[Dshield] DShield discovers first Telnetd exploit victim
Johannes B. Ullrich
jullrich at euclidian.com
Wed Jul 25 21:52:58 GMT 2001
> > many systems running telnet. I just got a reply in on some
> > "Fightback" we sent out that indicates that a worm using this
> > vulnerability is already on the loose and taking out systems.
> I don't see any evidence there's a worm on the loose.
> What's your assumption based on?
It's not certain until we get the actual exploit code in front of us. But
the assumption is based on a few 'signatures':
- the compromised system scanned a large IP segment sequentially.
- the owner of the system suspected a telnet exploit, and the system
scanned for telnet itself.
- just the day before the exploit happened, some 'plug and play' code
was released that would make building a worm like this easy.
So if anyone finds the code, let me know ;-)
jullrich at sans.org Join http://www.DShield.org
Distributed Intrusion Detection System
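
The first two 'signatures' in the message above (a source that scans for telnet while walking a large IP segment sequentially) can be checked against firewall logs. The following is an added example, not part of the original message or DShield's own code; the record layout (source, destination, destination port, in arrival order), the function name and the `min_run` threshold are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records: (source IP, destination IP, destination TCP port),
# listed in arrival order. Addresses come from the documentation ranges.
SAMPLE_LOG = (
    [("203.0.113.7", f"192.0.2.{h}", 23) for h in range(10, 18)]
    + [("203.0.113.7", "192.0.2.17", 23)]  # repeated probe to the same host
    + [("198.51.100.20", f"192.0.2.{h}", 23) for h in (50, 5, 200)]
    + [("198.51.100.30", f"192.0.2.{h}", 80) for h in range(1, 7)]
)


def sequential_telnet_scanners(records, port=23, min_run=5):
    """Return {source: longest run of consecutive destination addresses}
    for sources whose probes to `port` walk an address range in order."""
    targets = defaultdict(list)
    for src, dst, dport in records:
        if dport == port:
            # Compare addresses as integers so .255 -> next-subnet .0 still counts.
            targets[src].append(int(ipaddress.ip_address(dst)))

    flagged = {}
    for src, seq in targets.items():
        longest = run = 1
        for prev, cur in zip(seq, seq[1:]):
            if cur == prev:
                continue          # retry against the same host, run unchanged
            run = run + 1 if cur == prev + 1 else 1
            longest = max(longest, run)
        if longest >= min_run:
            flagged[src] = longest
    return flagged


if __name__ == "__main__":
    for src, run in sequential_telnet_scanners(SAMPLE_LOG).items():
        print(f"{src}: {run} consecutive hosts probed on tcp/23")
```

A hit here only shows scanning behaviour consistent with the signatures listed; as the message says, it does not confirm a worm without the exploit code.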