Date:      Mon, 6 May 2002 13:47:54 -0600
From:      "Dalin S. Owen" <dowen@pstis.com>
To:        security@freebsd.org
Subject:   Re: Telnet Exploit
Message-ID:  <200205061347.54915.dowen@pstis.com>
In-Reply-To: <135YGUD5H2YCVJ3JLY3L2CMBQCXYNOQCEADYX2T5@ziplip.com>
References:  <135YGUD5H2YCVJ3JLY3L2CMBQCXYNOQCEADYX2T5@ziplip.com>

On May 6, 2002 01:37 pm, SolarfluX wrote:
> Why in the world are you using telnetd anyhow?  You should be using SSHD
> and never telnetd.  Telnetd should be 'forbidden'...

So if we are going to do away with telnetd, we should scrap FTP and SMTP
then.. as they are garbage protocols.

We cannot have that attitude.  Why do you think FreeBSD still ships with
rlogin?  To maintain backward compatibility with older systems.

> > I think I just got hit with a telnet exploit. I noticed some network
> > activity on my cable modem, logged in my gateway, ran 'w', no one else but
> >
> > ran 'top', I had telnetd running, in my security logs I found this:
> >
> > May  5 16:27:45 cx17105-b /kernel: ipfw: 4000 Accept TCP
> > 211.234.111.226:58981 68**.**.**:23 in via ep0
> > May  5 16:27:46 cx17105-b /kernel: ipfw: 4000 Accept TCP
> > 211.234.111.226:59085 68.**.**.**:23 in via ep0
> > May  5 16:27:47 cx17105-b /kernel: ipfw: 4000 Accept TCP
> > 211.234.111.226:59086 **.**.**:23 in via ep0
> >
> > I'm running stable, what gives???? The worst part was I only had Telnet
> > enabled for 3 hours....
> >
> > $uname -a
> > FreeBSD cx17105-b 4.5-STABLE FreeBSD 4.5-STABLE #2: Mon Apr  8 20:07:25
> > PDT 2002     root@cx17105-b:/usr/obj/usr/src/sys/SPUD  i386
> >
> > Thanks,
> > Dylan



If you're running 4.5-STABLE, you shouldn't have anything to worry about...  those
logs look like the result of a "ipfw log allow tcp from any to any 23 setup"
or similar command.  You are probably fine.

But if you are truly paranoid: Try running "sockstat" and see if there is
anything bound to a socket that you did not put there.  Check your firewall
(if you have one). Did you have any sort of filesystem integrity toolkit
installed like tripwire or aide?  Try running that.. look in /tmp for rootkit
remains.. we need more information than messages/dmesg/etc.

Cya,
Dalin Owen
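The ipfw log lines Dylan quoted, run through a small parser added here as an example (not code from anyone in this thread) that tallies accepted inbound connections per source address and destination port. The masked destination address is replaced with a documentation-range placeholder (192.0.2.10), and the sample lines are constructed to mirror the thread; a run of "4000 Accept" entries on port 23 shows the log rule firing, which by itself says nothing about a compromise.

```python
import re
from collections import Counter

# Matches the ipfw log format seen in the thread, e.g.
#   "May  5 16:27:45 host /kernel: ipfw: 4000 Accept TCP 211.234.111.226:58981 192.0.2.10:23 in via ep0"
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)


def parse_ipfw_line(line):
    """Return the fields of one ipfw log line as a dict, or None if it is not one."""
    m = IPFW_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def summarize(lines, watch_ports=(23,)):
    """Count accepted inbound connections per (source, destination port).

    Only ports in watch_ports are counted, so a burst of connections to a
    service you only meant to expose briefly (telnet here) stands out.
    """
    counts = Counter()
    for line in lines:
        rec = parse_ipfw_line(line)
        if rec and rec["dir"] == "in" and rec["action"] == "Accept" \
                and rec["dport"] in watch_ports:
            counts[(rec["src"], rec["dport"])] += 1
    return dict(counts)


# Constructed sample modelled on the thread; the masked destination address is
# replaced with 192.0.2.10, and two unrelated lines are added to show filtering.
SAMPLE_LOG = """\
May  5 16:27:45 cx17105-b /kernel: ipfw: 4000 Accept TCP 211.234.111.226:58981 192.0.2.10:23 in via ep0
May  5 16:27:46 cx17105-b /kernel: ipfw: 4000 Accept TCP 211.234.111.226:59085 192.0.2.10:23 in via ep0
May  5 16:27:47 cx17105-b /kernel: ipfw: 4000 Accept TCP 211.234.111.226:59086 192.0.2.10:23 in via ep0
May  5 16:28:01 cx17105-b /kernel: ipfw: 4000 Accept TCP 192.0.2.10:44120 198.51.100.5:22 out via ep0
May  5 16:28:05 cx17105-b sshd[123]: Accepted publickey for admin from 198.51.100.5
""".splitlines()

if __name__ == "__main__":
    for (src, port), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src} -> port {port}: {n} accepted inbound connection(s)")
```

Point it at /var/log/security (or wherever syslog sends the kernel facility) to compare the tally against the window in which the service was actually enabled.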
