Incidents
Re: Increased activity on port 110 Feb 27 2007 07:29AM
joakim berge gmail com (1 replies)
Anybody recognize this Solaris compromise? Apr 13 2007 06:46PM
David Gillett (gillettdavid fhda edu) (2 replies)
Re: Anybody recognize this Solaris compromise? Apr 13 2007 09:30PM
Axel Pettinger (api worldonline de)
David Gillett wrote:
>
> I've got a Solaris machine on my network that has acquired
> an unauthorized behaviour of unknown origin. Every night,
> from 1:10:30am until 6:00:30am, it tries to establish outbound
> telnet connections to addresses all over the Internet.

"Telnet" and "01:10am", this looks like the following worm:

Solaris Telnet Scanning ? Possible Worm?
http://asert.arbornetworks.com/2007/02/solaris-telnet-scanning-possible-worm/

Solaris Telnet Worm
http://www.symantec.com/enterprise/security_response/weblog/2007/02/solaris_telnet_worm.html

Security Vulnerability in the in.telnetd(1M) Daemon May Allow Unauthorized Remote Users to Gain Access to a Solaris Host
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1

Solaris.Wanuk.Worm
http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-022810-3637-99

Solaris.Wanukdoor
http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-022810-0202-99

SunOS/Wanukdoor
http://vil.nai.com/vil/content/v_141604.htm

Regards,
Axel Pettinger

Re: Anybody recognize this Solaris compromise? Apr 13 2007 08:50PM
Jamie Riden (jamie riden gmail com) (2 replies)
Re: Anybody recognize this Solaris compromise? Apr 13 2007 09:43PM
Tim (tim-forensics sentinelchicken org)
Re: Anybody recognize this Solaris compromise? Apr 13 2007 09:42PM
Matthew T. Fata (matt credibleinstitution org)


 

Copyright 2010, SecurityFocus