Thursday, March 1, 2007

Solaris Telnet Worm

A couple of weeks ago in our first blog post we mentioned a vulnerability in Sun's telnet service that would easily allow a hacker to gain full control of a system running an unpatched version of telnet. A couple of days ago we were made aware of a worm exploiting this vulnerability. We're not worried for the following reasons:

1) We expect the number of people still running publicly available telnet servers to be quite low, and the number of people running publicly available telnet servers on the Solaris platform to be even lower.

2) Solaris administrators tend to be more aware of security patches than your typical Windows user, so with two weeks between Sun's patch release and the worm, we expect most vulnerable systems are updated.

3) Most IPS systems should have signatures for the exploit by now.

The media has got wind of the story and is starting to make some noise about the big bad worm. So far it seems to be pretty harmless:

DShield.org collects firewall logs from about 20,000 firewalls around the world. They crunch this data and plot charts that are pretty interesting. Port 23 is the telnet service and this is the chart as of this morning:

As you can see, the number of target machines (machines that have been scanned for an open telnet service) has increased quite a lot, but the number of source machines (machines attempting the scans and possibly infected with a worm) has held steady at about 500 per day, with the exception of a quick spike right after the vulnerability was announced and before the worm (or worms) hit the scene.
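The two series described above (distinct scanning sources versus distinct scanned targets per day on port 23) are easy to reproduce from your own firewall logs. The following is an added example, not from the original post or from DShield; the log format is a constructed iptables-style line and the addresses are constructed RFC 5737 test addresses.

```python
"""Count distinct scanning sources and scanned targets per day for TCP/23,
the two series DShield plots for the telnet port (added example)."""
from collections import defaultdict
import re

# Constructed firewall log lines; addresses are RFC 5737 test ranges.
SAMPLE_LOG = """\
2007-02-27 03:14:01 DROP SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=23
2007-02-27 03:14:02 DROP SRC=198.51.100.7 DST=203.0.113.11 PROTO=TCP DPT=23
2007-02-27 03:14:03 DROP SRC=198.51.100.7 DST=203.0.113.12 PROTO=TCP DPT=23
2007-02-27 09:20:44 DROP SRC=198.51.100.9 DST=203.0.113.10 PROTO=TCP DPT=23
2007-02-27 11:02:10 DROP SRC=198.51.100.9 DST=203.0.113.10 PROTO=TCP DPT=22
2007-02-28 00:01:59 DROP SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=23
2007-02-28 00:02:00 DROP SRC=198.51.100.7 DST=203.0.113.13 PROTO=TCP DPT=23
2007-02-28 00:02:01 DROP SRC=198.51.100.7 DST=203.0.113.14 PROTO=TCP DPT=23
2007-02-28 00:02:02 DROP SRC=198.51.100.7 DST=203.0.113.15 PROTO=TCP DPT=23
2007-02-28 06:30:00 DROP SRC=198.51.100.9 DST=203.0.113.10 PROTO=TCP DPT=23
"""

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) \S+ DROP SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=TCP DPT=(?P<dpt>\d+)$"
)

def port_activity(log_text, port=23):
    """Return {day: (distinct_sources, distinct_targets)} for one TCP port."""
    sources = defaultdict(set)
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m["dpt"]) != port:
            continue  # skip unparsable lines and traffic to other ports
        sources[m["day"]].add(m["src"])
        targets[m["day"]].add(m["dst"])
    return {day: (len(sources[day]), len(targets[day])) for day in sorted(sources)}

def target_growth_without_source_growth(activity):
    """Days where targets rose from the previous day while sources did not:
    the pattern the post describes (same scanners, more hosts being probed)."""
    days = sorted(activity)
    flagged = []
    for prev, cur in zip(days, days[1:]):
        prev_sources, prev_targets = activity[prev]
        cur_sources, cur_targets = activity[cur]
        if cur_targets > prev_targets and cur_sources <= prev_sources:
            flagged.append(cur)
    return flagged
```

A jump in the source series, rather than the target series, is the signal that new hosts have been infected and started scanning.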

But just in case we're wrong and one of these worms takes off, we'll repeat ourselves: firewall port 23, disable the telnet service (use ssh instead), and patch your machines.

[Note from the sponsor: eSoft's Intrusion Prevention Softpak has protected customers from the Solaris telnet exploit since the announcement of the exploit.]
