[Dshield] DShield discovers first Telnetd exploit victim
Johannes B. Ullrich
jullrich at euclidian.com
Wed Jul 25 20:20:37 GMT 2001
Many of you have probably heard already that exploit code was
released a couple of days ago that allows remote root access to
many systems running telnet. I just got a reply to some
"Fightback" mail we sent out that indicates a worm using this
vulnerability is already on the loose and taking out systems.
A few notes:
- Don't run telnet. It is "by definition" insecure. While it
uses passwords to authenticate a user, none of the data,
including the passwords, is encrypted. Use 'ssh', the secure
equivalent of telnet, as an alternative.
- Even if you use passwords, this latest exploit uses a problem
in some versions of telnet that allows remote access without
So in short: DON'T USE TELNET...
Anyway, here is the anonymized mail (it came from a US university):
> There were two reports forwarded to me of ********.edu doing
> telnet port scans of remote networks. It was an early victim of the
> telnet daemon root compromise bug identified in a CERT advisory issued
> this morning.
> The machine was given to a Graduate Student to test out FreeBSD on to
> see if it did what he needed it to do. He determined it does do what
> he needs but plans were already in the works for me to do a "more
> formal" base OS install for him and he would re-do his work
> afterwards. I had him turn the machine off yesterday, I should have
> time to do the re-install tomorrow. As a routine part of my installs
> I turn off telnet access (we have lots of FreeBSD machines around,
> this was the only vulnerable one...).
> Sorry for the inconveniences.
And don't forget to sign up for Fightback ;-)...
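The forwarded report above identified the victim by its outbound telnet port scans. As an added example (not part of the original post or of DShield's own code), here is a small Python detector that flags any source hitting TCP port 23 on many distinct hosts in firewall log lines; the log lines and their format are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (not real traffic). Format is assumed:
# one connection attempt per line with source, destination, dest port, protocol.
SAMPLE_LOG = """\
2001-07-25 20:01:13 src=203.0.113.7 dst=192.0.2.10 dport=23 proto=tcp
2001-07-25 20:01:13 src=203.0.113.7 dst=192.0.2.11 dport=23 proto=tcp
2001-07-25 20:01:14 src=203.0.113.7 dst=192.0.2.12 dport=23 proto=tcp
2001-07-25 20:01:14 src=203.0.113.7 dst=192.0.2.13 dport=23 proto=tcp
2001-07-25 20:01:15 src=203.0.113.7 dst=192.0.2.14 dport=23 proto=tcp
2001-07-25 20:01:15 src=203.0.113.7 dst=192.0.2.15 dport=23 proto=tcp
2001-07-25 20:02:40 src=198.51.100.4 dst=192.0.2.10 dport=23 proto=tcp
2001-07-25 20:02:41 src=198.51.100.4 dst=192.0.2.10 dport=23 proto=tcp
2001-07-25 20:03:00 src=198.51.100.9 dst=192.0.2.20 dport=80 proto=tcp
2001-07-25 20:03:01 src=198.51.100.9 dst=192.0.2.21 dport=80 proto=tcp
2001-07-25 20:03:02 src=198.51.100.9 dst=192.0.2.22 dport=80 proto=udp
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^\S+ \S+ src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\S+)$"
)


def parse_lines(text):
    """Yield (src, dst, dport) for well-formed TCP lines; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("proto") == "tcp":
            yield m.group("src"), m.group("dst"), int(m.group("dport"))


def find_telnet_scanners(text, min_targets=5, port=23):
    """Return {src: sorted distinct destinations} for sources that hit `port`
    on at least `min_targets` distinct hosts. Repeated attempts against one
    host count once, so a client retrying one telnet session is not flagged."""
    targets = defaultdict(set)
    for src, dst, dport in parse_lines(text):
        if dport == port:
            targets[src].add(dst)
    return {s: sorted(d) for s, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    for src, hosts in find_telnet_scanners(SAMPLE_LOG).items():
        print(f"{src} probed port 23 on {len(hosts)} hosts ({hosts[0]} .. {hosts[-1]})")
```

A host that the detector flags is a candidate worm victim to take offline and reinstall, as the university did; the threshold and port are parameters so the same logic can watch other services.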
jullrich at sans.org Join http://www.DShield.org
Distributed Intrusion Detection System