Friday, March 2

Solaris Worm



Okay, so Sun made a whoopsie and committed some code to Login that apparently introduced a vulnerability that existed waaaay back in 1994. (Awesome)

Well it wasn’t long before someone coupled together a shell script and the exploit, packaged it up, and send it flying across the internet.

Now.

1) If you got infected, IMO, it’s your own dumb fault. If you are running Solaris (or ANYTHING) with a publicly facing open port 23 (telnet), you are nuts. Mmmkay?
2) If you didn’t patch or shutoff the vulnerable service when the vulnerability came out. You are just nuts..

Jose Nazario over at Arbor sent this into the Internet Storm Center: this article That outlines it.

If you look at the port graph over at the ISC: Check it out You can see the amount of port 23 scans have shot up.




The thing I want you to pay attention to, is the number of targets shot up to around 50K, but the sources were very very low. An isolated subnet in France. Hmmm..

Anyway, Sun made a “Worm removal script” here that you can use, but lets take a look at it.

The worm creates files in /var/adm and /var/spool/lp called “.profile” -- okay, makes sense.

/var/spool/lp/admins/.lp <-- okay.
/var/adm/sa/.adm <-- okay..

Heres the processes the worm spawns, and how to kill them:

/bin/pkill -9 -u lp 'lpshut|lpsystem|lpadmin|lpmove|lpusers|lpfilter|lpstat|lpd|lpsched|lpc'

/bin/pkill -9 -u adm 'devfsadmd|svcadm|cfgadm|kadmind|zoneadmd|sadm|sysadm|dladm|bootadm|routeadm|uadmin|acctadm|cryptoadm|inetadm|logadm|nlsadmin|sacadm|syseventadmd|ttyadmd|consadmd|metadevadm'

Have fun. While you are at it. get rid of Solaris.

No comments: