Date: Mon, 6 May 2002 12:37:22 -0700 (PDT)
From: SolarfluX <solarflux@ziplip.com>
To: security@freebsd.org
Subject: Re: Telnet Exploit
Message-ID: <135YGUD5H2YCVJ3JLY3L2CMBQCXYNOQCEADYX2T5@ziplip.com>
Why in the world are you using telnetd anyhow? You should be using SSHD and never telnetd. Telnetd should be 'forbidden'...

Did you log in from the internet to your gateway via telnet during that three-hour period? Did you run tcpdump or ssldump (http://www.rtfm.com/ssldump/) to see where the traffic is coming from? Don't jump to conclusions before you acquire some data...

-S

> -----Original Message-----
> From: Dylan A. Reinhold [mailto:Dylan@ocnetworking.com]
> Sent: Monday, May 06, 2002, 12:04 PM
> To: security@freebsd.org
> Subject: Telnet Exploit
>
> I think I just got hit with a telnet exploit. I noticed some network
> activity on my cable modem, logged in to my gateway, ran 'w', no one else but
>
> ran 'top', I had telnetd running; in my security logs I found this:
>
> May 5 16:27:45 cx17105-b /kernel: ipfw: 4000 Accept TCP
> 211.234.111.226:58981 68**.**.**:23 in via ep0
> May 5 16:27:46 cx17105-b /kernel: ipfw: 4000 Accept TCP
> 211.234.111.226:59085 68.**.**.**:23 in via ep0
> May 5 16:27:47 cx17105-b /kernel: ipfw: 4000 Accept TCP
> 211.234.111.226:59086 **.**.**:23 in via ep0
>
> I'm running stable, what gives???? The worst part was I only had telnet
> enabled for 3 hours....
>
> $uname -a
> FreeBSD cx17105-b 4.5-STABLE FreeBSD 4.5-STABLE #2: Mon Apr 8 20:07:25
> PDT 2002 root@cx17105-b:/usr/obj/usr/src/sys/SPUD i386
>
> Thanks,
> Dylan
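The reply's point is to look at the data before concluding anything, and the data at hand is the ipfw log. As an added example (not part of the thread, and not code from FreeBSD or from either poster), the following Python script parses ipfw syslog lines in the layout quoted above, counts accepted inbound connections to the telnet port per source address, and flags sources that opened several connections within a short window. The sample lines are constructed with RFC 5737 documentation addresses; the line layout is taken from the quoted lines, the ICMP entry format is an assumption, and the script is not an official ipfw log parser.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not from any real system). The layout follows the
# FreeBSD 4.x ipfw syslog lines quoted in the thread, with RFC 5737 documentation
# addresses in place of the original ones. The last line is an assumed ICMP entry,
# included only to show that lines without ports are skipped rather than mis-parsed.
SAMPLE_LOG = """\
May  5 16:27:45 cx17105-b /kernel: ipfw: 4000 Accept TCP 198.51.100.26:58981 192.0.2.10:23 in via ep0
May  5 16:27:46 cx17105-b /kernel: ipfw: 4000 Accept TCP 198.51.100.26:59085 192.0.2.10:23 in via ep0
May  5 16:27:47 cx17105-b /kernel: ipfw: 4000 Accept TCP 198.51.100.26:59086 192.0.2.10:23 in via ep0
May  5 16:40:02 cx17105-b /kernel: ipfw: 4000 Accept TCP 203.0.113.5:1034 192.0.2.10:22 in via ep0
May  5 16:41:10 cx17105-b /kernel: ipfw: 65000 Deny UDP 203.0.113.9:53 192.0.2.10:1025 in via ep0
May  5 16:41:11 cx17105-b /kernel: ipfw: 65000 Deny ICMP:8.0 203.0.113.9 192.0.2.10 in via ep0
"""

# One TCP/UDP ipfw line: timestamp, host, rule number, action, protocol,
# src:port, dst:port, direction and interface.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) /kernel: ipfw: "
    r"(?P<rule>\d+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) "
    r"(?P<direction>in|out) via (?P<iface>\S+)$"
)


def parse_ipfw_log(text):
    """Return (records, skipped): parsed TCP/UDP lines and the number of non-empty
    lines the pattern does not cover (ICMP entries, unrelated syslog noise)."""
    records, skipped = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            if line.strip():
                skipped += 1
            continue
        rec = m.groupdict()
        # syslog timestamps carry no year; strptime defaults to 1900, which is fine
        # for deltas inside one log file but breaks across a year boundary.
        rec["time"] = datetime.strptime(re.sub(r"\s+", " ", rec["ts"]), "%b %d %H:%M:%S")
        for key in ("rule", "sport", "dport"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records, skipped


def accepted_by_source(records, dport, direction="in"):
    """Count accepted connections to one destination port, per source address."""
    counts = defaultdict(int)
    for r in records:
        if r["action"] == "Accept" and r["direction"] == direction and r["dport"] == dport:
            counts[r["src"]] += 1
    return dict(counts)


def burst_sources(records, dport, window_seconds=60, threshold=3):
    """Sources that opened at least `threshold` accepted connections to `dport`
    within any span of `window_seconds`; a sliding window over sorted timestamps."""
    times = defaultdict(list)
    for r in records:
        if r["action"] == "Accept" and r["dport"] == dport:
            times[r["src"]].append(r["time"])
    hits = []
    for src, ts in times.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):
            while (ts[end] - ts[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                hits.append(src)
                break
    return sorted(hits)


if __name__ == "__main__":
    recs, skipped = parse_ipfw_log(SAMPLE_LOG)
    print(f"parsed {len(recs)} TCP/UDP lines, skipped {skipped}")
    for src, n in sorted(accepted_by_source(recs, 23).items()):
        print(f"telnet (port 23) accepted from {src}: {n} connection(s)")
    print("sources bursting on port 23:", burst_sources(recs, 23))
```

On a real gateway the input would be /var/log/security rather than the embedded sample; the per-source counts and the burst list are the first thing to compare against the question in the reply (was it your own login, or an unknown address that connected three times in two seconds?) before drawing any conclusion about an exploit.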