[Dshield] DShield discovers first Telnetd exploit victim

Johannes B. Ullrich jullrich at euclidian.com
Wed Jul 25 21:52:58 GMT 2001


>...
> > many systems running telnet. I just got a reply in on some
> > "Fightback" we sent out that indicates that a worm using this
> > vulnerability is already on the lose and taking out systems.
>
> I don't see any evidence there's a worm on the lose.
> What's your assumption based on ?
>

It's not certain until we got the actual exploit code in front of us. But
the assumption is based on a few 'signatures':
- the compromised system scanned a large IP segment sequentially.
- the owner of the system suspected a telnet exploit, and the system
  scanned for telnet itself.
- just the day before the exploit happened, some 'plug and play' code
  was released that would make building a worm like this easy.

so if anyone finds the code, let me know ;-)



-- 
-------
jullrich at sans.org                    Join http://www.DShield.org
                                     Distributed Intrusion Detection System





More information about the list mailing list