Alan Hargreaves's Weblog

in.telnetd exploit doing the rounds

Alan Hargreaves
Senior Principal Technical Support Engineer

I am hearing talk about an exploit of the in.telnetd issue doing the rounds. This affects Solaris 10 and Solaris Express.

References at sans.org and asert.arbornetworks.com

Now would be a particularly good to disable your telnet daemon:

# svcadm disable telnet

If you must run telnetd, then you need to get the patches referred to in Sun Alert 102802. The patches are freely available on sunsolve.

120068-03 SunOS 5.10_sparc: in.telnetd Patch
120069-03 SunOS 5.10_x86: in.telnetd Patch

In spite of what the README says, these patches do not require a reboot.

Some Details

While things are still sketchy, it looks like it propogates by connecting as both "adm" and "lp" and copies sparc and x86 binaries into /var/adm/sa/.adm, along with crontab entries for both of these users.

A quick check to see if you have been infected is to check the mode of /var/adm/wtmpx. If it is 0646 and you have the aforementoined directory, it is likely yoyu are infected.

First off, disable the telnet daemon as described above. Clear out the cron entries that were added for adm and lp. There will also be a program running listening on port 32982. It will likely be called the same name as the only non-dot-file in /var/adm/sa/.adm. Make sure you kill the right one, as they choose from a number of solaris daemons for the naming. Run pfiles on it to look for port 32982.


For more information see the security blog.

Technorati Tags:

Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.