From: Geoff McDonald <Geoff_McDonald@symantec.com>
To: freebsd-security@freebsd.org
Date: Tue, 27 Mar 2012 08:55:09 -0700
Subject: Telnet virus?

A few days before Christmas (Dec 23, 2011) you guys pushed out a critical remote-code-execution patch affecting Telnet (FreeBSD-SA-11:08.telnetd, CVE-2011-4862), and Colin Percival noted that the unusual patch timing was forced by exploitation of the vulnerability in the wild.

Starting December, we have seen the number of firewall hits on Port 23 TCP more than double, to around the same number of events as the pretty large Morto RDP bruteforcing worm on 3389. This level of activity could be associated with a worm.

By any chance do you have more information about the exploitation of the patched Telnet vulnerability in the wild? Does anyone happen to have a sample of the worm if there is one? I understand this issue is not specific to FreeBSD; it is just that you guys seemed to be the first people to patch the issue and were the ones to report it being actively exploited in the wild.

References:
http://lists.freebsd.org/pipermail/freebsd-security/2011-December/006117.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4862
http://security.freebsd.org/advisories/FreeBSD-SA-11:08.telnetd.asc

---
Geoff McDonald
Threat Analyst
Symantec Corporation
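The observation in the post above (port 23 TCP hits doubling against a prior baseline, compared side by side with the port 3389 noise from Morto) is the kind of trend a firewall-log review can surface automatically. The following Python script is an added example and is not part of the original post or of any FreeBSD or Symantec tooling. It parses a constructed, simplified "block in" log format (the exact line layout, the `parse_line`/`monthly_port_counts`/`flag_surges` names, the 2x factor and the five-hit floor are all assumptions; real pflog or ipfw output needs its own regular expression), aggregates blocked inbound TCP hits per destination port per month, and flags any port whose hit count at least doubled relative to the baseline month.

```python
"""Per-port firewall hit trending: flag ports whose inbound hit count doubled
month over month.  Added example; the log format, sample data and thresholds
are constructed assumptions, not the original post's data or any real tool's
output format."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed (constructed) line format:
#   "<YYYY-MM-DD HH:MM:SS> block in <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) block in (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def constructed_lines(day, dport, n):
    """Build n synthetic log lines hitting dport on the given day (constructed test data)."""
    return [
        f"{day} 0{i % 10}:00:00 block in tcp 198.51.100.{i + 1}:5{i:04d} -> 203.0.113.5:{dport}"
        for i in range(n)
    ]


# Constructed sample: November baseline, then a December rise on port 23 only.
SAMPLE_LOG = (
    constructed_lines("2011-11-15", 23, 3)
    + constructed_lines("2011-11-15", 3389, 6)
    + constructed_lines("2011-11-16", 22, 2)
    + constructed_lines("2011-12-20", 23, 7)
    + constructed_lines("2011-12-20", 3389, 6)
    + constructed_lines("2011-12-21", 22, 2)
)


def parse_line(line):
    """Return a dict with timestamp, protocol and destination port, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "proto": m["proto"],
        "dport": int(m["dport"]),
    }


def monthly_port_counts(lines, proto="tcp"):
    """Aggregate blocked hits as month -> destination port -> count, for one protocol."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == proto:
            counts[rec["ts"].strftime("%Y-%m")][rec["dport"]] += 1
    return counts


def flag_surges(counts, baseline_month, current_month, factor=2.0, min_hits=5):
    """Return {port: (baseline_hits, current_hits)} for ports that grew by at least
    `factor` versus the baseline month.  A port unseen in the baseline is compared
    against 1 so a brand-new scanner is not divided by zero, and `min_hits` keeps
    tiny counts (2 -> 4) from being reported as a surge."""
    base = counts.get(baseline_month, {})
    cur = counts.get(current_month, {})
    flagged = {}
    for port, hits in cur.items():
        prev = base.get(port, 0)
        if hits >= min_hits and hits >= factor * max(prev, 1):
            flagged[port] = (prev, hits)
    return flagged


if __name__ == "__main__":
    counts = monthly_port_counts(SAMPLE_LOG)
    for port, (prev, now) in sorted(flag_surges(counts, "2011-11", "2011-12").items()):
        print(f"tcp/{port}: {prev} hits in 2011-11 -> {now} hits in 2011-12")
```

Run against the constructed sample, only tcp/23 is reported (3 hits in November, 7 in December); tcp/3389 stays flat and tcp/22 sits below the floor. A port that trips this check is a prompt to confirm that the service behind it is patched or not exposed at all; for telnetd the advisory linked in the post is the reference.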