Alan Hargreaves' Blog

The ramblings of an Australian SaND TSC* Principal Field Technologist

in.telnetd exploit doing the rounds

I am hearing talk about an exploit of the in.telnetd issue doing the rounds. This affects Solaris 10 and Solaris Express.

References at sans.org and asert.arbornetworks.com

Now would be a particularly good to disable your telnet daemon:

# svcadm disable telnet

If you must run telnetd, then you need to get the patches referred to in Sun Alert 102802. The patches are freely available on sunsolve.

120068-03 SunOS 5.10_sparc: in.telnetd Patch
120069-03 SunOS 5.10_x86: in.telnetd Patch

In spite of what the README says, these patches do not require a reboot.

Some Details

While things are still sketchy, it looks like it propogates by connecting as both “adm” and “lp” and copies sparc and x86 binaries into /var/adm/sa/.adm, along with crontab entries for both of these users.

A quick check to see if you have been infected is to check the mode of /var/adm/wtmpx. If it is 0646 and you have the aforementoined directory, it is likely yoyu are infected.

First off, disable the telnet daemon as described above. Clear out the cron entries that were added for adm and lp. There will also be a program running listening on port 32982. It will likely be called the same name as the only non-dot-file in /var/adm/sa/.adm. Make sure you kill the right one, as they choose from a number of solaris daemons for the naming. Run pfiles on it to look for port 32982.

Update

For more information see the security blog.

Technorati Tags:
,
,
,

Advertisements

Written by Alan

February 27, 2007 at 11:34 pm

Posted in OpenSolaris

3 Responses

Subscribe to comments with RSS.

  1. It appears from http://asert.arbornetworks.com/2007/02/solaris-telnet-scanning-possible-worm/ that it also puts files under /var/spool/lp/admins/.lp as well.

    Alan Burlison

    February 28, 2007 at 2:21 am

  2. For those who have always wanted to convert to SSH, but could not kick the telnet habit, have a look at my

    SSH Cheat Sheet
    .

    Tim Cook

    February 28, 2007 at 2:06 pm

  3. The HTML for the security blog link is messed up.

    Chris

    February 28, 2007 at 2:20 pm


Comments are closed.

%d bloggers like this: