SANS ISC: Internet Storm Center

Latest Diaries

Request for Packets: Port 15454

Published: 2018-07-18
Last Updated: 2018-07-18 18:52:01 UTC
by Kevin Liston (Version: 2)

Starting 12-JUL-2018 the number of DShield participants reporting probes for port 15454 started to rise.  It popped up on the experimental trends report (https://isc.sans.edu/trends.html) yesterday.  Fellow handler Richard Porter thought it sounded like a "debugger port for an App" and after a quick jaunt to The Googles he returned with an old report that this port opens up when the Cloud9 IDE is doing its thing. (Source: https://stackoverflow.com/questions/39007572/cloud9-debugger-listening-on-port-15454)

We're curious if that initial guess is correct or not.  Are you seeing this as well?  Any pattern to the source or interesting tool marks?  Or better yet: Got Packets?

If so, hit us up on the contact form: https://isc.sans.edu/contact


UPDATE:

Looking at my own sensors, I see one source, 185.208.208.198.  It was looking for ports in the 15000 range.  So looking at the DShield logs for ports 15453, 15455 and 15456 around 15454, you see a similar uptick.  In addition to the 15000 ports it was also hitting 22.

Keywords: 15454
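As an added illustration (not part of the diary or of the DShield tooling), here is the check the update describes done over a few constructed log lines in a simplified field layout: group hits by source, flag any source that touches several neighbouring ports in the 15000 range, and list what else it probed (the page's port 22).

```python
from collections import defaultdict

# Constructed sample lines in a simplified DShield-style layout:
# date time source_ip source_port dest_ip dest_port protocol
SAMPLE_LOG = """\
2018-07-12 03:14:07 185.208.208.198 41022 10.0.0.5 15454 tcp
2018-07-12 03:14:09 185.208.208.198 41023 10.0.0.5 15453 tcp
2018-07-12 03:14:11 185.208.208.198 41024 10.0.0.5 15455 tcp
2018-07-12 03:14:12 185.208.208.198 41025 10.0.0.5 15456 tcp
2018-07-12 03:15:01 185.208.208.198 41030 10.0.0.5 22 tcp
2018-07-12 03:20:44 198.51.100.7 50001 10.0.0.5 15454 tcp
2018-07-12 03:21:00 203.0.113.9 50002 10.0.0.5 443 tcp
"""

def parse(log):
    """Yield (src_ip, dst_port) pairs, skipping blank or malformed lines."""
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue
        try:
            yield fields[2], int(fields[5])
        except ValueError:
            continue

def ports_by_source(log):
    """Map each source IP to the set of destination ports it touched."""
    seen = defaultdict(set)
    for src, port in parse(log):
        seen[src].add(port)
    return seen

def range_sweepers(log, low, high, min_ports=3):
    """Sources that hit at least min_ports distinct ports in [low, high]."""
    result = {}
    for src, ports in ports_by_source(log).items():
        in_range = sorted(p for p in ports if low <= p <= high)
        if len(in_range) >= min_ports:
            result[src] = in_range
    return result

def other_ports(log, src, low, high):
    """Ports a flagged source hit outside the range (e.g. the SSH probes)."""
    return sorted(p for p in ports_by_source(log).get(src, set()) if not low <= p <= high)

if __name__ == "__main__":
    for src, ports in range_sweepers(SAMPLE_LOG, 15000, 15999).items():
        print(src, ports, "also hit:", other_ports(SAMPLE_LOG, src, 15000, 15999))
```

A single hit on 15454 alone (the second source above) is not flagged, which is the point of checking the neighbouring ports rather than the one port that trended.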

Oracle Critical Patch Update Release

Published: 2018-07-17
Last Updated: 2018-07-18 02:38:21 UTC
by Scott Fendley (Version: 1)

Oracle released their quarterly critical patch update today.  This patch addresses a record number of 334 vulnerabilities across a wide set of Oracle-supported products.

Vulnerabilities in Weblogic, Oracle Spatial, and Oracle Fusion Middleware MapViewer are rated with CVSS scores of 9.8.  Deserialization-based attacks within Weblogic server have been used as attack vectors in the past year, and used to install crypto miner campaigns.  It is likely that these types of campaigns will continue for the foreseeable future.

We recommend the review of the full CPU release to identify impacted software packages within your organization, and make plans to address those that create the largest risk.  The full bulletin is available from Oracle at the URL http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html.


Scott Fendley, ISC Handler
