Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

*Santy Worm Update, Snort 2.2 DoS, IRC over SMTP, SSH Scanning, An InfoSec Christmas Story

Published: 2004-12-22
Last Updated: 2004-12-22 23:41:11 UTC
by John Bambenek (Version: 1)
0 comment(s)
* Santy Worm Update

According to http://news.zdnet.com/2100-1009_22-5500265.html Google has deactivated queries essential to Santy's propagation, which should lead to it's dying off (or by this point gone-ness). This is only a temporary fix, I would imagine, as I'm sure other queries can be crafted and the same exploit code used to relaunch this worm. Time will tell.

As a side note, we have the exploit code, so no need to send more unless you have the earlier generations that did not do defacing.

See yesterday's diary at http://isc.sans.org/diary.php?date=2004-12-21 for detailed info on what we know so far about Santy.

Snort 2.20 Denial of Service exploit posted

K-OTik notified us of this exploit for Snort 2.2 and earlier: http://www.k-otik.com/exploits/20041222.angelDust.c.php

It will core dump a running Snort process with a specially crafted packed. The recommended fix is to upgrade to Snort 2.3 RC1 or better which various handlers have reported is stable. This particular exploit works with Linux-based distributions, but not BSD-based. (We tried RHEL3, Debian, and OpenBSD).

IRC over SMTP

We have received reports of intermittent traffic of IRC commands over the SMTP protocol. Specifically, PRIVMSG commands are seen directly after the inital SMTP HELO. Almost all of the packets in this case have the string ":j1!~devel@67.15.4.95" in them. If you are also seeing this traffic, please contact us with packet dumps using the contact form.

SSH Scanning

Joel Esler put up results from a quick honeypot on what the results of a successful intrusion on the SSH scanning we've been seeing. While there are various iterations of this, all the commands in this case were in .bash_history and easily viewable. Through a couple of wget's to websites overseas IRC bncs and relays are installed on the user account. The websites were with a company that gives free webspace and e-mail making the attackers pseudo-anonymous and with the ability to simply move to another free webspace provider leading to the endless game of whack-a-kiddie we have all come to know and love.

A quick check at Yahoo! Geocities shows that this same malware that is detected by the anti-virus tools we have is easily loaded up and hosted at Geocities. I know Yahoo! for instance has the ability to virus scan attachments in e-mail. If this same functionality would be implemented at free sites to files hosted, we'd see this kind of activity decrease. It's not a complete solution, but it is certainly progress considering who easy it is to put up one of these free websites.

An InfoSec Christmas Story

On a lighter and hopefully more humorous note, I wrote a version of Twas the Night Before Christmas entitled Tw4z t3h N1t3 B3f0r3 Xm4z. If interested, you can read it here: http://decision.csl.uiuc.edu/~bambenek/tw4s.html (It's a little long for a diary).

----
John Bambenek
bambenek /at/ gmail.com
Keywords:
0 comment(s)
Diary Archives