Solaris Telnet Worm 

Feb 28, 2007 03:00 AM

Soon after information was released about a vulnerability in the in.telnetd daemon in Solaris 10, Symantec's DeepSight monitoring system began to see spikes in port 23 traffic. Most of this traffic was due to people scanning for vulnerable systems. However, yesterday we saw a renewed spike in traffic that has been correlated to a worm known as Wanuk, which uses the vulnerability to spread.

Once Wanuk is on the system, it drops an executable that creates a /bin/sh back door, which listens on port 32982/TCP. In addition, Wanuk's payload includes sending out system broadcast messages of creatively designed shout-outs to a variety of security researchers. Here is one of our favorites.

The broadcast will only happen one-third of the time at noon on the 13th of the month if the threat starts between 1 am and 5 am. Those affected should ensure they have patched, or disabled telnet as a workaround.

Thanks to Jose Nazario at Arbor Networks for providing information regarding this threat.
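
For administrators checking their own hosts, here is an added example (not part of the original post, and not Symantec's tooling) that reads `netstat -an` output and flags a listener on the back door port 32982/TCP or on telnet. The function name, variable names, message wording and sample rows are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): flag TCP listeners on the
# Wanuk back door port and on telnet in `netstat -an` output.

BACKDOOR_PORT=32982   # back door port named in the post
TELNET_PORT=23        # service the worm spreads through

# check_listeners: read `netstat -an` text on stdin, print one finding per line.
# Solaris and BSD print local addresses as "*.32982", Linux as "0.0.0.0:32982".
check_listeners() {
    "${AWK:-awk}" -v bd="$BACKDOOR_PORT" -v tn="$TELNET_PORT" '
        /LISTEN/ {
            # Linux/BSD rows start with the protocol; Solaris rows start
            # with the local address itself.
            addr = ($1 ~ /^tcp/) ? $4 : $1
            # The port is whatever follows the last "." or ":".
            n = split(addr, part, /[.:]/)
            port = part[n]
            if (port == bd)
                print "ALERT back door port " bd "/tcp listening on " addr
            else if (port == tn)
                print "WARN telnet " tn "/tcp listening on " addr
        }'
}

# Constructed sample input: Solaris-style rows followed by Linux-style rows.
SAMPLE_NETSTAT='
      *.23                 *.*                0      0 49152      0 LISTEN
      *.22                 *.*                0      0 49152      0 LISTEN
      *.32982              *.*                0      0 49152      0 LISTEN
192.0.2.10.22        192.0.2.77.51234     49640      0 49640      0 ESTABLISHED
tcp        0      0 0.0.0.0:32982           0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:40000        192.0.2.77:32982        ESTABLISHED
'

printf '%s\n' "$SAMPLE_NETSTAT" | check_listeners
```

On a live host, run `netstat -an | check_listeners`. On Solaris 10, set `AWK=nawk`, because the default `/usr/bin/awk` there is the older awk and does not accept this program.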
