Increased activity on TCP port 5250
As an update, we have had some readers (thanks Dr. Neal Krawetz, Thomas
Schmitzer and Brian Porter) point us to an exploit against the iGateway
service. This exploit was released on October 10 by FrSIRT and appears
to be what is causing the traffic. It allows for a telnet session to
port 1711, which also shows a one-day increase.
Thanks for all the input and if someone happens to grab packets, we'd
still like to see them to confirm. Also a thanks to Greg Holmes for
bringing this to our attention!
If you have captures of any of this traffic, please upload them via the contact page. Thanks in advance.
MS05-044 Folder View for FTP Sites - mailbag item
This is my slightly edited email response to a great point about Microsoft's MS05-044 Security Bulletin. It is a result of email exchanges with a contributor who wishes to remain anonymous:
Hi,
Well, Microsoft makes "Folder View for FTP Sites" a complex subject and certainly one I may be able to post "Workaround" information on in a Diary post.
AFAICT there are many variables involved in OS and IE "installation" (OEM settings, etc.) that can affect FTP Folder views. I did read a ton of MS KBs and the two best on the specific issue are referenced below. And I really appreciate your polite persistence in pushing me to read up on this important item. Thank you!
You're right that MS is misleading in its Security Bulletin presentation. Because so many factors like OEM and customer installation settings can enable the FTP folder view, the Security Bulletin should state a clear workaround on how to look for it in the IE Advanced tab and clearly state that you can disable it by unchecking/clearing it.
In the bulletin, in the "Mitigating Factors for FTP Client Vulnerability - CAN-2005-2126:" section, MS says:
"By default, the "Enable Folder View for FTP Sites" Internet Explorer setting is disabled on all affected operating system versions. An attacker would only be successful if the user manually enables the "Enable Folder View for FTP Sites" Internet Explorer setting on the affected system." This is clearly misleading!
And in the "Workarounds for FTP Client Vulnerability - CAN-2005-2126:" section they only say "Do not download files from un-trusted FTP servers" when they should ADD:
"YOU CAN DISABLE FTP FOLDER VIEW;
To disable FTP Folders, follow these steps:
1. Click Start, point to Settings, click Control Panel, and then double-click Internet Options.
2. Click the Advanced tab.
3. Under Browsing, to disable FTP Folders, CLEAR/UNCHECK the Use Web Based FTP or Enable Folder View for FTP sites check box.
NOTE: When you CLEAR/UNCHECK the Use Web Based FTP or Enable Folder View for FTP sites check box, you are disabling FTP Folder functionality."
So let me try and work something up on that end and see if I can get it into the diary.
Highest regards,
Pat
No option to install Web Folders when you install Internet Explorer 6
Article ID : 298637
Last Review : June 20, 2005
Revision : 5.0
How to Install and Use FTP Folders
Article ID : 217888
Last Review : September 28, 2004
Revision : 3.1