<p>The CERT Coordination Center publishes incident notes to provide information about incidents to the Internet community.</p>
<h2>Systems Compromised Through a Vulnerability in the IRIX telnet daemon</h2>
<p>Original release date: Thursday, August 31, 2000<br/>
Last revised: Thursday, September 7, 2000<br/>
Source: CERT/CC</p>
<h3>Overview</h3>
<p>We have received reports of intruder activity involving the telnet daemon on SGI machines running the IRIX operating system. Intruders are actively exploiting a vulnerability in <i>telnetd</i> that results in a remote root compromise of victim machines.</p>
<p>Information about the vulnerability we have seen exploited as part of these attacks can be found at</p>
<ul>
<li><a href="ftp://sgigate.sgi.com/security/20000801-01-P">SGI Security Advisory 20000801-01-P</a>, IRIX telnetd vulnerability</li>
<li><a href="http://www.securityfocus.com/bid/1572">http://www.securityfocus.com/bid/1572</a></li>
</ul>
<h3>Description</h3>
<p>Reports of successful exploitation of the vulnerability in <i>telnetd</i> have included some or all of the following attack characteristics:</p>
<ul>
<li>Generation of a syslog message similar to
<dl>
<dd><pre>
overly long syslog message detected, truncating telnetd[xxxxx]: ignored attempt to setenv (_RLD, ^?D^X^\ ^?D^X^^ ^D^P^?^?$^B^Cs#^?^B^T#d~^H#e~^P/d~^P/`~^T#`~^O ^C ^?^?L/bin/sh
</pre></dd>
</dl>
or
<dl>
<dd><pre>
overly long syslog message, integrity compromised, aborting
</pre></dd>
</dl>
</li>
<li>Addition of accounts with root privileges to /etc/passwd</li>
<li>Remote retrieval and installation of additional intruder tools, including root kits that contain replacements for various system binaries, including <i>telnetd</i></li>
<li>Installation of packet sniffers</li>
<li>Installation of IRC proxy programs such as <i>bnc</i></li>
</ul>
<h3>Solutions</h3>
<h4>Patch or disable the telnetd service</h4>
<p>Patches for this vulnerability have been released by SGI. Sites are encouraged to follow the instructions in the <a href="ftp://sgigate.sgi.com/security/20000801-01-P">SGI advisory</a> on how to obtain the patches. For sites that cannot immediately apply the patches, the advisory also provides instructions for disabling the telnet service.</p>
<h4>Restrict access to the telnetd service</h4>
<p>Sites can employ access control mechanisms, such as packet filtering, firewalls, or application-layer controls, to manage the risk of intrusion on vulnerable systems.</p>
<p>As a good security practice in general, the CERT/CC recommends blocking unneeded ports at your network border(s). Specifically for this vulnerability, sites should block TCP port 23 (telnet).</p>
<p>For sites where this is not feasible, the CERT/CC recommends applying an access control mechanism such as tcp_wrappers or tcpserver to the telnet service. The tcp_wrappers package can be found at</p>
<dl><dd><a href="ftp://ftp.porcupine.org/pub/security/index.html">ftp://ftp.porcupine.org/pub/security/index.html</a></dd></dl>
<p>The ucspi-tcp package, including tcpserver, can be found at</p>
<dl><dd><a href="http://cr.yp.to/ucspi-tcp.html">http://cr.yp.to/ucspi-tcp.html</a></dd></dl>
<p>If you believe a host has been compromised, we encourage you to disconnect the host from the network and review our steps for recovering from a root compromise:</p>
<dl><dd><a href="http://www.cert.org/tech_tips/root_compromise.html">http://www.cert.org/tech_tips/root_compromise.html</a></dd></dl>
<p>We also encourage you to ensure that your hosts are current with security patches or workarounds for well-known vulnerabilities and to regularly review security-related patches released by your vendors.</p>
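<p>As an added example (not part of the CERT note or SGI's advisory), the following Python script turns two of the attack characteristics from the Description section into a defender's check: it scans syslog text for the <i>telnetd</i> _RLD setenv message and the two "overly long syslog message" warnings, and lists /etc/passwd entries other than root that carry UID 0. The hostnames, log lines and passwd entries are constructed samples, and the regular expressions are my own assumption about the exact message wording.</p>

```python
"""Check a host for the IN-2000-09 indicators. Added example, not CERT code.
Checks: syslog lines matching the telnetd _RLD setenv message or the two
'overly long syslog message' warnings, and non-root accounts with UID 0.
All sample input below is constructed."""
import re

INDICATORS = {
    # telnetd refusing an _RLD* environment variable (message quoted in the note)
    "telnetd_rld_setenv": re.compile(r"telnetd\[\d+\]: ignored attempt to setenv \(_RLD"),
    # syslogd truncating or aborting on the overly long message
    "syslog_truncated": re.compile(r"overly long syslog message detected, truncating"),
    "syslog_aborted": re.compile(r"overly long syslog message, integrity compromised, aborting"),
}

def scan_syslog(text):
    """Return (line_number, indicator, line) for each line matching an indicator."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.append((lineno, name, line.rstrip()))
    return hits

def extra_uid0_accounts(passwd_text):
    """Return usernames other than 'root' whose UID field is 0; malformed lines are skipped."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue
        if int(fields[2]) == 0 and fields[0] != "root":
            found.append(fields[0])
    return found

SAMPLE_SYSLOG = """\
Aug 31 02:14:07 irixhost syslogd: overly long syslog message detected, truncating
Aug 31 02:14:07 irixhost telnetd[4711]: ignored attempt to setenv (_RLD, <payload elided>)
Aug 31 02:15:00 irixhost login: ROOT LOGIN ON ttyq1
Aug 31 02:16:30 irixhost syslogd: overly long syslog message, integrity compromised, aborting
"""
SAMPLE_PASSWD = """\
root:x:0:0:Super-User:/:/bin/sh
guest:x:998:998:Guest:/usr/people/guest:/bin/csh
toor:x:0:0::/:/bin/sh
"""

if __name__ == "__main__":
    for hit in scan_syslog(SAMPLE_SYSLOG):
        print("syslog line %d [%s]: %s" % hit)
    print("non-root UID 0 accounts:", extra_uid0_accounts(SAMPLE_PASSWD))
```

<p>On a real host, feed the script the contents of the syslog file and /etc/passwd instead of the samples; a hit on either check is a reason to follow the root-compromise recovery steps above rather than to trust the host's own binaries.</p>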
<p><b>Author</b>: <a href="mailto:cert@cert.org?subject=IN-2000-09%20Feedback">Chad Dougherty</a></p>
<p>Copyright 2000 Carnegie Mellon University.</p>
<p>Revision History</p>
<pre>
August 31, 2000: Initial Release
September 7, 2000: Updated information in solutions section upon SGI's release of patches for this vulnerability, and updated the SGI advisory number.
</pre>