Snort signature and standalone detection tool

Published: 2005-10-21
Last Updated: 2005-10-21 21:29:10 UTC
by Kyle Haugsness (Version: 1)
As promised, here is a Snort signature to detect exploit attempts against the Back Orifice pre-processor vulnerability announced this week.  There is a fatal flaw with this signature, which will reduce its overall effectiveness when the attackers get smarter.  But I'm not going to disclose the fatal flaw.  In order to avoid the fatal flaw and detect all attacks, you will need to run the standalone program that is available here: http://handlers.sans.org/khaugsness/

Here's the Snort signature.  Don't forget to turn off the BO pre-processor in snort.conf if you are running a vulnerable version (comment out the "preprocessor bo" line)!  Also, don't forget to change the "sid" field below so that it does not collide with any other rule you already run...

alert udp any !31337 <> any !31337 ( \
msg: "BLEEDING-EDGE EXPLOIT Snort Back Orifice pre-processor buffer overflow attempt"; \
dsize: >1024; \
content:"|ce 63 d1 d2 16 e7 13 cf|"; \
offset: 0; \
depth: 8; \
threshold: type limit, track by_dst, count 1, seconds 60; \
classtype: attempted-admin; \
sid: 3000001; \
rev:1; \
)
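To make explicit what the signature above does and does not check, here is an added Python emulation of its matching logic. It is not the diary author's standalone tool and is not part of the original post: it reproduces only the rule header's port exclusions, dsize:>1024, the 8-byte content at offset 0 and the limit threshold, so it inherits whatever limitation the signature itself has. The packets it runs over are constructed, with addresses from the documentation range.

```python
"""Emulate the matching logic of the Back Orifice overflow Snort rule on UDP packets.

Added example; not Kyle Haugsness' standalone program and not part of the diary.
Only what the signature checks is reproduced (rule header, dsize, content,
threshold). All packets below are constructed.
"""
from collections import namedtuple

# content:"|ce 63 d1 d2 16 e7 13 cf|"; offset:0; depth:8;
MAGIC = bytes.fromhex("ce63d1d216e713cf")
MAX_NORMAL_DSIZE = 1024      # dsize:>1024 alerts on anything larger
EXCLUDED_PORT = 31337        # any !31337 <> any !31337

UdpPacket = namedtuple("UdpPacket", "ts src sport dst dport payload")


def parse_snort_content(content):
    """Turn a Snort content string into bytes: text outside |...| is literal,
    text inside is hex (e.g. 'ab|00 01|c' -> b'ab\\x00\\x01c')."""
    out = bytearray()
    for i, chunk in enumerate(content.split("|")):
        out += chunk.encode("latin-1") if i % 2 == 0 else bytes.fromhex(chunk)
    return bytes(out)


def rule_matches(pkt, magic=MAGIC):
    """Rule header plus payload options, without the threshold."""
    # <> is bidirectional and both port lists are !31337: neither end may be 31337
    if EXCLUDED_PORT in (pkt.sport, pkt.dport):
        return False
    if len(pkt.payload) <= MAX_NORMAL_DSIZE:       # dsize:>1024
        return False
    return pkt.payload[:len(magic)] == magic      # offset:0; depth:8


class LimitThreshold:
    """threshold: type limit, track by_dst, count N, seconds S

    Alert on the first N matches per destination within an S-second window
    that starts at the first match, then stay quiet until the window expires."""

    def __init__(self, count=1, seconds=60):
        self.count, self.seconds = count, seconds
        self.windows = {}    # dst -> (window_start, matches_seen)

    def allow(self, dst, ts):
        start, seen = self.windows.get(dst, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, seen = ts, 0
        seen += 1
        self.windows[dst] = (start, seen)
        return seen <= self.count


def run_detector(packets, count=1, seconds=60):
    """Return (ts, src, dst) for every packet that would raise an alert."""
    thr = LimitThreshold(count, seconds)
    return [(p.ts, p.src, p.dst)
            for p in packets
            if rule_matches(p) and thr.allow(p.dst, p.ts)]


def sample_packets():
    """Constructed traffic; addresses are from the 192.0.2.0/24 documentation range."""
    oversized = MAGIC + b"A" * 1200    # longer than the rule's dsize limit
    normal = MAGIC + b"A" * 100        # ordinary-sized BO traffic; outside this rule's scope
    return [
        UdpPacket(0,  "192.0.2.5", 40000, "192.0.2.9",  53,    oversized),  # alert
        UdpPacket(10, "192.0.2.5", 40001, "192.0.2.9",  53,    oversized),  # same dst within 60 s: suppressed
        UdpPacket(20, "192.0.2.5", 40002, "192.0.2.9",  31337, oversized),  # port 31337 excluded by header
        UdpPacket(30, "192.0.2.5", 40003, "192.0.2.10", 53,    normal),     # dsize too small
        UdpPacket(70, "192.0.2.6", 40004, "192.0.2.9",  53,    oversized),  # window expired: alert
        UdpPacket(75, "192.0.2.6", 40005, "192.0.2.10", 53,    oversized),  # other dst: alert
    ]


if __name__ == "__main__":
    for ts, src, dst in run_detector(sample_packets()):
        print(f"t={ts:>3}s  BO pre-processor overflow attempt  {src} -> {dst}")
```

Note what the threshold buys you: with count 1 and seconds 60 a flood of oversized packets at one host produces a single alert per minute per destination, which keeps the console readable but also means the second and later packets in a window leave no alert at all; raise count if you want each attempt logged.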

parishilton.scr

Published: 2005-10-21
Last Updated: 2005-10-21 15:27:53 UTC
by Daniel Wesemann (Version: 1)
0 comment(s)
There's a new variant of SDBOT making the rounds, arriving via IM as a link to a file called parishilton.scr. The few AV products that already detect it seem to call it Sdbot.XD. Despite the screen-saver extension, a .scr file is an ordinary Windows executable and runs as soon as it is opened. Maybe a good moment to check your proxy logs to see which of your IM users clicked on it...

Getting spamfiltered?

Published: 2005-10-21
Last Updated: 2005-10-21 08:54:44 UTC
by Daniel Wesemann (Version: 1)
0 comment(s)
Every now and then, collective spam filtering efforts tend to go a bit overboard. We keep hearing of cases where static and properly assigned IP ranges of legitimate businesses erroneously got added to one of the DNSbl-based public filter lists under the heading of "dynamic address". Should this ever happen to you, chances are you won't be able to use your company email to complain about the mistake: since your email is coming from a "dynamic address" (or so the many mail gateways using the DNSbl think), it will be cheerfully ignored and discarded. Recovery from such a problem can be agonizingly slow and leave your company stranded high and dry with very limited ability to send email.

If you have a couple of spare cycles today, it might be worthwhile to go through the motions of how you would a) detect that your IP range is on some DNSbl and b) go about getting it unlisted again. A good toolkit that I like for checking multiple DNSbls is the set of query options available through http://openrbl.org . Another good one, suggested by ISC reader Peter Bance, is http://www.dnsstuff.com . ISC reader Bas Janssen suggests the blq Perl scripts on http://freshmeat.net/projects/blq/ for automatic monitoring of several blacklists via a cron job.
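For step a), here is an added Python script that does what the web tools and the blq scripts above do for you; it is not part of the diary and not any of those tools. It builds the reversed-octet query name a DNSbl expects, looks it up for every host of a small static range, and counts a listing only when the answer is in 127.0.0.0/8, so a resolver that rewrites NXDOMAIN to an advertising address cannot be mistaken for a listing. The two zone names are placeholders (an assumption), to be replaced with the lists that matter to your mail flow.

```python
"""Check whether the hosts of a static IP range appear on DNS-based blocklists.

Added example; not part of the diary and not the openrbl, dnsstuff or blq tools
it mentions. The zone names are placeholders: substitute the lists you care about.
"""
import ipaddress
import socket
import sys

# Placeholder zones (assumption); every real list publishes its own zone name.
ZONES = ("dnsbl-one.example", "dnsbl-two.example")

LISTING_ANSWERS = ipaddress.IPv4Network("127.0.0.0/8")   # DNSbl answers live here


def dnsbl_name(ip, zone):
    """A DNSbl is queried by reversing the octets under its zone:
    192.0.2.3 on zone Z becomes 3.2.0.192.Z."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def resolve_a(name):
    """Return an A record for name, or None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_ip(ip, zones=ZONES, resolve=resolve_a):
    """Return {zone: answer} for each zone that lists ip.

    Only answers inside 127.0.0.0/8 count; anything else (a resolver that
    rewrites NXDOMAIN, a wildcard) is ignored rather than reported."""
    hits = {}
    for zone in zones:
        answer = resolve(dnsbl_name(ip, zone))
        if answer and ipaddress.IPv4Address(answer) in LISTING_ANSWERS:
            hits[zone] = answer
    return hits


def check_range(cidr, zones=ZONES, resolve=resolve_a):
    """Walk every address of a (small) range and collect the listed ones."""
    listed = {}
    for host in ipaddress.IPv4Network(cidr, strict=False):
        hits = check_ip(str(host), zones, resolve)
        if hits:
            listed[str(host)] = hits
    return listed


if __name__ == "__main__":
    # usage: python dnsbl_check.py 192.0.2.0/29  (exit status 1 if anything is listed,
    # so a cron job can mail you only when there is something to act on)
    result = check_range(sys.argv[1] if len(sys.argv) > 1 else "192.0.2.0/29")
    for host, hits in sorted(result.items()):
        for zone, answer in hits.items():
            print(f"{host} listed on {zone} ({answer})")
    sys.exit(1 if result else 0)
```

Run it from a host whose resolver is not itself affected, and keep the range small: many lists rate-limit or refuse bulk queries, so check each list's query policy before putting this in cron.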

Outage on Verio and Level3

Published: 2005-10-21
Last Updated: 2005-10-21 07:40:23 UTC
by Daniel Wesemann (Version: 1)
0 comment(s)
We are getting reports that Level3 and Verio networks are flaky or down at the moment. We'll update this entry if we get any news. 07:40 UTC: Things are slowly going back to normal. Rumour has it that a software upgrade at Level3 went awry.