A new Solaris worm using the recent Telnet vulnerability seems to have been found in the wild:
This morning on ATLAS we saw a pair of hosts scanning for Telnet servers. While this may seem like a throwback to days gone by, and maybe someone is starting from scratch in their exploit activity, this is related to a recent Solaris bug, specifically CVE-2007-0882 (the telnet “-froot” bug). Two boxes in the same subnet scanning for it and hitting ATLAS; reports from another site indicate another box on that same subnet scanning them.
Last night a team member found what appears to be a Sun Solaris telnet worm using this vulnerability.
Read it all at the Arbor Security Blog.
According to SANS, there is a spike in port tcp/23 scans.

UPDATE 1-Mar-2007: Symantec’s report on the issue and a write-up on the Solaris.Wanuk.Worm. The spread of the worm seems to be quite limited. After all, not many Solaris boxes have telnet ports accessible from the Internet.


