in.telnetd exploit doing the rounds
By Alan Hargreaves-Oracle on Feb 28, 2007
I am hearing talk about an exploit of the in.telnetd issue doing the rounds. This affects Solaris 10 and Solaris Express.
Now would be a particularly good to disable your telnet daemon:
# svcadm disable telnet
If you must run telnetd, then you need to get the patches referred to in Sun Alert 102802. The patches are freely available on sunsolve.
120068-03 SunOS 5.10_sparc: in.telnetd Patch 120069-03 SunOS 5.10_x86: in.telnetd Patch
In spite of what the README says, these patches do not require a reboot.
While things are still sketchy, it looks like it propogates by connecting as both "adm" and "lp" and copies sparc and x86 binaries into /var/adm/sa/.adm, along with crontab entries for both of these users.
A quick check to see if you have been infected is to check the mode of /var/adm/wtmpx. If it is 0646 and you have the aforementoined directory, it is likely yoyu are infected.
First off, disable the telnet daemon as described above. Clear out the cron entries that were added for adm and lp. There will also be a program running listening on port 32982. It will likely be called the same name as the only non-dot-file in /var/adm/sa/.adm. Make sure you kill the right one, as they choose from a number of solaris daemons for the naming. Run pfiles on it to look for port 32982.