
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-07-22 InfoSec Handlers Diary Blog



Port 1433 TCP scanning is up!; Firefox 1.0.6 available - Critical Update; MySQL patches zlib remote vuln; Glitch in The Matrix - Port 2100; One RingTone to Rule Them All?; SlimFTPd vuln PoC released;

Published: 2005-07-22
Last Updated: 2005-07-22 23:26:57 UTC
by Patrick Nolan (Version: 1)
0 comment(s)

Firefox 1.0.6 available - Critical Update

Shane Castle just sent a note to us that Firefox 1.0.6 is out. Thanks Shane!


And contributor Don Thornton sent us the following information - "Firefox 1.0.6 is a stability fix, not a security fix. It's marked critical because of the number of problems reported using 1.0.5. According to the release notes at
the only thing changed in this version was to "Restore API compatibility for extensions and web applications that did not work in Firefox 1.0.5." Thanks Don!

MySQL patches zlib remote vuln

MySQL Vendor Information

Security improvement: Applied a patch that addresses a zlib data vulnerability that could result in a buffer overflow and code execution. (CAN-2005-2096) (Bug #11844)

Secunia Advisory: SA16170
Release Date: 2005-07-22
Highly critical
Impact: DoS, System access
Where: From remote
Solution Status: Vendor Patch
Software: MySQL 4.x

Glitches in The Matrix

Port 1433 TCP scanning is approaching record highs.

Port 2100 (Oracle XDB) scanning has been seen spiking/increasing at DShield, REN-ISAC and the MyNetWatchman reporting sites.

Port 3001 is rising too.

Please participate and submit any unusual activity or captures! Thanks!

One RingTone to Rule Them All?

MobileATM application concerns.

John Leyden has another interesting Register article -
- that covers British Bank deployment plans for MobileATM and discusses a security consulting firm's experience testing similar mobile-phone application security.

The security consulting firm bases its "warning on tests of other mobile Java applications on behalf of several clients in the mobile gambling market rather than on the MobileATM service, which it hasn't tested. Ken Munro, managing director of SecureTest, said the comparison is appropriate because the same type of technology and distribution methods are applied in both cases."

I note here that my use of "RingTones" as a title is editorial license; there is no connection between RingTones and the security issues covered in the article, yet ...

PoC has been released for the SlimFTPd Multiple Commands Remote Buffer Overflow Vulnerability

- "have buffer overflow vulnerabilities that could potentially lead to remote code execution. The exploits are only possible if the remote user can successfully log in. Users are advised to upgrade to SlimFTPd 3.17 immediately!"

Vuln Announcement at FrSIRT -

New Spam Details

Eric Conrad, Jim Slora, and an anonymous contributor sent information about new spam they're seeing on their networks today. The spam has the following characteristics:

"The Subject line is merely "1", the forged mailfrom is approximately the first 8 characters of the target address plus a forged domain. There is an attachment called "1.txt" and a message text body that begins on a new line "ICA=" plus three characters, the first one of which may be low-bit ASCII and the second two are low-bit or high-bit.

The sources include zombie networks, normal mail servers, and bounced messages from normal servers."

Thanks for the analysis and submissions folks!
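For handlers who want to pick this campaign out of their own mail logs, here is an added example (not part of the diary or the submitters' material) that turns the four reported traits into a small Python scorer; the sample messages are constructed for illustration, and the "approximately 8 characters" sender heuristic is an assumption about how loosely to read that description.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Body marker reported by the submitters: "ICA=" on a new line, then three
# characters, the first low-bit ASCII, the next two low-bit or high-bit.
ICA_RE = re.compile(r"\A\r?\n?ICA=[\x00-\x7F].{2}", re.DOTALL)


def sender_mirrors_recipient(mail_from: str, rcpt_to: str) -> bool:
    """Sender local-part is roughly the first 8 chars of the target address
    (assumed 7..9 here) glued onto a domain other than the recipient's."""
    s_local, _, s_domain = mail_from.lower().partition("@")
    r_local, _, r_domain = rcpt_to.lower().partition("@")
    return (7 <= len(s_local) <= 9 and s_domain != r_domain
            and (r_local + "@" + r_domain).startswith(s_local))


def spam_indicators(raw: bytes) -> list:
    """Return the names of the reported traits present in one raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if str(msg.get("Subject", "")).strip() == "1":
        hits.append("subject_is_1")
    sender = parseaddr(str(msg.get("From", "")))[1]
    rcpt = parseaddr(str(msg.get("To", "")))[1]
    if sender_mirrors_recipient(sender, rcpt):
        hits.append("sender_mirrors_recipient")
    if any(p.get_filename() == "1.txt" for p in msg.iter_attachments()):
        hits.append("attachment_1.txt")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and ICA_RE.match(body.get_content()):
        hits.append("body_ICA=")
    return hits


def is_suspect(raw: bytes, min_hits: int = 3) -> bool:
    """Flag only when several traits coincide, to keep false positives down."""
    return len(spam_indicators(raw)) >= min_hits


# Constructed samples (not real captures): one matching the report, one benign.
SPAM_SAMPLE = b"\n".join([
    b"From: johnsmit@forged-domain.test", b"To: johnsmith@victim.test",
    b"Subject: 1", b"MIME-Version: 1.0",
    b'Content-Type: multipart/mixed; boundary="b1"', b"", b"--b1",
    b"Content-Type: text/plain; charset=iso-8859-1", b"", b"",
    b"ICA=q\xe9\xfc", b"--b1", b'Content-Type: text/plain; name="1.txt"',
    b'Content-Disposition: attachment; filename="1.txt"', b"",
    b"placeholder attachment body", b"--b1--", b""])
HAM_SAMPLE = b"\n".join([b"From: alice@example.test", b"To: bob@victim.test",
                         b"Subject: Lunch", b"", b"See you at noon.", b""])
```

Feed raw messages from a quarantine or mail spool to `spam_indicators()` to see which traits fire; `is_suspect()` requires three of the four so a lone Subject "1" does not trip it.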

Patrick Nolan