After all the noise about Code Red, here comes a new one, this time aimed at BSD (only?). I thought you guys (and gals) might like to be informed!

=====================================================================
Telnet Worm X.c
---------------
http://www.nipc.gov/warnings/assessments/2001/01-019.htm

NIPC has released an advisory concerning a worm that propagates via a buffer overflow vulnerability in BSD-derived telnet daemons. This vulnerability was discovered by TESO security and is described in a July 24 CERT advisory:
http://www.cert.org/advisories/CA-2001-21.html

Handler's Diary coverage of the vulnerability is here:
http://www.incidents.org/diary/july2001.php#241

The worm code was recovered a couple of weeks ago. However, DShield has not recorded any significant levels of telnet activity suggesting that the worm is actively propagating in the wild. The table below shows statistics for the telnet port recorded over the past month by DShield. The last column gives the number of unique sources reported as sending at least one telnet probe on the date indicated.

Date        #Probes  #Sources
----------  -------  --------
2001-07-30      209        39
2001-07-31      547        40
2001-08-01      559        33
2001-08-02      649        43
2001-08-03      783        45
2001-08-04      472        44
2001-08-05     1005        39
2001-08-06      979        42
2001-08-07      227        27
2001-08-08     1725        54
2001-08-09      281        28
2001-08-10     2312        64
2001-08-11      517        35
2001-08-12      103        37
2001-08-13      660        44
2001-08-14     3436        36
2001-08-15      156        30
2001-08-16     2208        46
2001-08-17      490        48
2001-08-18      371        45
2001-08-19     2081        45
2001-08-20      675        46
2001-08-21      860        33
2001-08-22     1049        15
2001-08-23      540        26
2001-08-24      364        31
2001-08-25     1304        32
2001-08-26      459        42
2001-08-27     1171        31
2001-08-28      381        42
2001-08-29     1147        47
2001-08-30      137        28
2001-08-31     3496        23

The telnet worm configures compromised hosts to serve a root shell from port 145/tcp, and scans random IP addresses on the telnet port in order to find new victims.
William Stearns has created a tool which will detect the x.c worm and remove it from infected systems. The tool may be found here:
http://www.ists.dartmouth.edu/IRIA/knowledge_base/tools/xcfind.htm

Dartmouth's main page, which offers additional worm detection and removal tools, is here:
http://www.ists.dartmouth.edu/IRIA/knowledge_base/index.htm

SK
-- 
SedeComp Comunicaciones Internet Solutions
MandrakeSoft's VAR and System Integrator
mailto:[EMAIL PROTECTED]
OpenPGP key available on: http://www.keyserver.net/en/
Current Linux kernel 2.4.8-12mdk uptime: 1 day 1 hour 5 minutes.
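The advisory gives two indicators a practitioner can check for: a root shell listening on 145/tcp on a compromised host, and inbound probes of the telnet port from many random sources. The script below is an added example, not part of the original post, of the NIPC advisory or of the xcfind tool. The `netstat -an` output and the firewall log lines in it are constructed samples; the log format is only loosely modelled on ipfw's syslog lines, and the `backdoor_port_open` live check is an assumption about how one would confirm the listener from another host, not something the advisory prescribes.

```python
"""Offline checks for the two x.c indicators named in the NIPC advisory:
a 145/tcp listener on the host, and telnet (23/tcp) probe volume per day."""
import re
import socket
from collections import defaultdict

BACKDOOR_PORT = 145   # root shell port the worm binds, per the advisory
TELNET_PORT = 23

# Constructed sample of `netstat -an` on a BSD host. The *.145 LISTEN line
# is the indicator; the other lines are ordinary noise.
NETSTAT_SAMPLE = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.23                   *.*                    LISTEN
tcp4       0      0  *.145                  *.*                    LISTEN
tcp4       0      0  10.0.0.5.22            10.0.0.9.41532         ESTABLISHED
udp4       0      0  *.514                  *.*
"""

# proto  recv-q  send-q  local  foreign  LISTEN  (BSD writes addr.port)
NETSTAT_RE = re.compile(r"^(tcp\d?)\s+\d+\s+\d+\s+(\S+)\s+\S+\s+LISTEN\s*$")


def listening_tcp_ports(netstat_text):
    """Return the set of TCP ports in LISTEN state from netstat -an output."""
    ports = set()
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        local = m.group(2)
        ports.add(int(local.rsplit(".", 1)[1]))   # port follows the last dot
    return ports


def x_backdoor_suspected(netstat_text):
    """True when something is listening on the worm's root-shell port."""
    return BACKDOOR_PORT in listening_tcp_ports(netstat_text)


def backdoor_port_open(host, port=BACKDOOR_PORT, timeout=3.0):
    """Live check from another machine (touches the network): does `host`
    accept a TCP connection on `port`? Only an indicator; confirm on the host."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed firewall log lines, loosely modelled on ipfw's syslog output.
# Three denies hit port 23 on Aug 14 from two sources, one on Aug 15; the
# port 80 line is there to show the filter ignores non-telnet traffic.
LOG_SAMPLE = """\
Aug 14 03:12:44 gw ipfw: 100 Deny TCP 203.0.113.7:2311 192.0.2.10:23 in via fxp0
Aug 14 03:12:45 gw ipfw: 100 Deny TCP 203.0.113.7:2312 192.0.2.11:23 in via fxp0
Aug 14 07:40:02 gw ipfw: 100 Deny TCP 198.51.100.9:4111 192.0.2.10:23 in via fxp0
Aug 14 09:01:13 gw ipfw: 100 Deny TCP 198.51.100.9:4112 192.0.2.10:80 in via fxp0
Aug 15 00:15:30 gw ipfw: 100 Deny TCP 203.0.113.7:2500 192.0.2.12:23 in via fxp0
"""

LOG_RE = re.compile(
    r"^(?P<date>\w{3}\s+\d{1,2}) \S+ \S+ ipfw: \d+ Deny TCP "
    r"(?P<src>[\d.]+):\d+ (?P<dst>[\d.]+):(?P<dport>\d+) in via"
)


def telnet_probe_table(log_text, telnet_port=TELNET_PORT):
    """Per syslog date: (#probes, #unique sources) for inbound denies to the
    telnet port, i.e. the same two columns as the DShield table above."""
    probes = defaultdict(int)
    sources = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or int(m.group("dport")) != telnet_port:
            continue
        day = m.group("date")
        probes[day] += 1
        sources[day].add(m.group("src"))
    return {day: (probes[day], len(sources[day])) for day in probes}


if __name__ == "__main__":
    print("145/tcp listener present:", x_backdoor_suspected(NETSTAT_SAMPLE))
    print("Date    #Probes  #Sources")
    for day, (n, s) in sorted(telnet_probe_table(LOG_SAMPLE).items()):
        print(f"{day:7} {n:8} {s:9}")
```

Run it against the real `netstat -an` output of a suspect BSD box and your own firewall log instead of the constructed samples; a steady rise in unique sources probing port 23 is what the DShield table was being watched for, and a 145/tcp listener is worth following up with xcfind rather than trusting the port number alone.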
