Threat Level: green Handler on Duty: Manuel Pelaez

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Some packets perhaps?

Published: 2008-04-25
Last Updated: 2008-04-25 15:07:30 UTC
by Joel Esler (Version: 1)
0 comment(s)

Take a look at this.  http://isc.sans.org/trends.html 

Seems as if ports 7331 and 60000 are on the rise.  I don't think I want to put out a call for packets yet, but if you are seeing an increase at your networks, can you write in and let us know?

 

--

Joel Esler

http://www.joelesler.net

Keywords: packets
0 comment(s)

Hey, where is the podcast?

Published: 2008-04-25
Last Updated: 2008-04-25 13:51:07 UTC
by Joel Esler (Version: 1)
0 comment(s)

All the people that listen to the podcast...

Yes we were supposed to do one this week, however, since Johannes was at the SANS conference in Orlando, we decided to bump it a week.  So we'll do it next week.  (We usually do it Wednesday night, and it's out Thursday morning).  I got a couple emails from people asking where Episode 3 was.   Just wanted to keep you updated.

 

--

Joel Esler

http://www.joelesler.net

Keywords: podcast
0 comment(s)

One thing to keep in mind about compromised websites

Published: 2008-04-25
Last Updated: 2008-04-25 13:46:06 UTC
by Joel Esler (Version: 1)
1 comment(s)

We've all done it.  Taken some piece of code that machines are being exploited with and plugged it into Google to see how many machines were infected.  You do it, and you say to yourself "OH NOEZ, 10,000 MACHINES!  BIG BIG EXPLOIT RAISE THE RED FLAG!"

(Disclaimer:  Since Google is a verb in today's language, I don't necessarily mean Google, when I say Google.  I mean search engine, but I probably mean Google.  )

Things to keep in mind:

1) When you do that, most likely the exploit method is potentially:

    a) already known

    b) being worked on

    c) already been worked on

    d) cleaned up

2) There aren't that many machines actually infected/exploited.  Google takes awhile to index websites, usually about 2 days behind.  It depends on the popularity of your site.  I am not going to try and explain how the Google search algorithm/page rank thing works, because number one, I don't know, and number two, if I did, I am sure I could command alot of money from both Google and/or Microsoft for me to work there.  But anyway, my point is, Google takes a bit to index sites.  Then once the sites are indexed and are then subsequently cleaned up, Google takes a while to clean the entries back out again.  (Again, by re-indexing.)

So, at any given point, the index results in Google for "x" exploit are not correct.  The numbers at least.  The websites you see in Google are either currently exploited, or have been several days/weeks/whatever ago.  So keep that in mind.

The next time you read something about "OH NOEZ THE EXPLOIT IS TAKING OVER TEH WORLD.  OMG LOL!!11".  Try not and panic, it's probably not as big as it's claimed to be.

 

--

Joel Esler

http://www.joelesler.net

Keywords:
1 comment(s)
Diary Archives