It isn't expected to become a monster like Windows-based malware of
the past, but security experts say an apparent worm exploiting a
recently patched Sun Solaris flaw serves as another reminder to
disable Telnet.
Sun Microsystems Inc.
patched a design flaw in the Telnet daemon of its Solaris 10
and 11 operating systems two weeks ago that
attackers could exploit for unauthenticated remote root
logins.
Tuesday, researchers at Lexington, Mass.-based Arbor Networks
Inc. began to detect hosts scanning for Telnet servers.
"A team member found what appears to be a Sun Solaris Telnet worm,"
Jose Nazario, senior security engineer for Arbor Networks, wrote in
the company's
blog. "While this may seem like a throwback to days gone by,
and maybe someone is starting from scratch in their exploit
activity, this is related to [the] recent Solaris bug."
The worm attempts to log in to targeted systems as the "lp" or "adm"
user and "execute a bunch of shell commands to set up shop and
keep on truckin'," he said. "[It's] very old school."
But, he added, so is Telnet.
"If you haven't patched yet, you should," he said. "Better yet,
just disable Telnet. It's 2007, after all."
Joel Esler, a volunteer handler at the Bethesda, Md.-based SANS
Internet Storm Center (ISC), wrote on the organization's
Web site
that an IP address range in France appeared to be scanning around
for port 23.
"We checked our data here at the Storm Center and it appears we
have similar traffic from the same net ranges," Esler said. This,
he added, would appear to back up Arbor Networks' conclusion that a
Solaris worm is making the rounds.
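As an added example, not code from the article, Arbor Networks or the ISC, the following Python script flags the scanning pattern described above (port 23 probes sprayed across many hosts) in constructed netfilter-style firewall log lines and rolls the hits up into /24 net ranges; the log format and all addresses are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample firewall log lines (netfilter-style SRC/DST/DPT fields);
# addresses are from the RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
Feb 13 09:58:01 gw kernel: IN=eth0 SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP DPT=23 SYN
Feb 13 09:58:01 gw kernel: IN=eth0 SRC=203.0.113.10 DST=198.51.100.6 PROTO=TCP DPT=23 SYN
Feb 13 09:58:02 gw kernel: IN=eth0 SRC=203.0.113.10 DST=198.51.100.7 PROTO=TCP DPT=23 SYN
Feb 13 09:58:03 gw kernel: IN=eth0 SRC=203.0.113.44 DST=198.51.100.5 PROTO=TCP DPT=23 SYN
Feb 13 09:58:03 gw kernel: IN=eth0 SRC=203.0.113.44 DST=198.51.100.9 PROTO=TCP DPT=23 SYN
Feb 13 09:58:03 gw kernel: IN=eth0 SRC=203.0.113.44 DST=198.51.100.10 PROTO=TCP DPT=23 SYN
Feb 13 09:58:04 gw kernel: IN=eth0 SRC=192.0.2.7 DST=198.51.100.5 PROTO=TCP DPT=22 SYN
Feb 13 09:58:05 gw kernel: IN=eth0 SRC=192.0.2.7 DST=198.51.100.5 PROTO=TCP DPT=23 SYN
"""

FIELDS = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP DPT=(?P<dpt>\d+)")

def telnet_targets(log_text):
    """Map each source address to the distinct hosts it touched on TCP/23."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = FIELDS.search(line)
        if m and m.group("dpt") == "23":
            targets[m.group("src")].add(m.group("dst"))
    return targets

def telnet_scanners(log_text, min_targets=3):
    """Sources that probed port 23 on at least min_targets distinct hosts.
    One source hitting a single Telnet server is a login (or a brute force);
    spraying across many hosts is the sweep pattern Arbor and the ISC saw."""
    return {src: sorted(dsts, key=ip_address)
            for src, dsts in telnet_targets(log_text).items()
            if len(dsts) >= min_targets}

def scanning_net_ranges(log_text, prefixlen=24, min_targets=3):
    """Collapse flagged scanners into /24 ranges (the granularity the ISC reported)
    and count how many distinct hosts each range swept."""
    ranges = defaultdict(set)
    for src, dsts in telnet_scanners(log_text, min_targets).items():
        ranges[str(ip_network(f"{src}/{prefixlen}", strict=False))].update(dsts)
    return {net: len(dsts) for net, dsts in ranges.items()}

if __name__ == "__main__":
    for src, dsts in telnet_scanners(SAMPLE_LOG).items():
        print(f"{src} swept TCP/23 on {len(dsts)} hosts: {', '.join(dsts)}")
    print(scanning_net_ranges(SAMPLE_LOG))
```

Run against real firewall or netflow export by feeding its text to the same functions; raise `min_targets` on busy perimeters to keep ordinary Telnet logins out of the alert.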
For many security experts, the flaw and subsequent exploit serve
as a stark reminder that
Telnet is easy pickings for the bad guys and should not be used
anymore.
The protocol allows virtual network terminals to be connected
over the Internet and is incorporated into a variety of popular
operating systems, from Sun Solaris and Red Hat Inc.'s Enterprise
Linux to Apple Computer Corp.'s Mac OS X. It has long been
considered a security risk because user names, passwords and all
subsequent commands are transmitted in plaintext, readable by anyone
able to monitor the network.
"In my opinion nobody should be running Telnet open to the
Internet," Donald Smith, another volunteer handler at the ISC, said
when the Solaris flaw was discovered two weeks ago. He noted that
since 1994, the CERT Software Engineering Institute at
Pennsylvania's Carnegie Mellon University has recommended using
something other than plain text authentication, due to potential
network-monitoring attacks.