
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-11-23



PHP Notes

Published: 2005-11-23
Last Updated: 2005-11-23 23:09:40 UTC
by Marcus Sachs (Version: 1)
Two items concerning PHP came to us today.

1- Micheal wrote to tell us that phpBB has been working on putting an Incident Response Team together to help users understand how they were attacked and get back on their feet.  The announcement is here: http://www.phpbb.com/phpBB/viewtopic.php?t=343745.

2- Juha-Matti wrote to tell us that, following up on an earlier diary about the XML-RPC for PHP issues, a new script has been published at http://www.securityfocus.com/bid/14088/exploit.


Google Search Appliance Vulnerability

Published: 2005-11-23
Last Updated: 2005-11-23 22:57:43 UTC
by Marcus Sachs (Version: 1)
HD Moore of Metasploit wrote to tell us that they have been doing some testing to see who has been naughty and who has been nice.  Metasploit found a potential XSS vulnerability in Google's search appliance and worked with Google to get a patch issued.  Details are at http://metasploit.com/research/vulns/google_proxystylesheet/.

One day after the patch came out, Moore did a bit of Internet analysis and reported this:  "Nov 22 2005 - Quite a few people were wondering what percentage of the Internet-accessible appliances have yet to apply the patch. We decided to do some statistical sampling and find out. We selected 43 appliances at random from a Google query for inurl:proxystylesheet. Of these 43 systems, 23 were confirmed vulnerable (non-invasively), 8 were definitely patched, and the remaining 12 could not be determined one way or another (for a variety of reasons). If we assume this sample was anything close to the real distribution, we are talking about over half (53%) of all appliances being unpatched."
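Worked example, added here and not part of the diary or of Metasploit's analysis: what the 43-appliance sample actually bounds. The counts (23 vulnerable, 8 patched, 12 undetermined) come from the quote above; treating the undetermined hosts as a bracket, and putting a Wilson score interval around the 53% figure, are this example's own choices.

```python
"""
Exposure estimate from a small random sample.

Counts are from the ISC diary quote; the bracketing of 'undetermined'
hosts and the Wilson interval are assumptions of this added example.
"""
import math


def exposure_bounds(confirmed_vuln: int, confirmed_patched: int, undetermined: int) -> dict:
    """Three point estimates for the unpatched fraction, depending on how
    the undetermined hosts are treated."""
    n = confirmed_vuln + confirmed_patched + undetermined
    determined = confirmed_vuln + confirmed_patched
    return {
        # Undetermined counted as patched: the conservative figure Moore quoted (23/43).
        "lower": confirmed_vuln / n,
        # Undetermined counted as vulnerable: worst case (35/43).
        "upper": (confirmed_vuln + undetermined) / n,
        # Undetermined dropped entirely (23/31).
        "determined_only": confirmed_vuln / determined,
    }


def wilson_interval(successes: int, n: int, z: float = 1.96) -> tuple:
    """Wilson score interval for a binomial proportion (z=1.96 gives ~95%).
    Behaves sensibly for small n, unlike the naive p +/- z*sqrt(p(1-p)/n)."""
    p = successes / n
    denom = 1 + z * z / n
    center = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return (center - half, center + half)


if __name__ == "__main__":
    b = exposure_bounds(23, 8, 12)
    lo, hi = wilson_interval(23, 43)
    for k, v in b.items():
        print(f"{k:16s} {v:.1%}")
    print(f"95% interval on the 23/43 figure: {lo:.1%} .. {hi:.1%}")
```

The point of the exercise: 53% is the floor of the sample, not its midpoint, and with n=43 the 95% interval on that floor alone runs from roughly 39% to 67%.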


Yet Another Bagle

Published: 2005-11-23
Last Updated: 2005-11-23 22:26:12 UTC
by Marcus Sachs (Version: 1)
Several readers wrote to tell us that they have seen another round of Bagle today.  This one arrives with an attached file under various names; so far we've seen:
Avis.zip
Danyell.zip
Edward.zip
Ellen.zip
George.zip
Isabel.zip
Judithe.zip
Katherine.zip
Leonarde.zip
Michael.zip
Mychaell.zip
Robert.zip
Rycharde.zip
Sara.zip
Suzanna.zip

All of the attachments are about 6 KB in size and contain an executable with a name like 123.exe or 1.exe.  Most of the major AV vendors have signatures out, so make sure that you are keeping your machines updated.
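A mail-gateway check for this round, written as an added example (not ISC code and not any vendor's signature): it parses a raw message, pulls each ZIP attachment, and flags small ZIPs whose only members are numeric-named executables, with a stronger verdict when the attachment name is one of those reported above. The 8 KB size ceiling and the sample messages built in memory are assumptions of this example.

```python
"""
Attachment check for the Bagle round reported on 2005-11-23.

Constructed example: the ZIP and the e-mail are built in memory so it runs
offline. Name list comes from the diary; the size threshold is an assumption.
"""
import email
import io
import re
import zipfile
from email.message import EmailMessage

# Attachment names reported to ISC (from the diary text), compared case-insensitively.
BAGLE_ZIP_NAMES = {n.lower() for n in (
    "Avis.zip", "Danyell.zip", "Edward.zip", "Ellen.zip", "George.zip",
    "Isabel.zip", "Judithe.zip", "Katherine.zip", "Leonarde.zip",
    "Michael.zip", "Mychaell.zip", "Robert.zip", "Rycharde.zip",
    "Sara.zip", "Suzanna.zip",
)}
MAX_ZIP_SIZE = 8 * 1024                                # diary says ~6 KB; allow some slack
NUMERIC_EXE = re.compile(r"^\d+\.exe$", re.IGNORECASE)  # e.g. 1.exe, 123.exe


def zip_members(data: bytes):
    """Member names of a ZIP payload, or None if it is not a valid ZIP.
    Works on password-protected ZIPs too: the directory is not encrypted."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None


def classify_attachment(filename: str, data: bytes) -> str:
    """'bagle'   : known name, small ZIP, only numeric-named .exe inside
       'suspect' : same payload shape but a name not on the reported list
       'clean'   : anything else (not a ZIP, too big, other contents)"""
    if not filename.lower().endswith(".zip") or len(data) > MAX_ZIP_SIZE:
        return "clean"
    members = zip_members(data)
    if not members:
        return "clean"
    if not all(NUMERIC_EXE.match(m) for m in members):  # every member, not just the first
        return "clean"
    return "bagle" if filename.lower() in BAGLE_ZIP_NAMES else "suspect"


def scan_message(raw: bytes):
    """Parse a raw RFC 822 message; return [(attachment name, verdict), ...]."""
    msg = email.message_from_bytes(raw)
    results = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue                       # multipart containers and body text
        payload = part.get_payload(decode=True) or b""
        results.append((name, classify_attachment(name, payload)))
    return results


def build_sample(zip_name: str, inner_name: str, inner_bytes: bytes) -> bytes:
    """Constructed test message: an in-memory ZIP attached to a minimal e-mail."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, inner_bytes)
    msg = EmailMessage()
    msg["From"] = "someone@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = "photo"
    msg.set_content("see attached")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=zip_name)
    return msg.as_bytes()


if __name__ == "__main__":
    fake_exe = b"MZ" + b"\x90" * 4000      # constructed stand-in for the dropped .exe
    for zname, inner in [("Avis.zip", "123.exe"), ("Report.zip", "1.exe"),
                         ("Sara.zip", "readme.txt")]:
        print(scan_message(build_sample(zname, inner, fake_exe)))
```

Blocking on the name list alone is brittle (the list grew over the day); the payload shape, a tiny ZIP whose only content is a numeric-named executable, is the more durable rule, which is why the code reports "suspect" even for an unlisted name.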


Wilma Lessons Learned

Published: 2005-11-23
Last Updated: 2005-11-23 15:27:12 UTC
by Marcus Sachs (Version: 1)
A reader who wishes to remain anonymous wanted to share his lessons learned following Hurricane Wilma that struck his area a few weeks ago.  These are good tips for emergency preparations prior to any event.  For those who have been through SANS Security 504 (the "Hacker Track" as some call it) this should be very familiar advice.

1.  Have a plan!  Not just in writing, but actually test it: both business recovery plans and employee recovery plans.  No one knew who to call.  Who do people report to after the storm?  Have a meshed human contact network for your employees.  Rehearse the plan.  Plan points of contact.  Roll call after the storm.

2.  Prior to storm arrival:
- Have all important information on paper: circuit ids, fax and telco lines, vendor/support tel#s, support contracts
- Charge cell phones, cars (company and employees)
- Fill up all generators and their backup tanks
- Make hotel reservations, nearest town outside cone. 
- Find a possible hot-site for a temporary office.
- Allow employees to recover at home, don't endanger more lives.
- Request volunteers to travel prior to hurricane.
- Have keys to buildings and offices that use card access.

3.  During and after the storm:
- Count on a power outage and on the generator failing.  Have an alternate plan to rent a generator.  Our generator blew a fuse and never started.  Buy a portable generator and lots of gas cans as a backup to the backup.
- While power is being restored expect numerous "brown-outs" that could damage equipment.
- Inspect building for roof leaks.
- Design network so that the disaster site is completely independent of affected site.
- POTS as well as cellular traffic will be unreliable.


Cisco PIX Issue

Published: 2005-11-23
Last Updated: 2005-11-23 14:06:42 UTC
by Marcus Sachs (Version: 1)
Tony and Fred pointed out that a bug was found in the Cisco PIX firewall that could cause a denial of service condition from spoofed TCP SYN packets.  Details on the bug can be found here and Cisco's reply is available here.

