[Fwd: [expert] First Code Red(Win) and Now Telnet Worm X.c (BSD) OT FYI]
Mike Rambo
mrambo@lsd.k12.mi.us
Fri, 07 Sep 2001 07:25:35 -0400
Just saw this on the Mandrake list. I know some of you use BSD - thought
you might be interested.
--
Mike Rambo
mrambo@lsd.k12.mi.us
-------- Original Message --------
Subject: [expert] First Code Red(Win) and Now Telnet Worm X.c (BSD) OT FYI
Date: Thu, 6 Sep 2001 22:28:49 -0500
From: Sergio Korlowsky <xe2xpk@nld.bravo.net>
Reply-To: expert@linux-mandrake.com
Organization: SedeComp Communications Internet Solutions
To: expert@linux-mandrake.com
After all the noise about Code Red, here comes a new one, this time aimed at BSD (Only?)
I thought you guys (and Gals) might like to be informed!
=====================================================================
Telnet Worm X.c
---------------
http://www.nipc.gov/warnings/assessments/2001/01-019.htm
NIPC has released an advisory concerning a worm that propagates via
a buffer overflow vulnerability in BSD-derived telnet daemons. This
vulnerability was discovered by TESO security and is described in a July 24
CERT advisory: http://www.cert.org/advisories/CA-2001-21.html
Handler's Diary coverage of the vulnerability is here:
http://www.incidents.org/diary/july2001.php#241
The worm code was recovered a couple of weeks ago. However, DShield
has not recorded any significant levels of telnet activity suggesting
that the worm is actively propagating in the wild. The table below
shows statistics for the telnet port recorded over the past month by
DShield. The last column gives the number of unique sources reported
as sending at least one telnet probe on the date indicated.
Date       #Probes #Sources
---------- ------- --------
2001-07-30     209       39
2001-07-31     547       40
2001-08-01     559       33
2001-08-02     649       43
2001-08-03     783       45
2001-08-04     472       44
2001-08-05    1005       39
2001-08-06     979       42
2001-08-07     227       27
2001-08-08    1725       54
2001-08-09     281       28
2001-08-10    2312       64
2001-08-11     517       35
2001-08-12     103       37
2001-08-13     660       44
2001-08-14    3436       36
2001-08-15     156       30
2001-08-16    2208       46
2001-08-17     490       48
2001-08-18     371       45
2001-08-19    2081       45
2001-08-20     675       46
2001-08-21     860       33
2001-08-22    1049       15
2001-08-23     540       26
2001-08-24     364       31
2001-08-25    1304       32
2001-08-26     459       42
2001-08-27    1171       31
2001-08-28     381       42
2001-08-29    1147       47
2001-08-30     137       28
2001-08-31    3496       23
The telnet worm configures compromised hosts to serve a root shell
from port 145/tcp, and scans random IP addresses on the telnet port
in order to find new victims.
William Stearns has created a tool which will detect the x.c worm and
remove it from infected systems. The tool may be found here:
http://www.ists.dartmouth.edu/IRIA/knowledge_base/tools/xcfind.htm
Dartmouth's main page, which offers additional worm detection and removal
tools, is here:
http://www.ists.dartmouth.edu/IRIA/knowledge_base/index.htm
SK
--
SedeComp Comunicaciones Internet Solutions
MandrakeSoft's VAR and System Integrator
mailto:sedecomp@nld.cybercable.net.mx
OpenPGP key available on: http://www.keyserver.net/en/
|--------------------------------------------------------------|
Current Linux kernel 2.4.8-12mdk uptime: 1 day 1 hour 5 minutes.
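Two checks that follow from the forwarded advisory, written here as an added example (this is not NIPC, DShield, Dartmouth or William Stearns' code). The first reads the DShield table quoted above and asks whether the pool of scanning sources is growing, which is the signature of a self-propagating worm: each victim becomes a new scanner, so #Sources should climb day over day, whereas a few aggressive scanners only inflate #Probes. The second applies the worm behaviour the advisory describes (random telnet scanning plus a root shell bound to 145/tcp) to connection-log lines. The log line format, the sample traffic and the ten-distinct-target scan threshold are assumptions made for this example.

```python
"""Added example: (1) test the DShield telnet table for growth in
scanning sources, (2) flag hosts that behave like an x.c victim.
The log format and scan threshold below are assumptions."""
import re
from collections import defaultdict

# Daily 23/tcp statistics exactly as quoted in the advisory above.
DSHIELD_TABLE = (
    "2001-07-30 209 39, 2001-07-31 547 40, 2001-08-01 559 33, 2001-08-02 649 43, "
    "2001-08-03 783 45, 2001-08-04 472 44, 2001-08-05 1005 39, 2001-08-06 979 42, "
    "2001-08-07 227 27, 2001-08-08 1725 54, 2001-08-09 281 28, 2001-08-10 2312 64, "
    "2001-08-11 517 35, 2001-08-12 103 37, 2001-08-13 660 44, 2001-08-14 3436 36, "
    "2001-08-15 156 30, 2001-08-16 2208 46, 2001-08-17 490 48, 2001-08-18 371 45, "
    "2001-08-19 2081 45, 2001-08-20 675 46, 2001-08-21 860 33, 2001-08-22 1049 15, "
    "2001-08-23 540 26, 2001-08-24 364 31, 2001-08-25 1304 32, 2001-08-26 459 42, "
    "2001-08-27 1171 31, 2001-08-28 381 42, 2001-08-29 1147 47, 2001-08-30 137 28, "
    "2001-08-31 3496 23"
)


def parse_table(text):
    """Return [(date, probes, sources), ...] from the comma-joined table."""
    rows = []
    for entry in text.split(","):
        date, probes, sources = entry.split()
        rows.append((date, int(probes), int(sources)))
    return rows


def source_growth_per_day(text):
    """Least-squares slope of #Sources against the day index.
    A spreading worm makes this clearly positive; flat or negative
    means the probes come from a fixed pool of scanners."""
    rows = parse_table(text)
    n = len(rows)
    mean_x = (n - 1) / 2
    mean_y = sum(r[2] for r in rows) / n
    sxy = sum((x - mean_x) * (r[2] - mean_y) for x, r in enumerate(rows))
    sxx = sum((x - mean_x) ** 2 for x in range(n))
    return sxy / sxx


def noisiest_day(text):
    """Date with the most probes per reporting source: a spike driven
    by a few busy scanners, not by many new victims."""
    return max(parse_table(text), key=lambda r: r[1] / r[2])[0]


# Constructed connection log (not real traffic). 10.0.0.5 probes twelve
# unrelated addresses on 23/tcp and then takes an inbound 145/tcp
# connection; 10.0.0.9 is an admin using telnet normally.
SCAN_TARGETS = (["198.51.100.%d" % n for n in (7, 33, 91)]
                + ["203.0.113.%d" % n for n in (5, 14, 61, 77)]
                + ["192.0.2.%d" % n for n in (3, 18, 40, 66, 99)])
LOG = (
    ["2001-09-06T22:10:%02d src=10.0.0.5 dst=%s dport=23 proto=tcp" % (i, ip)
     for i, ip in enumerate(SCAN_TARGETS)]
    + ["2001-09-06T22:11:00 src=10.0.0.9 dst=10.0.0.20 dport=23 proto=tcp",
       "2001-09-06T22:11:05 src=10.0.0.9 dst=10.0.0.21 dport=23 proto=tcp",
       "2001-09-06T22:12:40 src=203.0.113.4 dst=10.0.0.5 dport=145 proto=tcp",
       "2001-09-06T22:13:02 src=10.0.0.9 dst=10.0.0.22 dport=80 proto=tcp"]
)

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")
TELNET_PORT = 23
BACKDOOR_PORT = 145   # root shell port named in the advisory
SCAN_THRESHOLD = 10   # assumed: distinct telnet targets that mark a scanner


def detect_xc_behaviour(lines, scan_threshold=SCAN_THRESHOLD):
    """Return sources that scan telnet widely and hosts that accepted a
    connection on the backdoor port."""
    telnet_targets = defaultdict(set)
    backdoor_hosts = set()
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        if dport == TELNET_PORT:
            telnet_targets[src].add(dst)
        elif dport == BACKDOOR_PORT:
            backdoor_hosts.add(dst)
    scanners = {s for s, t in telnet_targets.items() if len(t) >= scan_threshold}
    return {"scanners": scanners, "backdoor_hosts": backdoor_hosts}


if __name__ == "__main__":
    print("sources/day slope:", round(source_growth_per_day(DSHIELD_TABLE), 3))
    print("noisiest day:", noisiest_day(DSHIELD_TABLE))
    print(detect_xc_behaviour(LOG))
```

On the quoted table the slope of #Sources is slightly negative (about -0.3 sources per day) while the largest probe day, 2001-08-31, comes from only 23 sources, which is the pattern the advisory reads as "no significant propagation". A host that both scans telnet widely and accepts connections on 145/tcp is the case to hand to xcfind.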