From owner-freebsd-security Mon May 6 12:38:24 2002
Message-ID: <135YGUD5H2YCVJ3JLY3L2CMBQCXYNOQCEADYX2T5@ziplip.com>
Date: Mon, 6 May 2002 12:37:22 -0700 (PDT)
From: SolarfluX
Reply-To: solarflux@ziplip.com
To: security@freebsd.org
Subject: Re: Telnet Exploit

Why in the world are you using telnetd anyhow? You should be using SSHD
and never telnetd. Telnetd should be 'forbidden'...

Did you log in from the internet to your gateway via telnet during that
three-hour period? Did you run tcpdump or ssldump
(http://www.rtfm.com/ssldump/) to see where the traffic is coming from?

Don't jump to conclusions before you acquire some data...

-S

> -----Original Message-----
> From: Dylan A. Reinhold [mailto:Dylan@ocnetworking.com]
> Sent: Monday, May 06, 2002, 12:04 PM
> To: security@freebsd.org
> Subject: Telnet Exploit
>
> I think I just got hit with a telnet exploit. I noticed some network
> activity on my cable modem. Logged in my gateway, ran 'w', no one else, but
> ran 'top', I had telnetd running. In my security logs I found this:
>
> May 5 16:27:45 cx17105-b /kernel: ipfw: 4000 Accept TCP 211.234.111.226:58981 68**.**.**:23 in via ep0
> May 5 16:27:46 cx17105-b /kernel: ipfw: 4000 Accept TCP 211.234.111.226:59085 68.**.**.**:23 in via ep0
> May 5 16:27:47 cx17105-b /kernel: ipfw: 4000 Accept TCP 211.234.111.226:59086 **.**.**:23 in via ep0
>
> I'm running stable, what gives???? The worst part was I only had Telnet
> enabled for 3 hours....
>
> $uname -a
> FreeBSD cx17105-b 4.5-STABLE FreeBSD 4.5-STABLE #2: Mon Apr 8 20:07:25 PDT 2002 root@cx17105-b:/usr/obj/usr/src/sys/SPUD i386
>
> Thanks,
> Dylan
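The ipfw log lines quoted in Dylan's post are the data SolarfluX asks for. As an added example (not code from either poster), this parses that FreeBSD 4.x ipfw kernel log format and counts accepted inbound TCP/23 connections per source outside an assumed trusted LAN range. The sample lines are constructed with RFC 5737 documentation addresses, and the trusted network is an assumption.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# FreeBSD 4.x ipfw kernel log format as quoted in the thread:
#   "ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> in via <iface>"
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\w+)"
)

# Constructed sample lines (RFC 5737 addresses), same shape as the quoted log.
SAMPLE_LOG = """\
May  5 16:27:45 gw /kernel: ipfw: 4000 Accept TCP 198.51.100.7:58981 192.0.2.10:23 in via ep0
May  5 16:27:46 gw /kernel: ipfw: 4000 Accept TCP 198.51.100.7:59085 192.0.2.10:23 in via ep0
May  5 16:27:47 gw /kernel: ipfw: 4000 Accept TCP 198.51.100.7:59086 192.0.2.10:23 in via ep0
May  5 16:30:01 gw /kernel: ipfw: 4000 Accept TCP 10.1.0.5:40011 192.0.2.10:23 in via ep1
May  5 16:31:12 gw /kernel: ipfw: 4100 Deny TCP 203.0.113.9:1234 192.0.2.10:23 in via ep0
May  5 16:32:00 gw /kernel: ipfw: 4000 Accept TCP 198.51.100.7:59100 192.0.2.10:22 in via ep0
"""

TRUSTED_NETS = [ip_network("10.0.0.0/8")]  # assumed LAN side, not counted as external

def parse_ipfw(line):
    """Return the ipfw fields of a syslog line as a dict, or None if not ipfw."""
    m = IPFW_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec.update({k: int(rec[k]) for k in ("rule", "sport", "dport")})
    return rec

def external_telnet_accepts(log_text, trusted=TRUSTED_NETS):
    """Count accepted inbound TCP connections to port 23 per untrusted source."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_ipfw(line)
        if rec is None or rec["action"] != "Accept" or rec["proto"] != "TCP":
            continue  # denied, non-TCP or non-ipfw lines are not telnet sessions
        if rec["dir"] != "in" or rec["dport"] != 23:
            continue
        if any(ip_address(rec["src"]) in net for net in trusted):
            continue
        hits[rec["src"]] += 1
    return hits

if __name__ == "__main__":
    for src, n in external_telnet_accepts(SAMPLE_LOG).most_common():
        print(f"{src}: {n} accepted telnet connection(s) from outside")
```

Run against /var/log/security on the gateway, a non-empty result for a host you did not log in from is the signal to collect a tcpdump capture before drawing conclusions.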