
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2007-05-09



Microsoft Ends Support for Windows Server 2003 RTM/Gold

Published: 2007-05-09
Last Updated: 2007-05-10 15:38:25 UTC
by Deborah Hale (Version: 1)

We received an email today from one of our readers (Scott) with the following information:

"It might be worth mentioning that Microsoft has ended support for Windows Server 2003 RTM/"Gold" (no Service Pack). The new patches applicable to Windows 2003 (MS07-027, -028, -029) will only install on 2003 SP1 or later. So if any readers haven't fully deployed SP1 or SP2 yet, now would certainly be a good time to do so. If that's not possible, patches might be available from Microsoft (for a fee) under the Extended Support program."

I checked with Microsoft for confirmation on this and received this information back:

The dates for W2K3 SP0 (RTM/Gold), SP1, SP2

Product Name          Service Pack            Gen. Avail. Date   Support Retired
Windows Server 2003   Service Pack 0 (RTM)    May 28th 2003      April 10th 2007
Windows Server 2003   Service Pack 1          March 30th 2005    April 14th 2009
Windows Server 2003   Service Pack 2          March 13th 2007    Not Applicable (see note below)


Note for SP2: support ends either 12 or 24 months after the next service pack is released, or at the end of the product's support lifecycle, whichever comes first. Visit the Lifecycle page to find the support timelines for your particular product.

Microsoft has some information about the Main LifeCycle at:
support.microsoft.com/lifecycle/Default.aspx

And the page with the various dates is here:
support.microsoft.com/gp/lifesupsps#Windows

Thanks to Scott for calling this to our attention and to Microsoft for getting back to us with the information.

Many Thanks to All of our Readers/Contributors

Published: 2007-05-09
Last Updated: 2007-05-09 22:03:15 UTC
by Deborah Hale (Version: 1)
I personally want to thank all of our readers that have contributed to today's diary and all of the diaries throughout the year.

To Scott for the information on the End of LifeCycle issues, to Kent for the great information on the Trend Micro problems, Jeff for the information on the malicious FTP, Don for the CISCO vulnerabilities, and everyone else that contacted us with their input and information. It is because of our terrific readers and their willingness to share that we Handlers at the ISC are able to bring everyone, every day, the terrific insight that we can. Keep up the good work, team.


Deb
Handler On Duty


Microsoft Update Problems

Published: 2007-05-09
Last Updated: 2007-05-09 21:34:58 UTC
by Deborah Hale (Version: 1)
For our readers that have problems with Microsoft Update or with things breaking after the updates have run, please call Microsoft Product Support Services at 1-866-PCSAFETY.  Explain your problem to them. They will give you a support ID.  (There is no charge for this service if it is related to the Security Updates from Microsoft.)

Then if you would like you can contact us through our contact page, explain the problem you are seeing and give us the support ID number.  We will then use that information in our research and communications with Microsoft in regards to the problems that folks are seeing.

Upgrade to Norman Virus Control version 5.90

Published: 2007-05-09
Last Updated: 2007-05-09 21:28:21 UTC
by Deborah Hale (Version: 1)
For those that are using Norman Virus Control, you may be experiencing problems with the upgrade that happened yesterday. It is being reported that some computers are "freezing up" after the update.  It is a confirmed problem and Norman is working on it.

Check out the information from Norman at:

www.norman.com/Support/46716/nl

Cisco Security Advisory: Multiple Vulnerabilities in the IOS FTP Server

Published: 2007-05-09
Last Updated: 2007-05-09 21:24:45 UTC
by Deborah Hale (Version: 1)
Advisory ID: cisco-sa-20070509-iosftp


www.cisco.com/warp/public/707/cisco-sa-20070509-iosftp.shtml

For those that have enabled the IOS FTP service on their CISCO devices, you may want to take a look at the advisory from CISCO.  CISCO indicates that there are multiple vulnerabilities in the IOS.  From CISCO Advisory:

"Multiple vulnerabilities exist in the Cisco IOS File Transfer Protocol (FTP) Server feature. These vulnerabilities include Denial of Service, improper verification of user credentials and the ability to read or write any file in the device's filesystem, including the device's saved configuration, which may include passwords or other sensitive information."

See the link above for the complete advisory.


Ramp up on Port 5168

Published: 2007-05-09
Last Updated: 2007-05-09 16:04:05 UTC
by Deborah Hale (Version: 1)
We received an email today from one of our readers, Kent, indicating that they had an intrusion. Investigation indicates that they have a ServU FTP server masquerading as javavm.exe. The program is listening on port 1999. It is also trying to connect to port 3389 (Windows Terminal Server Service).

Kent says: “The machine is off the net now, but the attacker keeps trying to connect to it, e.g. on port 1999 and port 3389. He also tries to connect to port 5168 on another machine (harmless, it turns out).”

Kent says that they are running Trend Micro Anti Virus. A quick look at DShield for current port activity reports confirms that there is something going on with port 5168.  The sources and targets have escalated rapidly in the last 3 days.

http://www.dshield.org/port.html?port=5168

At this point there is nothing definitive, but I suspect that it has something to do with:

Trend Micro ServerProtect EarthAgent Stack Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-07-025.html

Trend Micro ServerProtect AgRpcCln.dll Stack Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-07-024.html

Trend Micro has issued these advisories for ServerProtect v5.58. It appears that there are some vulnerable installations of Trend Micro ServerProtect out there that may be getting snagged.

We have had other reports of some snooping for devices on the net with port 5168 open. If anyone is seeing an increase in activity on either port 5168 or 3628, and you can capture some packets for us, we would appreciate it. Also, if anyone else has had this intrusion and you can identify the executable involved, we would like copies of the exe files as well. Please zip and password protect the exe files if possible. All of these can be uploaded to our malware site at:

http://isc.sans.org/contact.html

We will keep you updated on what we find out.
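The "sources and targets have escalated rapidly" observation above is the kind of per-port summary the DShield port report shows. As an added example (not ISC's or DShield's own code), the script below computes the same two counts, distinct sources and distinct targets per day for one destination port, from firewall-style log lines and flags a ramp-up when both counts keep growing. The log format ("date src dst dport") and the sample lines are constructed for the example; the threshold in ramping_up() is an assumption, not a DShield rule.

```python
"""Added example: DShield-style per-port activity summary and ramp-up check.
Not ISC or DShield code; log format and sample data are constructed."""
from collections import defaultdict
from datetime import date

# Constructed sample log (not real captures): one connection attempt per line,
# formatted as "YYYY-MM-DD source destination destination_port".
SAMPLE_LOG = """\
2007-05-07 10.0.0.5 192.0.2.10 5168
2007-05-07 10.0.0.6 192.0.2.10 22
2007-05-08 10.0.0.5 192.0.2.10 5168
2007-05-08 10.0.0.7 192.0.2.11 5168
2007-05-08 10.0.0.8 192.0.2.11 5168
2007-05-09 10.0.0.5 192.0.2.10 5168
2007-05-09 10.0.0.7 192.0.2.12 5168
2007-05-09 10.0.0.8 192.0.2.13 5168
2007-05-09 10.0.0.9 192.0.2.14 5168
2007-05-09 10.0.0.10 192.0.2.15 5168
2007-05-09 10.0.0.6 192.0.2.10 22
"""


def parse_lines(text):
    """Yield (day, src, dst, dport) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        day, src, dst, dport = parts
        yield date.fromisoformat(day), src, dst, int(dport)


def port_activity(text, port):
    """Return {day: (distinct_sources, distinct_targets)} for one port,
    which is what the DShield port page reports as sources and targets."""
    sources = defaultdict(set)
    targets = defaultdict(set)
    for day, src, dst, dport in parse_lines(text):
        if dport == port:
            sources[day].add(src)
            targets[day].add(dst)
    return {d: (len(sources[d]), len(targets[d])) for d in sorted(sources)}


def ramping_up(activity, min_days=3, factor=1.5):
    """True when both source and target counts grew by at least `factor`
    on each of the last `min_days` days (threshold is an assumption)."""
    days = sorted(activity)
    if len(days) < min_days:
        return False
    recent = days[-min_days:]
    for prev, cur in zip(recent, recent[1:]):
        prev_src, prev_tgt = activity[prev]
        cur_src, cur_tgt = activity[cur]
        if cur_src < prev_src * factor or cur_tgt < prev_tgt * factor:
            return False
    return True


if __name__ == "__main__":
    for port in (5168, 22):
        summary = port_activity(SAMPLE_LOG, port)
        for day, (n_src, n_tgt) in summary.items():
            print(f"port {port} {day}: {n_src} sources, {n_tgt} targets")
        print(f"port {port} ramping up: {ramping_up(summary)}")
```

On the constructed data, port 5168 goes from 1 source/1 target to 3/2 to 5/5 over three days and is flagged, while port 22 stays flat and is not. Against real firewall or IDS logs, run it per destination port and treat a flagged port as a prompt to capture packets, which is exactly what the diary asks readers to do.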