Date: Mon, 6 May 2002 13:25:03 -0700
From: Kris Kennaway
To: "Dylan A. Reinhold"
Cc: security@freebsd.org
Subject: Re: Telent Exploit
Message-ID: <20020506132502.D59402@xor.obsecurity.org>
In-Reply-To: <3CD6D3A2.1CC77A9B@ocnetworking.com>

On Mon, May 06, 2002 at 12:04:02PM -0700, Dylan A. Reinhold wrote:
> I think I just got hit with a telnet exploit. I noticed some network
> activity on my cable modem, logged in to my gateway, ran 'w', no one else but
>
> ran 'top', I had telnetd running, in my security logs I found this:
>
> May 5 16:27:45 cx17105-b /kernel: ipfw: 4000 Accept TCP
> 211.234.111.226:58981 68**.**.**:23 in via ep0
> May 5 16:27:46 cx17105-b /kernel: ipfw: 4000 Accept TCP
> 211.234.111.226:59085 68.**.**.**:23 in via ep0
> May 5 16:27:47 cx17105-b /kernel: ipfw: 4000 Accept TCP
> 211.234.111.226:59086 **.**.**:23 in via ep0
>
> I'm running stable what gives???? The worst part was I only had Telnet
> enabled for 3 hours....

Why do you think you were exploited? The above only shows people
connecting to the port. If you don't want people doing that, don't
allow them to.

Kris
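
Added example, not part of the original thread: a short Python triage script for ipfw log lines in the format quoted above. It reports what such lines actually record (which rule made which decision on inbound packets to port 23, per source) and which rules admit that traffic. The function names and the sample lines are constructed for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the ipfw syslog format quoted in the thread;
# hostname and addresses (documentation ranges) are made up for this example.
SAMPLE_LOG = """\
May  5 16:27:45 gw /kernel: ipfw: 4000 Accept TCP 203.0.113.7:58981 192.0.2.10:23 in via ep0
May  5 16:27:46 gw /kernel: ipfw: 4000 Accept TCP 203.0.113.7:59085 192.0.2.10:23 in via ep0
May  5 16:27:47 gw /kernel: ipfw: 4000 Accept TCP 203.0.113.7:59086 192.0.2.10:23 in via ep0
May  5 16:30:02 gw /kernel: ipfw: 65000 Deny TCP 198.51.100.4:40112 192.0.2.10:23 in via ep0
May  5 16:31:10 gw /kernel: ipfw: 4100 Accept TCP 198.51.100.9:51000 192.0.2.10:22 in via ep0
"""

# Fields: rule number, action, protocol, src:port, dst:port, direction, interface
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) (?P<src>\S+):(?P<sport>\d+) "
    r"(?P<dst>\S+):(?P<dport>\d+) (?P<dir>in|out) via (?P<iface>\S+)"
)

def parse(log_text):
    """Yield one dict per ipfw log line; lines in other formats are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()

def summarize(log_text, port=23):
    """Count inbound logged packets to `port` per (source, rule, action).

    Each line records only the firewall's decision on one matching packet;
    it says nothing about what happened inside the resulting session.
    """
    counts = defaultdict(int)
    for e in parse(log_text):
        if e["dir"] == "in" and int(e["dport"]) == port:
            counts[(e["src"], int(e["rule"]), e["action"])] += 1
    return dict(counts)

def accepting_rules(log_text, port=23):
    """Rule numbers that admit inbound traffic to `port` (candidates to tighten)."""
    return sorted({rule for (_, rule, action) in summarize(log_text, port)
                   if action == "Accept"})

if __name__ == "__main__":
    for (src, rule, action), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src} -> port 23: {n} packet(s), rule {rule}, {action}")
    print("rules admitting port 23:", accepting_rules(SAMPLE_LOG))
```

Evidence of a compromise would have to come from other sources, such as login records or the process list; the firewall log only establishes that the port was reachable and that someone connected to it.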