Threat Level: green Handler on Duty: Pedro Bueno

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Symantec Threatcon Level 2

Published: 2008-04-10
Last Updated: 2008-04-11 14:01:03 UTC
by Deborah Hale (Version: 1)
0 comment(s)

It appears that Symantec has raised the Threatcon to Level 2 this afternoon.

www.symantec.com/security_response/threatcon/index.jsp

It seems that their honeypots have sniffed out "In-the-Wild Exploit attempts" targeting the vulnerability identified in MS08-021 which allows remote code execution in GDI if a user opens a specially crafted EMF or WMF image file. Microsoft announced this in their latest super Tuesday release. 

www.microsoft.com/technet/security/Bulletin/MS08-021.mspx

If you haven't already patched do so now and don't forget to remind your users not to open image files.

 

0 comment(s)

Abuse Contacts

Published: 2008-04-10
Last Updated: 2008-04-10 22:11:44 UTC
by Deborah Hale (Version: 1)
6 comment(s)

A couple of months ago my boss asked me to take over the Abuse for our company. Little did I know when he asked me to take over the abuse it was I who would be abused. This has been a real eye opener for me and I have learned some very valuable lessons and have a few more gray hairs than I used to have.  One of the things that I have learned is that finding someone who can explain to you why your server has been forbidden is like looking for a needle in a haystack. 

One of our servers that hosts multi customers was blocked by one of the big boys.  Now the only way I new it was blocked was because I started getting bombarded with complaints from our customers that the email that they were trying to send to a "group" of people were rejecting. I asked them to send me some of the emails so that I could look at them.  I hadn't gotten any abuse reports or emails from the company inspite of the fact that I do have an abuse@ email address setup.  Therefore, I had nothing to go on. After a couple of days and begging and pleading for someone at the company to point me in the right direction I have found out what was going on and the mail is flowing again.

I, for one wish everyone would handle these incidents the same way. I wish that an email could be sent to the abuse@ email address saying - hey bozo - you got a problem - clean up your act.  Well maybe a little bit nicer.  At any rate, not notifying us that we are being blocked and why we are being blocked is just not very nice.  I just spent the better part of 2 days digging through logs, looking at RBL sites and attempting to find someone who could explain why my server was being "spanked". 

So for those of you out there that just pull the plug, maybe you could also send the abuse@ email address a little message.  I don't mind so much the pulling of the plug, but mind the hours that I spent trying to figure out why the plug was pulled.

I would rather have a little abuse from you then a lot of abuse from a lot of customers.

 

Keywords: Abuse
6 comment(s)

DSLReports Being Attacked Again

Published: 2008-04-10
Last Updated: 2008-04-10 21:36:53 UTC
by Deborah Hale (Version: 1)
0 comment(s)

We received an email from one of our faithful reader's just a few minutes ago letting us know that the folks at dslreports.com are having a rather bad day again. It seems that they are receiving a DDOS aimed at their pages and causing their site to either be slow to load or inaccessible. 

The site is back up now.  They have posted an announcement on the site "Unfortunately an ongoing distributed denial of service attack from Russia is causing problems for us today." So if you have problems connecting to their site, be patient and try again.

 

www.dslreports.com/

To the folks at DSL Reports. We wish you the best and hope that you can fend off the attacks and stay on line.

 

A big thank-you to Robert for calling this to our attention. 

Keywords: DSLReports DDOS
0 comment(s)
Diary Archives