Request for Help, OOB Chat Room Keeps London Working During Attack
Good morning!
Request for Help
This morning the Handlers received a note from Ian Tomkinson that he had detected the following in their web server access logs. It caught his attention because of the "ISC.SANS.DFind" string--probably an attempt to make the traffic look legitimate.
xxx.xxx.xxx.xxx - - [08/Jul/2005:18:51:35 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 320 "-" "-"
This hit was followed up by a scan for phpmyadmin, using a tool called "PMAFind".
Please review your web server logs for anything with this string in it. Should you find a hit, please submit a copy of the log excerpt to http://isc.sans.org/contact.php
Update: see http://isc.sans.org/diary.php?storyid=900
Thanks!
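One way to run the log review requested above, as an added example that is not part of the original diary: it parses Apache-style access log lines, flags requests containing the DFind string, and lists later phpMyAdmin requests from the same source. The one-hour window, the "phpmyadmin" path match, and the sample lines are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Apache common/combined log prefix; the request field may contain escaped quotes.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) ')
PROBE = "w00tw00t.at.isc.sans.dfind"        # string from the diary, lowercased
FOLLOWUP = re.compile(r"phpmyadmin", re.I)  # assumption: follow-up scan names phpMyAdmin in the path
WINDOW = timedelta(hours=1)                 # assumption: correlation window

def parse(line):
    """Return (src, timestamp, request, status), or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["src"], ts, m["req"], int(m["status"])

def find_dfind_activity(lines):
    """Map each probing source to its probe hits and later phpMyAdmin requests."""
    report = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        src, ts, req, status = rec
        if PROBE in req.lower():
            entry = report.setdefault(src, {"probes": [], "followups": []})
            entry["probes"].append((ts, status))
        elif src in report and FOLLOWUP.search(req):
            last_probe = report[src]["probes"][-1][0]
            if timedelta(0) <= ts - last_probe <= WINDOW:
                report[src]["followups"].append((ts, req))
    return report

# Constructed sample lines (documentation addresses), not taken from a real log.
SAMPLE = [
    '192.0.2.10 - - [08/Jul/2005:18:51:35 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 320 "-" "-"',
    '198.51.100.7 - - [08/Jul/2005:18:52:01 +0100] "GET /phpmyadmin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [08/Jul/2005:18:53:10 +0100] "GET /phpMyAdmin/main.php HTTP/1.0" 404 210 "-" "-"',
    '192.0.2.10 - - [08/Jul/2005:21:00:00 +0100] "GET /phpmyadmin/ HTTP/1.0" 404 210 "-" "-"',
    'not an access log line',
]

if __name__ == "__main__":
    for src, hit in find_dfind_activity(SAMPLE).items():
        print(src, len(hit["probes"]), "probe(s);", len(hit["followups"]), "follow-up(s)")
        for ts, req in hit["followups"]:
            print("   ", ts.isoformat(), req)
```

The function expects lines in chronological order, as a web server writes them; concatenated rotated logs should be ordered oldest first.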
Internet Chat Room Keeps London Trading Alive During Attack
This story caught my attention yesterday, while reading some of the coverage of the bombing attacks in London. The details themselves are simplified a bit, but the gist of it is this: many financial (and I'm sure other) institutions were able to continue operating during the crisis last week through the use of what I'd call out-of-band communications mechanisms, including websites and chat rooms, set up as a response to the terror attacks of 9/11. It also talks about the improved contingency planning that has occurred because of the same.
One of the true stories behind these terrible events is certainly how well infrastructure bits have held up.
Food for thought: do you have any out-of-band mechanisms in case some of your major systems fail? Even something as simple as a published e-mail address not hosted on your own systems may be useful. Perhaps a Jabber server, or an IRC chat room somewhere?
http://www.alertnet.org/thenews/newsdesk/L08557431.htm
-------------------------
Dave Brookshire
SANS ISC Handler-on-Duty