xmlrpc.php - Are you patched?
We're seeing increased scanning / exploit attempts against the xmlrpc.php vulnerabilities noted in our June 30th diary. This function library is used in various web-based packages such as PEAR, postnuke, drupal, TikiWiki, and b2evolution. If you aren't patched yet... well... what are you still sitting here reading for?
Updated TWiki Snort Sig
This is an update to a Snort sig that we posted earlier for the recently announced TWiki vulnerability that allows remote code execution:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:\
"BLEEDING-EDGE WEB twiki rev access"; flow:to_server,established; \
uricontent:"/TWikiUsers?"; nocase; pcre:"/rev=\d*[^\d\&\n]/Ui"; \
classtype:web-application-activity; reference:url,secunia.com/\
advisories/16820/; sid:2002366; rev:3;)
Note: This is a single line that has been broken to allow for better formatting in the diary. The "\" characters at the end of the lines above show where the line breaks have been added. Many thanks to Joe Esler, Chas Tomlin, Jason Brvenik, and Frank Knobbe (who, coincidentally, ported LaBrea to Win32 before I did...) and all the folks from Bleeding Edge (you guys rock!).
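For anyone who wants to run the same logic over web server logs rather than live traffic, here is an added example (not part of the diary, not from Bleeding Edge) that mirrors the rule above in Python: the uricontent check on "/TWikiUsers?" (nocase) plus the rev= pcre, applied to the request URI only, which is what the rule's U modifier does in Snort. The log lines are constructed for the test and use documentation addresses.

```python
import re

# Constructed Apache combined-format log lines for testing; not from the diary.
SAMPLE_LOG = """\
192.0.2.10 - - [19/Sep/2005:10:01:22 +0000] "GET /twiki/bin/view/Main/TWikiUsers?rev=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.11 - - [19/Sep/2005:10:01:23 +0000] "GET /twiki/bin/view/Main/TWikiUsers?rev=2a HTTP/1.1" 200 5120 "-" "curl/7.13"
192.0.2.12 - - [19/Sep/2005:10:01:24 +0000] "GET /twiki/bin/view/Main/WebHome?rev=2x HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.13 - - [19/Sep/2005:10:01:25 +0000] "GET /twiki/bin/view/Main/TWikiUsers?rev=3&raw=on HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.14 - - [19/Sep/2005:10:01:26 +0000] "GET /twiki/bin/view/Main/twikiusers?REV=7z HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Apache combined log: client IP, ident, user, [timestamp], "METHOD URI PROTOCOL", ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*"'
)

# Same expression as the rule's pcre, without the Snort-specific U modifier.
# U limits the match to the request URI, so the URI is extracted first instead
# of matching against the whole log line (where "rev=2 HTTP/1.1" would fire).
REV_RE = re.compile(r"rev=\d*[^\d&\n]", re.IGNORECASE)


def matches_twiki_rev_rule(uri: str) -> bool:
    """Mirror the rule: uricontent "/TWikiUsers?" (nocase) plus a rev= value
    that contains a non-digit before the next parameter or end of URI."""
    if "/twikiusers?" not in uri.lower():
        return False
    return REV_RE.search(uri) is not None


def scan_access_log(text: str) -> list:
    """Return (client_ip, uri) for every request that matches the rule."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a combined-format line; skip it
        uri = m.group("uri")
        if matches_twiki_rev_rule(uri):
            hits.append((m.group("ip"), uri))
    return hits


if __name__ == "__main__":
    for ip, uri in scan_access_log(SAMPLE_LOG):
        print(f"ALERT twiki rev access from {ip}: {uri}")
```

Note that, like the rule, this only looks at TWikiUsers requests and only flags rev values that contain something other than digits; a purely numeric rev, or a rev followed directly by "&", does not match.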
New Bagle Making the Rounds?
It looks like there is a new Bagle variant making the rounds. The (preliminary) information that we have is:
- The file arrives as a zipped attachment with a filename including the word "price" (price.zip, price2.zip, newprice.zip, 09_price.zip, etc...).
- Creates two files: C:\WINDOWS\system32\winshost.exe and C:\WINDOWS\system32\wiwshost.exe
- Launches winshost.exe from the HKLM\Software\Microsoft\Windows\CurrentVersion\Run key
- This has been classified (by at least one AV vendor) as: TROJ/BAGLEDL-U
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"VIRUS Bagle.CJ SMTP Inbound"; \
flow:to_server,established; content:"UEsDBBQAAAA"; content:"EEkIAAAG"; \
distance:12; within:20; reference:url,isc.sans.org/diary.php?date=2005-09-19; \
classtype: trojan-activity; sid: 15239638; rev:1;)
An alternate snort rule (provided by the folks at Bleeding Edge):
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg: "BLEEDING-EDGE VIRUS Possible \
Bagle.AQ Worm Outbound"; flow: to_server,established; content:"filename="; \
nocase; pcre:"m/(price2|new_price|08_price|09_price|newprice|new_price|price_new|\
price|price_08).zip/"; classtype: trojan-activity; reference:url,\
securityresponse.symantec.com/avcenter/venc/data/w32.beagle.av@mm.html; \
sid: 2001065; rev:6; )
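As an added example (our own, not from the diary or from Bleeding Edge), here is a Python mail-side check that combines the two rules' indicators: the attachment-name alternatives from the Bleeding Edge pcre (with the dot escaped so it matches a literal "."), and the "UEsDBBQAAAA" content match from the first rule, which is simply the base64 form of a zip local file header as it appears in the SMTP stream. The test message and its zip payload are constructed in the script; they are not a Bagle sample.

```python
import base64
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Attachment names from the Bleeding Edge rule above; "\." matches a literal dot.
BAGLE_NAME_RE = re.compile(
    r"(price2|new_price|08_price|09_price|newprice|price_new|price|price_08)\.zip$",
    re.IGNORECASE,
)

# content:"UEsDBBQAAAA" in the first rule is base64 of the zip local file header
# bytes PK 03 04 14 00 00 00 (signature, version 2.0, flags 0) in the SMTP stream.
ZIP_B64_PREFIX = b"UEsDBBQAAAA"
ZIP_MAGIC = b"PK\x03\x04"


def make_zip(inner_name: str, data: bytes) -> bytes:
    """Build a small in-memory zip (constructed test payload, not malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, data)
    return buf.getvalue()


def build_sample_message(attachment_name: str, payload: bytes) -> bytes:
    """Constructed test e-mail with one attachment, base64-encoded as on the wire."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.net"
    msg["Subject"] = "price"
    msg.set_content("see attached")
    msg.add_attachment(payload, maintype="application", subtype="zip",
                       filename=attachment_name)
    return msg.as_bytes()


def looks_like_rule_content(payload: bytes) -> bool:
    """True when the base64 encoding of the payload starts with the bytes the
    first rule's content match looks for, i.e. the payload is a zip."""
    return base64.b64encode(payload).startswith(ZIP_B64_PREFIX)


def check_message(raw: bytes) -> list:
    """Return (filename, is_zip) for each attachment whose name matches the rule.

    is_zip reports whether the decoded attachment really starts with a zip
    header, so a name-only hit can be triaged separately from name plus content."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if BAGLE_NAME_RE.search(name) is None:
            continue
        payload = part.get_payload(decode=True) or b""
        findings.append((name, payload.startswith(ZIP_MAGIC)))
    return findings


if __name__ == "__main__":
    sample = build_sample_message("new_price.zip", make_zip("price.exe", b"MZ" + bytes(64)))
    for name, is_zip in check_message(sample):
        print(f"suspicious attachment {name!r}, zip content: {is_zip}")
```

The filename alternation is the weak half of the match (any zip called price.zip trips it), which is why the first rule anchors on the encoded zip header instead; checking both, as above, keeps the name hit for triage while the content check confirms an actual archive was sent.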
Important Clam AV Update
Clam AV, the GPL antivirus toolkit for Unix, released version 0.87 late Friday afternoon GMT. This update fixes two problems in the handling of packed executables, one of which could allow execution of arbitrary code. Details on the issues can be found here.