Date: Mon, 6 May 2002 13:47:54 -0600
From: "Dalin S. Owen" <dowen@pstis.com>
To: security@freebsd.org
Subject: Re: Telnet Exploit
Message-ID: <200205061347.54915.dowen@pstis.com>
In-Reply-To: <135YGUD5H2YCVJ3JLY3L2CMBQCXYNOQCEADYX2T5@ziplip.com>
References: <135YGUD5H2YCVJ3JLY3L2CMBQCXYNOQCEADYX2T5@ziplip.com>
On May 6, 2002 01:37 pm, SolarfluX wrote:
> Why in the world are you using telnetd anyhow? You should be using SSHD
> and never telnetd. Telnetd should be 'forbidden'...

So if we are going to do away with telnetd, we should scrap FTP and SMTP then.. as they are garbage protocols. We can not have that attitude. Why do you think FreeBSD still ships with rlogin? To maintain backward compatibility with older systems.

> > I think I just got hit with a telnet exploit. I noticed some network
> > activity on my cable modem, Logged in my gateway ran 'w' no one else but
> >
> > ran 'top' I had telnetd running, in my security logs I found this:
> >
> > May 5 16:27:45 cx17105-b /kernel: ipfw: 4000 Accept TCP
> > 211.234.111.226:58981 68**.**.**:23 in via ep0
> > May 5 16:27:46 cx17105-b /kernel: ipfw: 4000 Accept TCP
> > 211.234.111.226:59085 68.**.**.**:23 in via ep0
> > May 5 16:27:47 cx17105-b /kernel: ipfw: 4000 Accept TCP
> > 211.234.111.226:59086 **.**.**:23 in via ep0
> >
> > I'm running stable what gives???? The worst part was I only had Telnet
> > enabled for 3 hours....
> >
> > $uname -a
> > FreeBSD cx17105-b 4.5-STABLE FreeBSD 4.5-STABLE #2: Mon Apr 8 20:07:25
> > PDT 2002 root@cx17105-b:/usr/obj/usr/src/sys/SPUD i386
> >
> > Thanks,
> > Dylan
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

If you are running 4.5-STABLE, you shouldn't have anything to worry about... those logs look like the result of a "ipfw log allow tcp from any to any 23 setup" or similar command. You are probably fine. But if you are truly paranoid: Try running "sockstat" to see if there is anything bound to a socket that you did not put there. Check your firewall (if you have one). Did you have any sort of filesystem integrity toolkit installed like tripwire or aide? Try running that.. look in /tmp for rootkit remains.. we need more information than messages/dmesg/etc.

Cya,
Dalin Owen
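A small triage helper for the ipfw log lines quoted above, added here as an example and not part of the thread: it reads "Accept TCP ... in via" lines and summarises inbound connections to a given port by source address with the first and last timestamp, so a burst of setup packets from one host (as in the quoted log) stands out from a scatter of unrelated hits. The sample log is constructed from the format shown in the message; the destination address 192.0.2.1 is a placeholder for the masked one.

```shell
#!/bin/sh
# Constructed sample in the ipfw log format quoted in the thread.
# 192.0.2.1 stands in for the masked destination address.
SAMPLE_LOG=$(cat <<'EOF'
May 5 16:27:45 cx17105-b /kernel: ipfw: 4000 Accept TCP 211.234.111.226:58981 192.0.2.1:23 in via ep0
May 5 16:27:46 cx17105-b /kernel: ipfw: 4000 Accept TCP 211.234.111.226:59085 192.0.2.1:23 in via ep0
May 5 16:27:47 cx17105-b /kernel: ipfw: 4000 Accept TCP 211.234.111.226:59086 192.0.2.1:23 in via ep0
May 5 16:30:02 cx17105-b /kernel: ipfw: 4000 Accept TCP 10.0.0.5:40000 192.0.2.1:22 in via ep0
May 5 16:31:10 cx17105-b /kernel: ipfw: 4000 Accept TCP 198.51.100.7:1234 192.0.2.1:23 in via ep0
EOF
)

# port_hits PORT: read ipfw log lines on stdin and print
# "COUNT SRC FIRST_TIME LAST_TIME" for inbound TCP accepts to PORT,
# busiest source first. Only lines logged as "in via <iface>" count.
port_hits() {
    port="$1"
    awk -v port="$port" '
        /ipfw:/ && /Accept TCP/ && / in via / {
            # Layout: ... Accept TCP SRC:SPORT DST:DPORT in via IFACE
            for (i = 1; i <= NF; i++)
                if ($i == "TCP") { src = $(i + 1); dst = $(i + 2) }
            split(dst, d, ":"); split(src, s, ":")
            if (d[2] != port) next
            ip = s[1]
            if (!(ip in count)) first[ip] = $3   # $3 is the HH:MM:SS field
            count[ip]++; last[ip] = $3
        }
        END {
            for (ip in count) print count[ip], ip, first[ip], last[ip]
        }
    ' | sort -rn
}

# Typical use on a live box would be:  port_hits 23 < /var/log/security
printf '%s\n' "$SAMPLE_LOG" | port_hits 23
```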
