Solaris Telnet Scanning, Possible Worm?
Last night a team member found what appears to be a Sun Solaris telnet worm using this vulnerability. What’s kind of cute about the worm is that the strings contain a lot of old school messages, like the WANK worm, the Witty Worm, and a few others (including some to Gobbles). This morning on ATLAS we saw a pair of hosts scanning for Telnet servers. While this may seem like a throwback to days gone by, and maybe someone is starting from scratch in their exploit activity, this is related to a recent Solaris bug, specifically CVE-2007-0882 (the telnet “-froot” bug). Two boxes in the same subnet scanning for it and hitting ATLAS; reports from another site indicate another box on that same subnet scanning them.

Telnet "froot" attack: back to the future 1994 with AIX
This flaw has affected rlogin in AIX systems
Worm attacks Sun Solaris flaw
A worm has been spotted attacking a zero-day vulnerability found in Sun Microsystems' Solaris operating system (OS) earlier this month. The flaw, which could allow a malicious user access to a Solaris host, exists in versions 10 and 11, according to researchers at the SANS Internet Storm Center. The organization advised network administrators to turn off telnet access.
Source - SC Magazine
Telnet worm exploiting zero-day bug in Solaris
Arbor's Nazario says the worm tries to log into systems as the users "lp" or "adm" and then executes several shell commands "to set up shop and keep on truckin'." He calls the attack "very old school." Joel Esler, a contributor to the Internet Storm Center's online diary, says the center checked its own data and is seeing similar traffic from this worm.
Nazario recommends, "Better yet, just disable Telnet. It's 2007, after all."
Source - ITNews.com.au