SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2007-02-02



American Football Championship Shenanigans

Published: 2007-02-02
Last Updated: 2007-02-08 16:58:49 UTC
by Kevin Liston (Version: 7)
Websense Labs has reported that "the official website of Dolphin Stadium has been compromised with malicious code."  As of now (~1820 GMT 02-FEB-2007) the site still has the injected redirect, but the site hosting the malicious code is not responding.  The malicious script is reported to exploit vulnerabilities described in Microsoft Security Bulletins MS06-014 and MS07-004.
www.websense.com/securitylabs/alerts/alert.php?AlertID=733

Bleedingthreats.net has a signature available: www.bleedingthreats.net/cgi-bin/viewcvs.cgi/sigs/CURRENT_EVENTS/CURRENT_Unknown_Downloader

The first reported site has been repaired (for now?).
Other sites have been identified using some Google dorking and are in the process of being informed.

UPDATE:
McAfee has released updated signatures to detect Backdoor-DKT: vil.nai.com/vil/content/v_141405.htm#tab7
Other AV vendors should have specific signatures by now as well.


UPDATE2:


A similar (identical?) exploit is served by the following domains. At this point, the best defense (after patching) is to block these domains and monitor DNS requests for them. Infected machines will try to call home to them.

w1c.cn, dv521.com, bc0.cn, 137wg.com, newasp.com.cn

dv521.com was the domain used in the dolphinstadium.com defacement. Thanks to the cooperation from Xin-Net, the domain is no longer resolving. But there is always a chance that it will come back.

If your website is defaced by this group: Please contact us and preserve logs.

UPDATE3:
We had 'www.natmags.co.uk' listed here earlier. According to information from the system administrator for the site, the JavaScript file on that site is not malicious and just happens to have the same filename.

UPDATE4:
Updating our earlier update :-), the 3.js off the Natmags site downloads an ad.htm file which is clearly an exploit. The file is obfuscated by setting the high bit of every byte, so a little Perl-fu that clears that bit (ord & 127) makes it readable: cat ad.htm | perl -pe 's/(.)/chr(ord($1)&127)/ge'
The corresponding www.exe is no longer available on the server though (or doesn't download).
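Added example (not code from the diary or from the site involved): a Python equivalent of the Perl one-liner above, generalized into a small triage helper that first checks whether a blob really is high-bit-encoded 7-bit text before decoding it, so genuine UTF-8 content (whose multibyte sequences also have the high bit set) is not mangled. The sample blob and the marker list are constructed for the example, not the real ad.htm.

```python
import re

# Constructed sample blob, NOT the real ad.htm from the diary: plain HTML with
# the high bit set on every byte, the obfuscation the perl one-liner undoes.
PLAINTEXT_SAMPLE = b'<html><body><script>var u="www.exe";</script></body></html>'
HIGH_BIT_SAMPLE = bytes(b | 0x80 for b in PLAINTEXT_SAMPLE)

# Markers worth flagging in the decoded text (hypothetical triage list).
MARKERS = re.compile(rb'<script|<iframe|\.exe', re.IGNORECASE)


def strip_high_bit(data: bytes) -> bytes:
    """Same operation as perl -pe 's/(.)/chr(ord($1)&127)/ge': clear bit 7 of
    every byte, turning the encoded blob back into 7-bit ASCII."""
    return bytes(b & 0x7F for b in data)


def high_bit_ratio(data: bytes) -> float:
    """Fraction of bytes with bit 7 set."""
    if not data:
        return 0.0
    return sum(1 for b in data if b & 0x80) / len(data)


def looks_high_bit_encoded(data: bytes, threshold: float = 0.9) -> bool:
    """Heuristic for this obfuscation: nearly every byte has bit 7 set AND
    clearing it yields almost entirely printable ASCII. Genuine UTF-8 text
    passes the first test (multibyte sequences are all >= 0x80) but fails the
    second, because many of its continuation bytes decode to control chars."""
    if high_bit_ratio(data) < threshold:
        return False
    decoded = strip_high_bit(data)
    printable = sum(1 for b in decoded if 0x20 <= b < 0x7F or b in b'\t\r\n')
    return printable / len(decoded) > 0.95


def triage(data: bytes) -> dict:
    """Decode only when the heuristic fires, then report the markers found."""
    encoded = looks_high_bit_encoded(data)
    text = strip_high_bit(data) if encoded else data
    found = sorted({m.lower() for m in MARKERS.findall(text)})
    return {"high_bit_encoded": encoded, "markers": found}


if __name__ == "__main__":
    print(triage(HIGH_BIT_SAMPLE))
```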

Classic phpBB vulnerability impacts phpBB-based forums

Published: 2007-02-02
Last Updated: 2007-02-02 20:10:07 UTC
by Kevin Liston (Version: 1)
It seems fairly obvious, but the classic phpbb_root_path vulnerability is also present in phpBB-based products such as Omegaboard, Cerulean Portal System, phpBB Tweaked, Hailboards, EclipseBB and Xero Portal.  All are affected by the vulnerability exposed by having register_globals set to "on."  It appears that it is being regularly exploited to deface systems as well.
www.heise-security.co.uk/news/84732
Thanks for the lead, Juergen!

Friday Security Notes

Published: 2007-02-02
Last Updated: 2007-02-02 18:32:40 UTC
by Kevin Liston (Version: 2)
Just a few things to read/follow-up/keep-an-eye-on over the weekend:

Wireshark announced a few Denial of Service vulnerabilities (i.e., it crashes when it sees certain traffic) yesterday: www.wireshark.org/security/wnpa-sec-2007-01.html

UPDATE:
Release notes are available: www.wireshark.org/docs/relnotes/wireshark-0.99.5.html
Download: www.wireshark.org/download.html



Exploit code is available for the Computer Associates BrightStor ARCserve Backup LGSERVER.EXE vulnerability.
The targeted service listens on TCP/1900.  The example exploit sets up a shell on TCP/4444 (but that's trivial to change).
DShield notes a bit of a peak: isc.sans.org/port.html?port=1900
Concentrated activity towards TCP/4400 is a bit less obvious.



Cisco vulnerabilities: there were a few issues identified by Cisco this week.  Keep an eye/ear/SEC-rule out for "instability issues" on your routing infrastructure.  For current details:
www.cisco.com/en/US/products/products_security_advisories_listing.html