telnet connection in LISTEN mode

From: Lisa Weihl (lweihl@cs.bgsu.edu)
Date: 10/05/01


Message-Id: <4.3.2.7.2.20011005152533.00be4b50@mail.cs.bgsu.edu>
Date: Fri, 05 Oct 2001 15:32:55 -0400
To: focus-sun@securityfocus.com
From: Lisa Weihl <lweihl@cs.bgsu.edu>
Subject: telnet connection in LISTEN mode

I've had a strange occurrence on 5 of my Unix workstations/servers and was
hoping someone here might have an explanation. Both my security officer
and a Unix admin with more experience than me weren't quite sure what it meant.

On those 3 machines a netstat -a revealed the following line repeated 3 times:

mylocalhost.telnet steve3.demon.co.uk.someportno 0 0 8855 0 LISTEN

Running lsof and ps -ef shows no strange processes running. Suspicious but
unsure exactly what was going on, I checked with my security officer to see
what he thought and then I rebooted. I've been able to reboot 3 of the
boxes and each one panicked with a recursive mutex_enter error. The system
was unable to sync filesystems, gave up and rebooted. / and /usr
filesystems reported incorrect free block counts and fsck fixed them. The
systems are back up and running. BTW, the systems are running Solaris 2.6
but haven't had recommended patches applied since Jan.

Can anyone help me explain what happened here? Did I get hit with some
kind of vulnerability? Our University has been getting hit with regular
scans so if there is something recent out there I may have been hit.

TIA for the help.
**********************************************************************************
Lisa Weihl, System Administrator E-mail: lweihl@cs.bgsu.edu
Department of Computer Science Office: Hayes 225
Bowling Green State University Phone: (419) 372-0116
Bowling Green, Ohio 43403-0214 Fax: (419) 372-8061