Request for Help, OOB Chat Room Keeps London Working During Attack

Published: 2005-07-09
Last Updated: 2006-01-09 13:18:54 UTC
by Dave Brookshire (Version: 1)
0 comment(s)
Good morning!


Request for Help



This morning the Handlers received a note from Ian Tomkinson that he had detected the following in their web server access logs. It caught his attention because of the "ISC.SANS.DFind" string--probably an attempt to make the traffic look legitimate.



xxx.xxx.xxx.xxx - - [08/Jul/2005:18:51:35 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:)
HTTP/1.1" 400 320 "-" "-"


This hit was followed up by a scan for phpmyadmin, using a tool called "PMAFind"


Please review your web server logs for anything with this string in it. Should you find a hit, please submit a copy of the log excerpt to http://isc.sans.org/contact.php

Update: see http://isc.sans.org/diary.php?storyid=900

Thanks!

Internet Chat Room Keeps London Trading Alive During Attack



This story caught my attention yesterday, while reading some of the coverage of the bombing attacks in London. The details are itself are simplified a bit, but the gist of it is this: many financial (and I'm sure other) institutions were able to continue operating during the crisis last week through the use of what I'd call out-of-band communications mechanisms, including websites and chat rooms, setup as a response to the terror attacks of 911. It also talks about the improved contingency planning that has occured because of the same.

One of the true stories behind these terrible events is certainly how well infrastructure bits have held up.

Food for thought: do you have any out-of-band mechanisms in case some of your major systems fail? Even something simple as a published e-mail address not hosted on your own systems may be useful. Perhaps a Jabber server, or an IRC chat room somewhere?

http://www.alertnet.org/thenews/newsdesk/L08557431.htm
-------------------------




Dave Brookshire

SANS ISC Handler-on-Duty
Keywords:
0 comment(s)

Comments


Diary Archives