Sun Microsystems Inc. patched a design flaw in the Telnet daemon of its Solaris 10 and 11 operating systems two weeks ago that attackers could exploit for unauthenticated remote root logins.
Tuesday, researchers at Lexington, Mass.-based Arbor Networks Inc. began to detect hosts scanning for Telnet servers.
"A team member found what appears to be a Sun Solaris Telnet worm," Jose Nazario, senior security engineer for Arbor Networks, wrote in the company's blog. "While this may seem like a throwback to days gone by, and maybe someone is starting from scratch in their exploit activity, this is related to [the] recent Solaris bug."
But, he added, so is Telnet.
"If you haven't patched yet, you should," he said. "Better yet, just disable Telnet. It's 2007, after all."
Joel Esler, a volunteer handler at the Bethesda, Md.-based SANS Internet Storm Center (ISC), wrote on the organization's Web site that an IP address range in France appeared to be scanning for port 23, the port Telnet listens on.
"We checked our data here at the Storm Center and it appears we have similar traffic from the same net ranges," Esler said. This, he added, would appear to back up Arbor Networks' conclusion that a Solaris worm is making the rounds.
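The scanning that Arbor Networks and the ISC describe above (many Telnet connection attempts from one source, or one net range, spread across many hosts) is the kind of pattern a defender can pick out of ordinary firewall logs. The script below is an added example, not code from the article or from either organization; the log format and every address in it are constructed for the example, and the thresholds (three distinct targets on TCP/23 within sixty seconds) are assumptions to tune for your own environment.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall log lines (not from the article). The format is assumed:
# "<ISO timestamp> src=<ip> dst=<ip> proto=tcp dport=<port> action=<deny|allow>"
SAMPLE_LOG = """\
2007-02-20T10:00:01 src=192.0.2.10 dst=198.51.100.5 proto=tcp dport=23 action=deny
2007-02-20T10:00:02 src=192.0.2.10 dst=198.51.100.6 proto=tcp dport=23 action=deny
2007-02-20T10:00:02 src=192.0.2.10 dst=198.51.100.7 proto=tcp dport=23 action=deny
2007-02-20T10:00:03 src=192.0.2.10 dst=198.51.100.8 proto=tcp dport=23 action=allow
2007-02-20T10:00:03 src=192.0.2.11 dst=198.51.100.9 proto=tcp dport=23 action=deny
2007-02-20T10:00:04 src=192.0.2.11 dst=198.51.100.10 proto=tcp dport=23 action=deny
2007-02-20T10:00:04 src=192.0.2.11 dst=198.51.100.11 proto=tcp dport=23 action=deny
2007-02-20T10:00:05 src=203.0.113.4 dst=198.51.100.5 proto=tcp dport=22 action=allow
2007-02-20T10:00:06 src=203.0.113.4 dst=198.51.100.5 proto=tcp dport=23 action=allow
2007-02-20T10:30:00 src=203.0.113.9 dst=198.51.100.20 proto=tcp dport=23 action=deny
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "proto": m["proto"],
        "dport": int(m["dport"]),
        "action": m["action"],
    }


def find_telnet_scanners(lines, min_targets=3, window_seconds=60, port=23):
    """Return {source_ip: distinct_targets} for every source that contacted at least
    min_targets distinct hosts on TCP/port within some window_seconds span.
    Denied and allowed attempts both count: a scanner does not care which."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "tcp" and rec["dport"] == port:
            by_src[rec["src"]].append((rec["ts"], rec["dst"]))

    scanners = {}
    for src, events in by_src.items():
        events.sort()  # order by timestamp so a sliding window is valid
        left, best = 0, 0
        for right in range(len(events)):
            # shrink the window from the left until it fits within window_seconds
            while (events[right][0] - events[left][0]).total_seconds() > window_seconds:
                left += 1
            distinct = len({dst for _, dst in events[left:right + 1]})
            best = max(best, distinct)
        if best >= min_targets:
            scanners[str(src)] = best
    return scanners


def group_by_net(scanners, prefix=24):
    """Collapse scanning sources into /prefix networks, the way an analyst would
    when reporting that a whole net range is scanning rather than one host."""
    nets = defaultdict(int)
    for src in scanners:
        net = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
        nets[str(net)] += 1
    return dict(nets)


if __name__ == "__main__":
    hits = find_telnet_scanners(SAMPLE_LOG.splitlines())
    for src, n in sorted(hits.items()):
        print(f"{src} contacted {n} distinct hosts on TCP/23")
    print("scanning net ranges:", group_by_net(hits))
```

Two sources in the constructed log trip the threshold and both collapse into the same /24, which is the "same net ranges" observation the ISC handlers made; the host that opened one Telnet session and one SSH session does not, so a single legitimate login is not reported. On real data, feed the function the relevant slice of your firewall or NetFlow export and raise `min_targets` until the output is quiet on a normal day.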
For many security experts, the flaw and subsequent exploit serve as a stark reminder that Telnet is easy pickings for the bad guys and should not be used anymore.
The protocol allows virtual network terminals to be connected over the Internet and is incorporated into a variety of popular operating systems, from Sun Solaris and Red Hat Inc.'s Enterprise Linux to Apple Computer Corp.'s Mac OS X. It has long been considered a security risk because user names, passwords and all subsequent commands are transmitted in plaintext, readable by anyone who can observe the traffic on the network path.
"In my opinion nobody should be running Telnet open to the Internet," Donald Smith, another volunteer handler at the ISC, said when the Solaris flaw was discovered two weeks ago. He noted that since 1994, the CERT Software Engineering Institute at Pennsylvania's Carnegie Mellon University has recommended using something other than plain text authentication, due to potential network-monitoring attacks.