Re: telnet connection in LISTEN mode

From: Bojan Zdravkovic (bzdravko@siac.com)
Date: 10/09/01


From: "Bojan Zdravkovic" <bzdravko@siac.com>
To: focus-sun@securityfocus.com
Message-ID: <85256ADF.00816853.00@nsmtp1.nsmtp.siac.com>
Date: Mon, 8 Oct 2001 19:41:12 -0400
Subject: Re: telnet connection in LISTEN mode


Hi there Lisa!

Diagnosing what caused this is like shooting a fly in space with a bullet. But
here's my shot at it:

From a technical aspect, this looks like a result of an attempt at
inappropriately locking (mutex_enter) the telnet thread without data flow (Swind
0).
From a malicious cracker ("terrorist") aspect, this could be an attempt to
inject code causing havoc gone wrong.

I haven't had the pleasure to examine the bsd-based telnetd vulnerability
(exploit) so let your security officer take a look at some proof of concept
codes out there and formulate a conclusion in regards to this.

This probably resulted in some core files, so I'd save them and pass them on to a
good forensics team or skilled programmers so they can tell you what exactly
happened by examining them. But be careful with corefile generosity as they
might reveal the darks of your system.

Good luck! And keep up with the patches!

-Bojan

Lisa Weihl <lweihl@cs.bgsu.edu> on 10/05/2001 03:32:55 PM

To: focus-sun@securityfocus.com
cc: (bcc: Bojan Zdravkovic/SIAC)
Subject: telnet connection in LISTEN mode

I've had a strange occurrence on 5 of my Unix workstations/servers and was
hoping someone here might have an explanation. Both my security officer
and a Unix admin with more experience than me weren't quite sure what it meant.

On those 3 machines a netstat -a revealed the following line repeated 3 times:

mylocalhost.telnet steve3.demon.co.uk.someportno 0 0 8855 0
   LISTEN

Running lsof and ps -ef shows no strange processes running. Suspicious but
unsure exactly what was going on, I checked with my security officer to see
what he thought and then I rebooted. I've been able to reboot 3 of the
boxes and each one panicked with a recursive mutex_enter error. The system
was unable to sync filesystems, gave up and rebooted. / and /usr
filesystems reported incorrect free block counts and fsck fixed them. The
systems are back up and running. BTW, the systems are running Solaris 2.6
but haven't had recommended patches applied since Jan.

Can anyone help me explain what happened here? Did I get hit with some
kind of vulnerability? Our University has been getting hit with regular
scans so if there is something recent out there I may have been hit.

TIA for the help.
**********************************************************************************

Lisa Weihl, System Administrator E-mail: lweihl@cs.bgsu.edu
Department of Computer Science Office: Hayes 225
Bowling Green State University Phone: (419) 372-0116
Bowling Green, Ohio 43403-0214 Fax: (419) 372-8061
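The odd thing in the netstat line Lisa posted is that a socket in LISTEN state is tied to a specific remote peer; a normal listener shows `*.*` as its remote address. The following script is an added example, not code from either poster: it parses Solaris-style `netstat -a` TCP output (assumed column order Local Address, Remote Address, Swind, Send-Q, Rwind, Recv-Q, State), re-joins rows that a mail client wrapped before the State column as happened in the quoted post, and flags any LISTEN entry bound to a remote host, counting how many times it repeats. The sample output and host names are constructed for the example.

```python
"""Flag LISTEN sockets tied to a specific remote peer in `netstat -a` output.

Added example (not part of the original thread). Column layout assumed:
Local Address, Remote Address, Swind, Send-Q, Rwind, Recv-Q, State, as
printed by Solaris netstat -a for the TCP table.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterator, List

TCP_COLUMNS = 7  # local, remote, swind, send-q, rwind, recv-q, state
# TCP states Solaris netstat may print; used to recognise a wrapped State column.
TCP_STATES = {
    "LISTEN", "ESTABLISHED", "SYN_SENT", "SYN_RCVD", "FIN_WAIT_1", "FIN_WAIT_2",
    "CLOSE_WAIT", "CLOSING", "LAST_ACK", "TIME_WAIT", "CLOSED", "IDLE", "BOUND",
}

# Constructed sample modelled on the post; host names are placeholders.
SAMPLE_NETSTAT = """\
TCP
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
      *.sunrpc              *.*                0      0     0      0 LISTEN
      *.telnet              *.*                0      0     0      0 LISTEN
mylocalhost.telnet  steve3.demon.co.uk.someportno  0  0  8855  0 LISTEN
mylocalhost.telnet  steve3.demon.co.uk.someportno  0  0  8855  0 LISTEN
mylocalhost.telnet  workstation.example.net.1023  8760  0  8760  0 ESTABLISHED
mylocalhost.22      mgmt.example.net.40123        8760  0  8760  0 ESTABLISHED
"""


@dataclass(frozen=True)
class TcpEntry:
    local: str
    remote: str
    swind: int
    sendq: int
    rwind: int
    recvq: int
    state: str


def _logical_lines(text: str) -> Iterator[str]:
    """Yield table rows, re-joining a row whose State token wrapped to the next line."""
    pending = None  # a row seen with six tokens, waiting for its State column
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if pending is not None:
            if line in TCP_STATES:  # lone state token belongs to the previous row
                yield pending + " " + line
                pending = None
                continue
            yield pending
            pending = None
        if len(line.split()) == TCP_COLUMNS - 1:
            pending = line
        else:
            yield line
    if pending is not None:
        yield pending


def parse_netstat_tcp(text: str) -> List[TcpEntry]:
    """Parse the TCP rows; header, separator and non-TCP lines are skipped."""
    entries = []
    for line in _logical_lines(text):
        fields = line.split()
        if len(fields) != TCP_COLUMNS:
            continue
        try:
            nums = [int(f) for f in fields[2:6]]
        except ValueError:
            continue  # separator row of dashes or a header fragment
        entries.append(TcpEntry(fields[0], fields[1], *nums, fields[6]))
    return entries


def find_anomalies(entries: List[TcpEntry]) -> List[str]:
    """A listener should have a wildcard peer; anything else is worth a look."""
    findings = []
    for entry, seen in Counter(entries).items():
        if entry.state == "LISTEN" and entry.remote != "*.*":
            findings.append(
                f"LISTEN socket {entry.local} tied to remote peer {entry.remote} "
                f"(seen {seen}x; Swind={entry.swind}, Rwind={entry.rwind})"
            )
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(parse_netstat_tcp(SAMPLE_NETSTAT)):
        print(finding)
```

Run it against saved `netstat -a` output from each affected box; a hit does not say what caused the state, but it gives the forensics team a concrete socket, peer and repeat count to line up against the core files and the panic time.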