From: "Dalin S. Owen"
Reply-To: dowen@pstis.com
Organization: Nexus XI Corp.
To: security@freebsd.org
Subject: Re: Telnet Exploit
Date: Mon, 6 May 2002 13:47:54 -0600
In-Reply-To: <135YGUD5H2YCVJ3JLY3L2CMBQCXYNOQCEADYX2T5@ziplip.com>
Message-Id: <200205061347.54915.dowen@pstis.com>

On May 6, 2002 01:37 pm, SolarfluX wrote:
> Why in the world are you using telnetd anyhow? You should be using SSHD
> and never telnetd. Telnetd should be 'forbidden'...

So if we are going to do away with telnetd, we should scrap FTP and SMTP
then.. as they are garbage protocols.

We can not have that attitude. Why do you think FreeBSD still ships with
rlogin? To maintain backward compatibility with older systems.

> > I think I just got hit with a telnet exploit.
> > I noticed some network activity on my cable modem, Logged in my gateway
> > ran 'w' no one else but ran 'top' I had telnetd running, in my security
> > logs I found this:
> >
> > May 5 16:27:45 cx17105-b /kernel: ipfw: 4000 Accept TCP
> > 211.234.111.226:58981 68**.**.**:23 in via ep0
> > May 5 16:27:46 cx17105-b /kernel: ipfw: 4000 Accept TCP
> > 211.234.111.226:59085 68.**.**.**:23 in via ep0
> > May 5 16:27:47 cx17105-b /kernel: ipfw: 4000 Accept TCP
> > 211.234.111.226:59086 **.**.**:23 in via ep0
> >
> > I'm running stable what gives???? The worst part was I only had Telnet
> > enabled for 3 hours....
> >
> > $uname -a
> > FreeBSD cx17105-b 4.5-STABLE FreeBSD 4.5-STABLE #2: Mon Apr 8 20:07:25
> > PDT 2002 root@cx17105-b:/usr/obj/usr/src/sys/SPUD i386
> >
> > Thanks,
> > Dylan

If you running 4.5-STABLE, you shouldn't have anything to worry about... those
logs look like the result of a "ipfw log allow tcp from any to any 23 setup"
or similar command. You are probably fine.

But if you are truly paranoid: Try running "sockstat" see if there is
anything bound to a socket that you did not put there. Check your firewall
(if you have one). Did you have any sort of filesystem integrity toolkit
installed like tripwire or aide? Try running that.. look in /tmp for rootkit
remains.. we need more information than messages/dmesg/etc.

Cya,
Dalin Owen

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
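A defender-side check of Dalin's reading of those log lines, added here as an example and not part of the thread: it parses ipfw syslog entries in the format quoted above and reports which external sources had accepted inbound connections to port 23 in a short burst. The sample lines, the hostname and the RFC 5737 addresses are constructed, and the year is assumed because syslog omits it.

```python
import re
from collections import defaultdict
from datetime import datetime
# FreeBSD 4.x ipfw syslog format as quoted in the thread (ICMP entries carry no ports).
IPFW_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) /kernel: ipfw: "
    r"(?P<rule>\d+) (?P<action>\w+) (?P<proto>\S+) "
    r"(?P<src>\S+?)(?::(?P<sport>\d+))? (?P<dst>\S+?)(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)$")
# Constructed sample lines (RFC 5737 addresses), modelled on the logs quoted in the thread.
SAMPLE_LOG = """\
May  5 16:27:45 gw /kernel: ipfw: 4000 Accept TCP 198.51.100.7:58981 192.0.2.10:23 in via ep0
May  5 16:27:46 gw /kernel: ipfw: 4000 Accept TCP 198.51.100.7:59085 192.0.2.10:23 in via ep0
May  5 16:27:47 gw /kernel: ipfw: 4000 Accept TCP 198.51.100.7:59086 192.0.2.10:23 in via ep0
May  5 16:30:02 gw /kernel: ipfw: 4000 Accept TCP 192.0.2.10:1034 198.51.100.7:23 out via ep0
May  5 16:32:00 gw /kernel: ipfw: 4200 Deny ICMP:8.0 203.0.113.9 192.0.2.10 in via ep0
May  5 16:40:00 gw sshd[123]: Accepted publickey for admin from 203.0.113.9
""".splitlines()

def parse_ipfw_line(line, year=2002):
    """Return the fields of one ipfw log line, or None for non-ipfw lines (year is assumed)."""
    m = IPFW_RE.match(re.sub(r"\s+", " ", line.strip()))
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    for k in ("sport", "dport"):  # absent for ICMP entries
        rec[k] = int(rec[k]) if rec[k] else None
    return rec

def accepted_inbound_by_source(lines, dport=23, proto="TCP"):
    """Timestamps of accepted inbound connections to dport, grouped by source address."""
    hits = defaultdict(list)
    for rec in filter(None, map(parse_ipfw_line, lines)):
        if (rec["action"], rec["dir"], rec["proto"], rec["dport"]) == ("Accept", "in", proto, dport):
            hits[rec["src"]].append(rec["ts"])
    return dict(hits)

def bursts(hits, window_seconds=60, threshold=3):
    """Sources with at least `threshold` accepted connections inside any `window_seconds` span."""
    flagged = {}
    for src, times in hits.items():
        times = sorted(times)
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if (t - start).total_seconds() <= window_seconds)
            if n >= threshold:
                flagged[src] = n
                break
    return flagged
```

Run it against /var/log/security after a session like Dylan's: an "Accept" burst from one source only tells you the rule matched, so follow it with the sockstat and integrity checks Dalin lists rather than treating the log alone as evidence of compromise.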