
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2009-09-03



Telstra Outage

Published: 2009-09-03
Last Updated: 2009-09-03 23:49:03 UTC
by Marcus Sachs (Version: 2)
2 comment(s)

We had a couple of reports that Telstra (Australia) was down earlier today.  We are still not sure what the problem was, but to Telstra's credit, they are using Twitter to keep their customers informed.  Follow them at http://twitter.com/Telstra

UPDATE - Looks like it might have been a DNS maintenance problem.  Some details are here.  Thanks for the pointer to that page, Mike!

Marcus H. Sachs
Director, SANS Internet Storm Center


RealVNC Remote Auth Bypass?

Published: 2009-09-03
Last Updated: 2009-09-03 18:29:43 UTC
by Marcus Sachs (Version: 1)
8 comment(s)

We had an interesting submission from one of our readers today.  He thinks there might be a problem with RealVNC.  Here are the comments he sent us:

I'm a professional computer tech for a living, although I don't specialize in security.  A few minutes ago I was shutting my PC down to go to a job when I noticed the VNC icon in my system tray was black, indicating a connection.  I was immediately suspicious and powered the machine back on but unplugged the network cable until I could firewall the VNC service.  I have a home broadband connection and the router is opened up to allow incoming remote access on port 5900.  I have often noted the many failed attempts to connect to my VNC service in the Windows logs; however, this was different.  According to my event log, the service had been connected for about 15 minutes before I noticed it.  Here are the technical details:

RealVNC version: 4.1.3
IP address: 121.32.14.72 (somewhere in China, apparently)
password: 12 characters, alphanumeric

In the logs there were no prior or repeated connection attempts from this or similar IP addresses, as if a brute force attack was happening.  Even at that a 12-character password should be relatively strong.  To me this looks like an authentication bypass vulnerability reminiscent of the 2006 vulnerability; I hope I'm wrong.  You may want to encourage everyone to be on the lookout for suspicious VNC connections.  For now my VNC is remaining firewalled.

For those who use RealVNC, would you check your event logs to see if there is anything similar that you did not authorize?  Use the "comment" section below to post your brief thoughts, or if you have a lot of information to submit, use our contact form.

Marcus H. Sachs
Director, SANS Internet Storm Center
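The check asked for above, written out as an added example (not code from the diary or from RealVNC): it walks a connection log, counts authentication failures per source address, and reports every session that authenticated from an address outside a trusted list, together with how long it lasted and how many failed attempts preceded it. The log line layout and the sample lines are constructed for this example and are an assumption, not RealVNC's actual log format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (format assumed for this example). Two failed
# attempts from one address, one 15-minute authenticated session from an
# address with no prior failures, and one session from a trusted LAN host.
SAMPLE_LOG = """\
2009-09-03 08:01:10 Connections: accepted: 203.0.113.5::41022
2009-09-03 08:01:11 Connections: closed: 203.0.113.5::41022 (Authentication failure)
2009-09-03 08:05:42 Connections: accepted: 203.0.113.5::41090
2009-09-03 08:05:43 Connections: closed: 203.0.113.5::41090 (Authentication failure)
2009-09-03 09:12:00 Connections: accepted: 198.51.100.7::50211
2009-09-03 09:27:14 Connections: closed: 198.51.100.7::50211 (Clean disconnection)
2009-09-03 10:00:00 Connections: accepted: 192.168.1.20::3344
2009-09-03 10:02:00 Connections: closed: 192.168.1.20::3344 (Clean disconnection)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) Connections: "
    r"(?P<event>accepted|closed): (?P<ip>[\d.]+)::(?P<port>\d+)"
    r"(?: \((?P<reason>[^)]*)\))?$"
)

def audit_vnc_log(text, trusted):
    """Return (ip, start, seconds, prior_failures) for each session that
    authenticated from an address not in `trusted`. A session counts as
    authenticated when it closed for any reason other than an
    authentication failure, or is still open at the end of the log."""
    open_sessions = {}           # (ip, port) -> (start, failures seen so far)
    failures = defaultdict(int)  # ip -> failed attempts seen so far
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue             # unrelated log lines are ignored
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        key = (m["ip"], m["port"])
        if m["event"] == "accepted":
            open_sessions[key] = (ts, failures[m["ip"]])
            continue
        if key not in open_sessions:
            continue             # close without a matching accept
        start, prior = open_sessions.pop(key)
        if m["reason"] and "Authentication failure" in m["reason"]:
            failures[m["ip"]] += 1
        elif m["ip"] not in trusted:
            findings.append((m["ip"], start, int((ts - start).total_seconds()), prior))
    for (ip, _), (start, prior) in open_sessions.items():
        if ip not in trusted:    # still connected when the log ends
            findings.append((ip, start, None, prior))
    return findings

if __name__ == "__main__":
    for ip, start, secs, prior in audit_vnc_log(SAMPLE_LOG, {"192.168.1.20"}):
        print(f"{ip} connected at {start} for {secs}s after {prior} failed attempt(s)")
```

A session from an unknown address with zero prior failures, as in the reader's report, is the pattern worth escalating; a session preceded by many failures points at password guessing instead.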


seclists.org Outage

Published: 2009-09-03
Last Updated: 2009-09-03 15:46:40 UTC
by Marcus Sachs (Version: 1)
1 comment(s)

It appears that seclists.org is offline.  That impacts some security mailing lists like Full Disclosure, nmap-dev, and portions of the Insecure.org site.  We don't know why the site is down, but it appears that all of the message archives are missing too.  More details will follow as we receive them.  If you have any first-hand knowledge about why the site is down please let us know via our contact form.

Marcus H. Sachs
Director, SANS Internet Storm Center
