Alan Hargreaves' Weblog

The ramblings of an Australian SaND TSC* Principal Field Technologist

* Solaris and Network Domain Technology Support Centre - The group I work for

Wednesday Feb 28, 2007

in.telnetd exploit doing the rounds

I am hearing talk about an exploit of the in.telnetd issue doing the rounds. This affects Solaris 10 and Solaris Express.

References at sans.org and asert.arbornetworks.com

Now would be a particularly good time to disable your telnet daemon:

# svcadm disable telnet

If you must run telnetd, then you need to get the patches referred to in Sun Alert 102802. The patches are freely available on sunsolve.

120068-03 SunOS 5.10_sparc: in.telnetd Patch
120069-03 SunOS 5.10_x86: in.telnetd Patch

In spite of what the README says, these patches do not require a reboot.

Some Details

While things are still sketchy, it looks like it propagates by connecting as both "adm" and "lp" and copies SPARC and x86 binaries into /var/adm/sa/.adm, along with crontab entries for both of these users.

A quick check to see if you have been infected is to check the mode of /var/adm/wtmpx. If it is 0646 and you have the aforementioned directory, it is likely you are infected.

First off, disable the telnet daemon as described above. Clear out the cron entries that were added for adm and lp. There will also be a program running that listens on port 32982. It will likely have the same name as the only non-dot-file in /var/adm/sa/.adm. Make sure you kill the right one, as the worm picks its name from a number of Solaris daemons. Run pfiles on it to look for port 32982.
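The checks above, collected into a read-only script. This is an added example, not code from the original post or from Sun; the root-prefix argument, the pfiles(1) output parsing, and the assumption that the added adm/lp cron entries reference one of the worm's drop directories are mine.

```sh
#!/bin/sh
# Added example, not code from the original post: read-only checks for the
# indicators the post lists. ROOT may be "" for the live system or the mount
# point of a disk image. Assumption (mine): the cron entries the worm adds
# reference one of its drop directories.

# 0 when the permission string is rw-r--rw- (mode 0646, as reported for
# /var/adm/wtmpx). ls -ld is parsed because Solaris 10 has no stat(1).
wtmpx_mode_suspicious() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    [ "$mode" = "-rw-r--rw-" ]
}

# 0 when either drop directory (post, and Alan Burlison's comment) exists.
drop_dirs_present() {
    [ -d "$1/var/adm/sa/.adm" ] || [ -d "$1/var/spool/lp/admins/.lp" ]
}

# 0 when the adm or lp crontab (Solaris keeps them in
# /var/spool/cron/crontabs/<user>) mentions a drop directory. Both users
# have stock crontabs, so review the whole file rather than deleting it.
cron_mentions_drop_dirs() {
    for u in adm lp; do
        f="$1/var/spool/cron/crontabs/$u"
        [ -f "$f" ] && grep -q -e '/var/adm/sa/\.adm' \
                               -e '/var/spool/lp/admins/\.lp' "$f" && return 0
    done
    return 1
}

# 0 when pfiles(1) output on stdin shows a socket bound to the given port.
pfiles_listens_on_port() {
    grep -q "sockname:.*port: $1\$"
}

# Report every indicator on the live system; pfiles is run per process.
scan_live_system() {
    root=${1:-}
    wtmpx_mode_suspicious "$root/var/adm/wtmpx" && echo "wtmpx is mode 0646"
    drop_dirs_present "$root" && echo "worm drop directory present"
    cron_mentions_drop_dirs "$root" && echo "adm/lp crontab references drop dir"
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        pfiles "$pid" 2>/dev/null | pfiles_listens_on_port 32982 &&
            echo "pid $pid ($(ps -o comm= -p "$pid")) listens on port 32982"
    done
}
case "${1:-}" in --scan) scan_live_system "${2:-}" ;; esac
```

Run it as `sh check.sh --scan` on the live host, or `sh check.sh --scan /mnt/image` against a mounted root; the individual functions can also be sourced and pointed at a single file or directory.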

Update

For more information see the security blog.


Comments:

It appears from http://asert.arbornetworks.com/2007/02/solaris-telnet-scanning-possible-worm/ that it also puts files under /var/spool/lp/admins/.lp as well.

Posted by Alan Burlison on February 28, 2007 at 09:21 PM EST #

For those who have always wanted to convert to SSH, but could not kick the telnet habit, have a look at my SSH Cheat Sheet.

Posted by Tim Cook on March 01, 2007 at 09:06 AM EST #

The HTML for the security blog link is messed up.

Posted by Chris on March 01, 2007 at 09:20 AM EST #
