
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2004-05-06



Reading Logs / More Phishing / TCP 135, Welchia and Lovgate / Sasser slowing / Egress Filtering and You

Published: 2004-05-06
Last Updated: 2004-05-07 03:45:13 UTC
by Chris Carboni (Version: 1)
Reading Your Logs Pays Off

Chas Tomlin, a sysadmin and programmer for the University of Southampton, noticed some odd entries in his web logs and forwarded them to the ISC for analysis. Examination showed that an attack based on the do_brk exploit ( http://secunia.com/advisories/10328/ ) was attempted and failed. Systems shown to be vulnerable to this attack run the following kernels:

2.4.20-18.9 as shipped with RedHat 9.0

2.4.22 (vanilla)

2.4.22 with grsecurity patch

Please make sure your systems are patched and/or upgraded as needed.

Another eBay Phishing Scam

Anthony Congiano, a helpdesk administrator, alerted the ISC earlier today to another attempt at phishing information from eBay users. The e-mail in question tells the recipient that their account has been used "to make fake bids" and "you are required to verify your eBay account by following the link below." The scam is designed to collect eBay member names, user names, passwords and credit card information. eBay and the web host have been notified.

Port 135 Spikes, Lovgate and Welchia

The traffic pattern on port 135 (TCP) noted in yesterday's diary entry continues today but appears to have diminished in intensity. Packet captures in affected areas have shown an RPC DCOM attack, which is one of the infection vectors for the new Lovgate and Welchia variants identified yesterday. There are additional methods of infection for both worms.

Fixes for the vulnerabilities exploited by Welchia and Lovgate were made available in 2003. Multiple worms and bots are currently scanning for these vulnerabilities.
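The diary's point is that reading your own logs pays off. As an added example (not part of the original diary, and not code from the ISC), the following script runs simple detection logic over a few constructed iptables-style firewall log lines to flag sources that are sweeping many internal hosts on TCP/135, the pattern the RPC DCOM scanning described above would leave behind. The log format, addresses and the threshold of three distinct targets are all assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (iptables LOG target style).
# These are made up for the example and are not from the diary.
SAMPLE_LOG = """\
May  6 10:01:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=3412 DPT=135 SYN
May  6 10:01:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.11 PROTO=TCP SPT=3413 DPT=135 SYN
May  6 10:01:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.12 PROTO=TCP SPT=3414 DPT=135 SYN
May  6 10:01:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.13 PROTO=TCP SPT=3415 DPT=135 SYN
May  6 10:01:04 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=80 SYN
May  6 10:01:05 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=135 SYN
May  6 10:01:06 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.14 PROTO=TCP SPT=3416 DPT=445 SYN
"""

# Pull source, destination, protocol and destination port out of each line.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_lines(text):
    """Return a list of (src, dst, proto, dport) tuples for lines that match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["src"], m["dst"], m["proto"], int(m["dpt"])))
    return events


def count_targets(events, port=135, proto="TCP"):
    """Map each source address to the set of distinct hosts it probed on port/proto."""
    targets = defaultdict(set)
    for src, dst, p, dport in events:
        if p == proto and dport == port:
            targets[src].add(dst)
    return targets


def find_scanners(events, port=135, proto="TCP", threshold=3):
    """Sources that touched at least `threshold` distinct hosts on the given port.

    A single connection to TCP/135 may be legitimate RPC traffic; one source
    walking across many hosts on that port is what a worm sweep looks like.
    """
    targets = count_targets(events, port, proto)
    return sorted(src for src, dsts in targets.items() if len(dsts) >= threshold)


if __name__ == "__main__":
    events = parse_lines(SAMPLE_LOG)
    targets = count_targets(events)
    for src in find_scanners(events):
        print(f"{src} probed {len(targets[src])} hosts on TCP/135 - investigate")
```

On the constructed input only 198.51.100.7 is reported: it hit four different hosts on TCP/135, while 203.0.113.9 made a single TCP/135 connection and is left alone. In a real deployment the threshold should be tuned to the normal RPC traffic on the network, and the same function can be pointed at TCP/445 or TCP/139 to catch the other infection vectors mentioned for these worms.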

Lovgate

McAfee: http://vil.nai.com/vil/content/v_101157.htm

Symantec: http://securityresponse.symantec.com/avcenter/venc/data/w32.lovgate.r@mm.html

Welchia

Trend Micro: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NACHI.K

Sasser

Sasser also seems to be slowing down as systems are patched and anti-virus updates are applied. For some interesting reading on Sasser's effects, look at these pages:
http://www.foxnews.com/story/0,2933,118959,00.html

http://news.bbc.co.uk/2/hi/technology/3682537.stm

Further Reading

If you are not familiar with egress filtering, take a look at SANS instructor Chris Brenton's paper on the subject at:
http://www.sans.org/rr/papers/index.php?id=1059
and find out how you can make your network less appealing to would-be attackers.

-------

Chris Carboni - chris.carboni_at_verizon.net