From owner-freebsd-security  Mon May  6 16: 8:56 2002
Delivered-To: freebsd-security@freebsd.org
Received: from fed1mtao04.cox.net (fed1mtao04.cox.net [68.6.19.241])
	by hub.freebsd.org (Postfix) with ESMTP id 3AB6237B404
	for <security@freebsd.org>; Mon,  6 May 2002 16:08:53 -0700 (PDT)
Received: from ocnetworking.com ([68.4.231.87]) by fed1mtao04.cox.net
          (InterMail vM.5.01.04.05 201-253-122-122-105-20011231) with ESMTP
          id <20020506230853.ELUI26656.fed1mtao04.cox.net@ocnetworking.com>
          for <security@freebsd.org>; Mon, 6 May 2002 19:08:53 -0400
Message-ID: <3CD70D86.872C3337@ocnetworking.com>
Date: Mon, 06 May 2002 16:11:02 -0700
From: "Dylan A. Reinhold" <Dylan@ocnetworking.com>
Organization: InterNetworking http://www.ocnetworking.com
X-Mailer: Mozilla 4.79 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: security@freebsd.org
Subject: Re: Telent Exploit
References: <3CD6D3A2.1CC77A9B@ocnetworking.com> <20020506132502.D59402@xor.obsecurity.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

Kris Kennaway wrote:

> On Mon, May 06, 2002 at 12:04:02PM -0700, Dylan A. Reinhold wrote:
> > I think I just got hit with a telent exploit. I noticed some network
> > activity on my cable modem, Logged in my gateway ran 'w' no one else but
> >-------------SNIP ---------------SNIP----------------->>>>>>>>>>>>>>>

>
> > Im running stable what gives???? The worst part was I only had Telnet
> > enabled for 3 hours....
>
> Why do you think you were exploited?  The above only shows people
> connecting to the port.  If you don't want people doing that, don't
> allow them to.
>
> Kris

When I saw the network activity and ran top, 'telnetd' was running something
like 18% of the CPU with no visible users from 'who'. So I killed the telnetd
pid, and all the traffic stopped. Then I looked at the security log the last
entry was 15 minutes from when I killed 'telnetd'.

Thanks,
Dylan


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message