[Dshield] DShield discovers first Telnetd exploit victim

Johannes B. Ullrich jullrich at euclidian.com
Wed Jul 25 20:20:37 GMT 2001


  Many of you probably heard already that exploit code was
released a couple of days ago that allows remote root access to
many systems running telnet. I just got a reply in on some
"Fightback" we sent out that indicates that a worm using this
vulnerability is already on the loose and taking out systems.

  A few notes:

- Don't run telnet. It is "by definition" insecure. While it
  uses passwords to authenticate a user, none of the data,
  including the passwords, is encrypted. Use 'ssh', the secure
  equivalent of telnet, as an alternative.

- Even if you use passwords: this latest exploit uses a problem
  in some versions of telnet that allows remote access without a
  password.

So in short: DON'T USE TELNET...

Anyway, here is the anonymized mail (came from a US University)

>
> There were two reports forwarded to me of ********.edu doing
> telnet port scans of remote networks.  It was an early victim of the
> telnet daemon root compromise bug identified in a CERT advisory issued
> this morning.
>
> The machine was given to a Graduate Student to test out FreeBSD on to
> see if it did what he needed it to do.  He determined it does do what
> he needs but plans were already in the works for me to do a "more
> formal" base OS install for him and he would re-do his work
> afterwards.  I had him turn the machine off yesterday, I should have
> time to do the re-install tomorrow.  As a routine part of my installs
> I turn off telnet access (we have lots of FreeBSD machines around,
> this was the only vulnerable one...).
>
> Sorry for the inconveniences.
>

And don't forget to sign up for fightback ;-)...


-- 
-------
jullrich at sans.org                    Join http://www.DShield.org
                          Distributed Intrusion Detection System
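The quoted report above shows how the compromised host was noticed: it started telnet port scans of remote networks. The following is an added example, not code from the original post or from DShield, that flags this kind of fan-out from a simple connection log. It assumes a constructed space-separated log format (epoch, source IP, destination IP, destination port); the sample lines are made up for illustration.

```python
"""Flag hosts that fan out to TCP/23 across many destinations.

Added example, not from the original post. Assumed log format:
"<epoch> <src_ip> <dst_ip> <dst_port>", one connection per line.
"""
from collections import defaultdict

TELNET_PORT = 23

# Constructed sample: 10.0.0.5 sweeps several hosts on port 23 (worm-like),
# while 10.0.0.9 makes one ordinary telnet and one ssh connection.
SAMPLE_LOG = """\
996091200 10.0.0.5 192.168.1.1 23
996091201 10.0.0.5 192.168.1.2 23
996091201 10.0.0.5 192.168.1.3 23
996091202 10.0.0.5 192.168.1.4 23
996091203 10.0.0.5 192.168.1.5 23
996091203 10.0.0.9 192.168.1.1 23
996091204 10.0.0.9 192.168.1.1 22
996091205 10.0.0.5 192.168.1.6 23
"""


def parse_line(line):
    """Return (ts, src, dst, port) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, src, dst, port = parts
    try:
        return int(ts), src, dst, int(port)
    except ValueError:
        return None


def telnet_fanout(log_text):
    """Map each source IP to the set of distinct hosts it contacted on 23."""
    fanout = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[3] != TELNET_PORT:
            continue  # skip garbage and non-telnet traffic
        fanout[rec[1]].add(rec[2])
    return fanout


def suspected_scanners(log_text, threshold=5):
    """Sources that touched at least `threshold` distinct hosts on TCP/23."""
    return sorted(src for src, dsts in telnet_fanout(log_text).items()
                  if len(dsts) >= threshold)
```

Running `suspected_scanners(SAMPLE_LOG)` on the constructed sample returns only the sweeping host; the threshold should be tuned to what normal telnet use looks like on your own network.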