Sun Microsystems is aware of an active worm which exploits the in.telnetd vulnerability described in Sun Alert 102802.

Here are a few steps to help determine if a Solaris 10 or Nevada system may be infected:

 $ ls -la /var/adm/wtmpx

If the permissions are:

-rw-r--rw-   1 adm      adm         1116 Feb 28 12:03 wtmpx
the system may be infected, because wtmpx has been made world-writable. Next, the following command can be run:

 $ ls -la /var/adm/sa

If there is a directory named .adm, the system is probably infected. Other possible indications include the existence of the files:

/var/adm/.profile
/var/spool/lp/.profile

Additional possible indications include modified crontab entries for the users adm and lp:

 # cd /var/spool/cron/crontabs
 # grep PATH=\. *
 adm:#10 1 * * * (cd /var/adm/sa/ && cd .adm && [ -x sysadm ] && PATH=.  sysadm) >/dev/null 2>&1 &
 lp:#10 1 * * * (cd /var/spool/lp/admins/ && cd .lp && [ -x lpsystem ] && PATH=. lpsystem) >/dev/null 2>&1 &
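The checks above can be gathered into one script. The following helper is an added example, not part of the original post or Sun's inoculate.local; it takes a root prefix (use "/" on a live system, or the mount point of an image being examined), prints one line per indicator found, and returns the number of indicators, so a zero exit status means none of the signs described above were seen. It is written as POSIX sh and also runs under the Solaris Korn shell.

```shell
#!/bin/sh
# Added example (not from the original Sun post): report the in.telnetd worm
# indicators described in the text. $1 is a root prefix ("/" on a live system).
# Prints one line per indicator and returns the count (0 = nothing found).
check_telnetd_worm_indicators() {
    root=${1%/}            # strip a trailing slash so "/" and "/mnt/root/" both work
    found=0

    # 1. /var/adm/wtmpx left world-writable (-rw-r--rw- instead of the normal 644);
    #    character 9 of the ls mode string is the "other" write bit.
    wtmpx="$root/var/adm/wtmpx"
    if [ -f "$wtmpx" ] && [ "$(ls -ld "$wtmpx" | cut -c9)" = "w" ]; then
        echo "indicator: $wtmpx is world-writable"
        found=$((found + 1))
    fi

    # 2. hidden working directories the worm creates under adm and lp paths
    for d in /var/adm/sa/.adm /var/spool/lp/admins/.lp; do
        if [ -d "$root$d" ]; then
            echo "indicator: hidden directory $root$d exists"
            found=$((found + 1))
        fi
    done

    # 3. .profile files dropped for the adm and lp accounts
    for f in /var/adm/.profile /var/spool/lp/.profile; do
        if [ -f "$root$f" ]; then
            echo "indicator: dropped file $root$f exists"
            found=$((found + 1))
        fi
    done

    # 4. adm/lp crontab entries that run a program with PATH=. (the worm's persistence)
    for u in adm lp; do
        cr="$root/var/spool/cron/crontabs/$u"
        if [ -f "$cr" ] && grep -F 'PATH=.' "$cr" >/dev/null 2>&1; then
            echo "indicator: crontab for $u contains a PATH=. entry"
            found=$((found + 1))
        fi
    done

    return "$found"
}
```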

The following Korn shell script, inoculate.local, can be run locally on an infected system to remove the worm and prevent re-infection by disabling the telnet service. Copy the script into a file (for example, in /tmp or /var/tmp) and run it as the root user.


#!/bin/ksh -p
#
# Save this script as "inoculate.local" (for example, in /tmp or /var/tmp) and
# run the script as the root user
#
# Usage: inoculate.local

/usr/sbin/svcadm disable telnet || {
        echo This script must run as root. 1>&2
        exit 1
}

# Cleanup filesystem
/bin/rm -f /var/adm/.profile /var/spool/lp/.profile
/bin/rm -rf /var/spool/lp/admins/.lp
/bin/rm -rf /var/adm/sa/.adm
/bin/chmod 644 /var/adm/wtmpx

# Cleanup crontab
t=`/bin/mktemp /tmp/cr.XXXXXX`

/bin/crontab -l adm > $t
/bin/egrep -v 'Restarting scheduler|cd \.adm' $t | su adm -c /bin/crontab

/bin/crontab -l lp > $t
/bin/egrep -v 'Restarting scheduler|cd \.lp' $t | su lp -c /bin/crontab

/bin/rm -f $t

# Kill processes
/bin/pkill -9 -u lp 'lpshut|lpsystem|lpadmin|lpmove|lpusers|lpfilter|lpstat|lpd|lpsched|lpc'
/bin/pkill -9 -u adm 'devfsadmd|svcadm|cfgadm|kadmind|zoneadmd|sadm|sysadm|dladm|bootadm|routeadm|uadmin|acctadm|cryptoadm|inetadm|logadm|nlsadmin|sacadm|syseventadmd|ttyadmd|consadmd|metadevadm'


Comments:

Hi Team, please update me if there is any alert for Solaris 8 and Solaris 10.

Posted by Arjunan on July 12, 2007 at 10:15 PM PDT #

Solaris 8 and Solaris 9 are unaffected by the telnet vulnerability discussed here. More information about the issue and the patches for Solaris 10 can be found at: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1

Posted by Sumanth Naropanth on July 13, 2007 at 10:57 AM PDT #

Hi,
This information is very useful for me. Thanks a lot.

Posted by Mohan G on April 07, 2008 at 02:16 AM PDT #

What does the worm actually do? Does it just make copies of itself, and nothing more?

Posted by Joseph Spenner on May 21, 2008 at 10:38 AM PDT #

That is great and interesting, thanks for the post, it was really useful.

Posted by Sesli on May 28, 2008 at 12:10 AM PDT #

Thank you... I will keep looking for new updates here.

Posted by Sesli Chat on May 30, 2008 at 08:48 PM PDT #

Thanks.

Posted by irc on June 08, 2008 at 05:46 PM PDT #

Thanks, I will take care.

Posted by kral oyun on June 13, 2008 at 08:07 AM PDT #

Thanks.

Posted by sesli chat on June 13, 2008 at 05:41 PM PDT #

Thanks.

Posted by sesli chat on June 14, 2008 at 05:51 AM PDT #
