Security Incidents mailing list archives

Re: Anybody recognize this Solaris compromise?


From: Axel Pettinger <api () worldonline de>
Date: Fri, 13 Apr 2007 23:30:15 +0200

David Gillett wrote:

> I've got a Solaris machine on my network that has acquired
> an unauthorized behaviour of unknown origin.  Every night,
> from 1:10:30am until 6:00:30am, it tries to establish outbound
> telnet connections to addresses all over the Internet.

"Telnet" and "01:10am", this looks like the following worm:

Solaris Telnet Scanning — Possible Worm?
http://asert.arbornetworks.com/2007/02/solaris-telnet-scanning-possible-worm/

Solaris Telnet Worm
http://www.symantec.com/enterprise/security_response/weblog/2007/02/solaris_telnet_worm.html

Security Vulnerability in the in.telnetd(1M) Daemon May Allow Unauthorized Remote Users to Gain Access to a Solaris Host
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102802-1

Solaris.Wanuk.Worm
http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-022810-3637-99

Solaris.Wanukdoor
http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-022810-0202-99

SunOS/Wanukdoor
http://vil.nai.com/vil/content/v_141604.htm

Regards,
Axel Pettinger
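Added example, not part of the thread and not code from either poster: a small Python detector for the symptom David describes, a host that opens outbound TCP/23 connections to many distinct Internet addresses inside a fixed night-time window. The log format, the sample lines, the 10.0.0.0/8 internal range and the threshold of three distinct destinations are all assumptions made for the example; only the 01:10:30 to 06:00:30 window comes from the original report.

```python
"""
Flag internal hosts that attempt outbound telnet (TCP/23) to many distinct
external addresses, and report how many of those attempts fall inside the
nightly window quoted in the thread. Hypothetical detector, not the worm.
"""
import re
from collections import defaultdict
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed sample lines in a made-up firewall log format (not real logs):
# "<date> <time> <action> <proto> <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = """\
2007-04-12 01:10:31 ACCEPT TCP 10.0.0.5:40211 -> 203.0.113.9:23
2007-04-12 01:10:32 ACCEPT TCP 10.0.0.5:40212 -> 198.51.100.44:23
2007-04-12 01:10:33 DROP TCP 10.0.0.5:40213 -> 192.0.2.77:23
2007-04-12 01:10:34 ACCEPT TCP 10.0.0.5:40214 -> 203.0.113.200:23
2007-04-12 02:15:00 ACCEPT TCP 10.0.0.5:40215 -> 198.51.100.5:23
2007-04-12 09:00:00 ACCEPT TCP 10.0.0.5:40300 -> 10.0.0.9:23
2007-04-12 10:00:00 ACCEPT TCP 10.0.0.7:51000 -> 203.0.113.9:80
2007-04-12 03:00:00 ACCEPT TCP 10.0.0.7:51001 -> 192.0.2.10:23
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\w+) (\w+) (\S+):(\d+) -> (\S+):(\d+)$")

# Window reported in the thread: 1:10:30am until 6:00:30am (inclusive here).
WINDOW_START = time(1, 10, 30)
WINDOW_END = time(6, 0, 30)

# Assumed internal address space; connections to these are ignored, because
# the symptom is telnet to addresses "all over the Internet".
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
            "action": m.group(2), "proto": m.group(3),
            "src": m.group(4), "sport": int(m.group(5)),
            "dst": m.group(6), "dport": int(m.group(7))}


def in_window(ts):
    """True if the timestamp's time of day lies inside the nightly window."""
    return WINDOW_START <= ts.time() <= WINDOW_END


def is_internal(addr):
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def find_telnet_scanners(log_text, min_distinct_dsts=3):
    """
    Return {src: summary} for every source that attempted TCP/23 to at least
    min_distinct_dsts distinct external destinations. Dropped attempts count
    as well: the attempt, not its success, is the symptom.
    """
    per_src = defaultdict(lambda: {"dsts": set(), "total": 0,
                                   "in_window": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dport"] != 23:
            continue
        if is_internal(rec["dst"]):
            continue
        s = per_src[rec["src"]]
        s["dsts"].add(rec["dst"])
        s["total"] += 1
        if in_window(rec["ts"]):
            s["in_window"] += 1
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])

    return {src: {"distinct_dsts": len(s["dsts"]), "total": s["total"],
                  "in_window": s["in_window"], "first": s["first"], "last": s["last"]}
            for src, s in per_src.items() if len(s["dsts"]) >= min_distinct_dsts}


def report(log_text, min_distinct_dsts=3):
    """Human-readable lines, one per flagged source."""
    lines = []
    for src, s in sorted(find_telnet_scanners(log_text, min_distinct_dsts).items()):
        lines.append("%s: %d telnet attempts to %d external hosts, %d inside the "
                     "01:10:30-06:00:30 window (first %s, last %s)"
                     % (src, s["total"], s["distinct_dsts"], s["in_window"],
                        s["first"].time(), s["last"].time()))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

On the constructed log the only host flagged is 10.0.0.5: five attempts to five distinct external addresses, all inside the window, while its telnet session to an internal box at 09:00 is ignored. A high in_window share on successive nights is the pattern worth alerting on; a single host with one or two destinations (10.0.0.7 here) stays below the threshold, which is deliberate, since legitimate telnet to a handful of known external hosts is not the symptom being described.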
