[Dshield] DShield discovers first Telnetd exploit victim

Johannes B. Ullrich jullrich at euclidian.com
Wed Jul 25 21:52:58 GMT 2001

> > many systems running telnet. I just got a reply in on some
> > "Fightback" we sent out that indicates that a worm using this
> > vulnerability is already on the lose and taking out systems.
> I don't see any evidence there's a worm on the lose.
> What's your assumption based on ?

It's not certain until we got the actual exploit code in front of us. But
the assumption is based on a few 'signatures':
- the compromised system scanned a large IP segment sequentially.
- the owner of the system suspected a telnet exploit, and the system
  scanned for telnet itself.
- just the day before the exploit happened, some 'plug and play' code
  was released that would make building a worm like this easy.

so if anyone finds the code, let me know ;-)

jullrich at sans.org                    Join http://www.DShield.org
                                     Distributed Intrusion Detection System

More information about the list mailing list