1
}

# Cleanup filesystem
/bin/rm -f /var/adm/.profile /var/spool/lp/.profile
/bin/rm -rf /var/spool/lp/admins/.lp
/bin/rm -rf /var/adm/sa/.adm
/bin/chmod 644 /var/adm/wtmpx

# Cleanup crontab
t=`/bin/mktemp /tmp/cr.XXXXXX`

/bin/crontab -l adm > $t
/bin/egrep -v 'Restarting scheduler|cd \.adm' $t | su adm -c /bin/crontab

/bin/crontab -l lp > $t
/bin/egrep -v 'Restarting scheduler|cd \.lp' $t | su lp -c /bin/crontab

/bin/rm -f $t

# Kill processes
/bin/pkill -9 -u lp 'lpshut|lpsystem|lpadmin|lpmove|lpusers|lpfilter|lpstat|lpd|lpsched|lpc'
/bin/pkill -9 -u adm 'devfsadmd|svcadm|cfgadm|kadmind|zoneadmd|sadm|sysadm|dladm|bootadm|routeadm|uadmin|acctadm|cryptoadm|inetadm|logadm|nlsadmin|sacadm|syseventadmd|ttyadmd|consadmd|metadevadm'

Permalink | Comments [3]

Comments:

HI Team Pls update me if any alert for solaris 8 and solaris 10.

Posted by Arjunan on July 12, 2007 at 10:15 PM PDT #

Solaris 8 and Solaris 9 are unaffected by the telnet vulnerability discussed here. More information about the issue and the patches for Solaris 10 can be found at: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1

Posted by Sumanth Naropanth on July 13, 2007 at 10:57 AM PDT #

What does the worm actually do? Does it just make copies of itself, and nothing more?

Posted by Joseph Spenner on May 21, 2008 at 10:38 AM PDT #