US-CERT:
> http://www.us-cert.gov/current/#sunwrmexinet
Updated: March 1, 2007
Solaris.Wanukdoor
- http://www.symantec.com/security_res...202-99&tabid=3
Updated: March 1, 2007
Also Known As: SunOS/Wanukdoor [McAfee]
Type: Trojan
"...Once the threat attacks a computer, it is difficult to determine what else the computer has been exposed to. In most cases, changes other than those made by the threat will not have occurred. However, the author of the threat may have been able to use the threat to access the computer to make changes to it. Unless you can be absolutely sure that malicious activity has not been performed on the computer, we recommend completely reinstalling the operating system."
More...
- http://www.symantec.com/enterprise/s...lnet_worm.html
February 28, 2007 ~ "Soon after information was released about a vulnerability in the in.telnetd daemon in Solaris 10, Symantec's Deepsight monitoring system began to see spikes in port 23 traffic. Most of this traffic was due to people scanning for vulnerable systems. However, yesterday we saw a renewed spike in traffic that has been correlated to a worm known as Wanuk, which uses the vulnerability to spread... Once Wanuk is on the system, it drops an executable that creates a /bin/sh back door, which listens on port 32982/TCP. In addition, Wanuk's payload includes sending out system broadcast messages of creatively designed shout-outs to a variety of security researchers... This will only happen one-third of the time at noon on the 13th of the month if the threat starts between 1 am and 5 am. Those affected should ensure they have patched or disabled telnet as a workaround..."
(Graphics available at the URL above.)
> http://isc.sans.org/port.html?port=23
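
A host triage check built on the details quoted above (a /bin/sh back door listening on 32982/TCP, spread through telnet on port 23). It is an added example, not code from Symantec, US-CERT or SANS. It parses Solaris `netstat -an -P tcp` output; the sample output, addresses and finding labels are constructed for illustration.

```python
BACKDOOR_PORT = 32982  # back door port named in the Symantec write-up
TELNET_PORT = 23       # in.telnetd, the service the worm spreads through

# Constructed sample of Solaris `netstat -an -P tcp` output (documentation IP ranges).
SAMPLE_NETSTAT = """\
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.23                 *.*                0      0 49152      0 LISTEN
      *.22                 *.*                0      0 49152      0 LISTEN
      *.32982              *.*                0      0 49152      0 LISTEN
192.0.2.10.32982     198.51.100.7.40112   49640      0 49640      0 ESTABLISHED
192.0.2.10.22        192.0.2.50.51234     49640      0 49640      0 ESTABLISHED
"""

def parse_rows(text):
    """Yield (local_host, local_port, remote, state) for each socket row."""
    for line in text.splitlines():
        fields = line.split()
        # Solaris prints addresses as host.port; headers and rulers have no such field.
        if len(fields) < 3 or "." not in fields[0]:
            continue
        host, _, port = fields[0].rpartition(".")
        if port.isdigit():
            yield host, int(port), fields[1], fields[-1]

def triage(text):
    """Return (label, detail) findings relevant to the Wanuk description."""
    findings = []
    for host, port, remote, state in parse_rows(text):
        if port == BACKDOOR_PORT and state == "LISTEN":
            # Strong signal: something is accepting connections on the back door port.
            findings.append(("backdoor-listener", f"{host}.{port}"))
        elif port == BACKDOOR_PORT and state == "ESTABLISHED":
            # Weaker signal: may also be an ordinary ephemeral source port; treat as a lead.
            findings.append(("port-32982-session", remote))
        elif port == TELNET_PORT and state == "LISTEN":
            # Telnet still enabled: the advisory says to patch or disable it.
            findings.append(("telnet-enabled", f"{host}.{port}"))
    return findings

if __name__ == "__main__":
    for label, detail in triage(SAMPLE_NETSTAT):
        print(f"{label}: {detail}")
```

On a live host, feed the function the real `netstat -an -P tcp` output instead of the sample. A clean result does not clear the machine, given the reinstall guidance quoted above.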