SANS ISC InfoSec Handlers Diary Blog

IT Help for Katrina victims; More Katrina Malware; Gas shortage hoax e-mail; MS05-043 exploits in the wild?; Scanning for old Cisco vulnerabilities

Published: 2005-09-02
Last Updated: 2005-09-03 00:23:01 UTC
by Jim Clausing (Version: 1)
0 comment(s)

IT Help For Katrina victims

We did get requests from a number of people who would like to help any way they can. If you know of any web sites where people can offer help, or ask for help, let us know. We will set up a page with links to various sites. If you are in need of IT assistance, or if you would like to provide some, let us know and we will try to match up helpers and people in need. FEMA has a listing of organizations that accept cash donations as well as materials/volunteer contributions: http://www.fema.gov/press/2005/katrinadonations.shtm .

UPDATE: (23:25 UTC) One organization that we've been made aware of that is in need of people with technical skills is part-15.org. They are apparently coordinating the FCC/FEMA efforts to reconstruct the communications infrastructure in the disaster area. They have a need for systems integrators and network engineers; see http://www.part-15.org/emergencyrelief/katrina.html . Another one that we've been made aware of that is coordinating relief activity for educational institutions (not limited to technical/IT) is Educause. END UPDATE

Our handler Kevin notes: "For those that are action oriented, contact your local chapter of the American Red Cross (use the "find your local chapter feature" here: http://www.redcross.org/services/disaster ) and talk to their volunteer services coordinator. They will enter you into their training program (I know that a lot are accelerating the training for national responders now.) There is plenty of geek-work to be had setting up the communications network to link LANs, wireless, satellite, VoIP, etc. Just be willing to give them three weeks of your life."

Do not travel to the disaster area without coordinating with one of the relief agencies first! See http://www.fema.gov and http://www.redcross.org for information on making donations/volunteering.

UPDATE: (17:20 UTC) We received several notes about e-mail purportedly from the American Red Cross, but pointing to arc.convio.net, possibly being a scam; this is not the case. They (Convio) are handling online donations for the Red Cross, though they apparently had some problems yesterday. We also received a note from Mike in the InfoSec group at the American Red Cross, asking that any e-mail or web sites that look like they might be scams trying to use the Red Cross name be forwarded to infosec@usa.redcross.com. END UPDATE

More Katrina Malware

The latest malware spotted uses the subject line: "Is Government Reaction to Katrina Because of Loss of Life, or Loss of Property?". A link in the email will lead to the malware.

Gas shortage hoax e-mail

There is a hoax e-mail making the rounds about a gas shortage. Don't run out and create a shortage. And now, we have reports from one of our readers (thanx, Rikki) who is seeing e-mails about a gas shortage floating around. The facts are, yes, there have been gas stations that have run out of gasoline. That is mostly because people have flocked to them to fill up fearing a shortage (can you say self-fulfilling prophecy?). Yes, some refining capacity in the US has been impacted by the hurricane, but we won't know the impact of that for some time yet. In the meantime, there is gasoline available in the US, and stations are still getting deliveries. Yes, the prices have gone up and conserving would be a good idea, but there is no evidence of an imminent widespread shortage outside of the areas that suffered direct infrastructure damage earlier this week. Remain calm.

MS05-043 exploit in the wild?

We are hearing about possible exploits for the vulnerability described in MS05-043 (the print spooler service) in the wild. If anyone has captures of such a beast, please share it with our malware group. In any event, since Microsoft rated this vulnerability as critical, I hope everyone is patched by now (a guy can dream, can't he?).

Scanning for old Cisco vulnerabilities

We started hearing reports last week of machines scanning web servers looking for an odd URL. The GET request is

    GET /level/16/exec/-///pwd  HTTP/1.0

This scanning is apparently picking up steam. We're not sure exactly why this is increasing since this exploit is for a Cisco vulnerability from 2001, so hopefully, most routers out there have long since been patched against this one (and a number of others that have come after). Also, our usual advice for practicing defense-in-depth suggests that, a) if you don't use the http management feature of the router, turn it off; and b) if you do use it, it should only be accessible from a protected management network.
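If you want to see whether your own web servers are being hit by this scanning, the request is easy to spot in access logs. The following is an added example (not part of the original diary and not an ISC tool): a small Python script that parses common-format access log lines, flags any request whose path has the /level/<n>/exec/ shape, and counts hits per source address. It assumes Apache/nginx common log format; the log lines are constructed for the example, with the first one reproducing the request above exactly (double space included), and the IPs come from documentation ranges rather than real hosts. It generalizes slightly beyond the request shown by matching any one- or two-digit level number, since the level is the part of the path a scanner is most likely to vary.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Assumption: the web server writes Apache/nginx "common" log format lines.
# Whitespace inside the quoted request is matched with \s+ because the probe
# reported in the diary carries two spaces before "HTTP/1.0", and Apache logs
# the request line verbatim.
LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The URL form from the scans described above: /level/<n>/exec/...
# Any one- or two-digit level is flagged, not only 16.
CISCO_LEVEL_RE = re.compile(r'^/level/(?P<level>\d{1,2})/exec(?:/|$)', re.IGNORECASE)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one access-log line; return None for lines that don't fit the format."""
    m = LOG_LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_cisco_level_probe(path: str) -> bool:
    """True if the request path has the /level/<n>/exec/ shape."""
    return CISCO_LEVEL_RE.match(path) is not None


def find_probes(log_text: str) -> List[Dict[str, str]]:
    """Return the parsed entries whose path looks like the level/exec probe."""
    probes = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable line: skip it rather than crash on junk input
        if is_cisco_level_probe(entry["path"]):
            probes.append(entry)
    return probes


def count_by_source(probes: List[Dict[str, str]]) -> Dict[str, int]:
    """Count probes per source IP; watching this over time shows whether the scanning is growing."""
    return dict(Counter(p["ip"] for p in probes))


# Constructed sample log (documentation IP ranges, not real hosts). The first
# line reproduces the request reported in the diary, double space included.
SAMPLE_LOG = """\
192.0.2.10 - - [02/Sep/2005:14:03:11 +0000] "GET /level/16/exec/-///pwd  HTTP/1.0" 404 209
198.51.100.7 - - [02/Sep/2005:14:03:15 +0000] "GET /index.html HTTP/1.1" 200 1043
192.0.2.10 - - [02/Sep/2005:14:03:19 +0000] "GET /level/17/exec/-///pwd HTTP/1.0" 404 209
203.0.113.5 - - [02/Sep/2005:14:04:02 +0000] "GET /favicon.ico HTTP/1.1" 404 209
this line is not an access-log entry at all
"""

if __name__ == "__main__":
    hits = find_probes(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}')
    print("probes per source:", count_by_source(hits))
```

Run against the constructed sample, it reports the two level/exec requests from 192.0.2.10 and ignores the ordinary page fetches and the malformed line. On a real server, feed it the access log and keep an eye on the per-source counts; a 404 for these paths on a web server is harmless noise, but the same request reaching a router's HTTP management interface is exactly why that interface should be off or restricted to a management network, as the diary advises.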

Happy Labor Day

For those of you in the US, I hope you have a happy, uneventful holiday weekend.
-----------------
Jim Clausing (with mucho help from the other handlers, thanx gang)
Chief Bot Herder