Wednesday Feb 28, 2007

Tracking Infected Telnet Worm Machines

Today, there has been a lot of discussion about the new telnet worm which exploits the recently announced telnet vulnerability in Solaris 10 and Nevada.

Aside from the usual recommendation that you should not be using telnet at all (use SSH instead), I would like to cast a vote for the use of IP Filter. IP Filter is quick and easy to configure and can help give you visibility into attacks such as this. Beyond its initial use as an enforcement point (blocking access to services such as telnet), IP Filter is also a great tool for seeing what other systems are attempting to do to yours.

An IP Filter log entry (as written by ipmon) for the telnet worm may look something like:

Feb 27 15:26:38 blackhole ipmon[100]: [ID 702911 local0.warning] 15:26:38.269526 ip.tun0 @0:11 b 192.168.1.112,55039 -> 192.168.19.6,23 PR tcp len 20 52 -S I

With this format, you could quickly whip up a script to tell you who is knocking on your system's telnet door (even if telnet happens to be disabled - which is the case on my system). See:

blackhole$ getent hosts `grep ipmon /var/adm/debug | grep " b " |\
   grep ",23 PR" | awk '{ print $13 }' | awk -F, '{ print $1 }' | sort -u`
10.1.42.252     europa
10.1.88.164     io
10.1.90.171     castor
10.3.29.39      pollux
192.168.174.48  orion
192.168.43.112  mercury
With just a little scripting, you can easily find the systems (particularly in an enterprise) that need some special love and attention.
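As an added example (not part of the original post), here is a small Python parser for the ipmon line format shown above. It counts blocked TCP SYNs to port 23 per source address instead of shelling out to grep/awk/getent, so it runs offline on the constructed sample lines embedded below; the field layout it assumes is the one in the log entry above.

```python
import re
from collections import Counter

# Constructed sample ipmon lines (not real traffic): blocked (b) and passed (p) entries.
SAMPLE_LOG = """\
Feb 27 15:26:38 blackhole ipmon[100]: [ID 702911 local0.warning] 15:26:38.269526 ip.tun0 @0:11 b 192.168.1.112,55039 -> 192.168.19.6,23 PR tcp len 20 52 -S I
Feb 27 15:26:41 blackhole ipmon[100]: [ID 702911 local0.warning] 15:26:41.103377 ip.tun0 @0:11 b 192.168.1.112,55040 -> 192.168.19.6,23 PR tcp len 20 52 -S I
Feb 27 15:27:02 blackhole ipmon[100]: [ID 702911 local0.warning] 15:27:02.551812 ip.tun0 @0:11 b 10.1.42.252,40211 -> 192.168.19.6,23 PR tcp len 20 52 -S I
Feb 27 15:27:05 blackhole ipmon[100]: [ID 702911 local0.notice] 15:27:05.000912 ip.tun0 @0:3 p 10.1.42.252,40212 -> 192.168.19.6,22 PR tcp len 20 52 -S IN
Feb 27 15:27:09 blackhole ipmon[100]: [ID 702911 local0.warning] 15:27:09.771233 ip.tun0 @0:11 b 10.3.29.39,1030 -> 192.168.19.6,23 PR udp len 20 48 IN
"""

# After the syslog prefix: timestamp, interface, @group:rule, action (b/p), src,port -> dst,port, PR proto, flags.
IPMON_RE = re.compile(
    r"ipmon\[\d+\]:.*?"
    r"(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<iface>\S+)\s+@(?P<rule>\S+)\s+"
    r"(?P<action>[bp])\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+),(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\w+)"
    r"(?:.*?\s(?P<flags>-[A-Z]+))?"   # TCP flags such as -S are optional (absent for UDP)
)

def parse_ipmon(line):
    """Return a dict of fields for one ipmon line, or None if the line is not one."""
    m = IPMON_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"] = int(d["sport"])
    d["dport"] = int(d["dport"])
    return d

def telnet_knockers(log_text, dport=23):
    """Count blocked TCP SYNs per source address aimed at dport (23 = telnet).
    Passed packets and non-TCP probes are ignored, so a UDP hit does not show up."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_ipmon(line)
        if rec and rec["action"] == "b" and rec["proto"] == "tcp" \
                and rec["dport"] == dport and "S" in (rec["flags"] or ""):
            counts[rec["src"]] += 1
    return counts.most_common()

if __name__ == "__main__":
    for src, n in telnet_knockers(SAMPLE_LOG):
        print(f"{src:16} {n} blocked SYN(s) to port {23}")
```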

About

gbrunett
