Strange Spam; Update on Port 3001; New Discussion Forum; Small Website Change; Cisco Humor; SANS Washington DC
Strange Spam
We have not figured out the source or reason of the strange spam reported in the Handler's Diary. It's clear that at the MTA level the spam is coming from many different sources, which is typical of spam generated by compromised computers. But who/what is behind it and what it means is still a mystery.Update on Port 3001
Our report yesterday that tcp/3001 was rising needs a bit of clarification. It's the SOURCE port that is rising, not the DESTINATION port.David dropped us a note that said, "It seems that there is a tool or malware that uses a default source port of 3001. I noticed this on a dest port 1666 scan and started looking around and noticed the source port 3001 similarity. Below are some common scans where all scans performed were *only* from source port 3001. I searched through my firewall logs going back to December and then got a list of IP addresses using source port 3001 then filtered out those that weren't using port 3001 exclusively. Below is a list of ports and the count of instances.
29 1433
18 42
84 6101
Looks like there is something out there scanning for SQL, WINS and Veritas possibly using a specific scanning tool."
New Discussion Forum
The SANS Internet Storm Center's CTO, Johannes Ullrich, has created a new web view into the popular DShield discussion list. Additionally, he built a new online discussion forum for those who want to openly discuss items in the Handler's Diary. The site for both forums is at http://forum.dshield.org and we hope to hear from everybody over there! (Remember that these are PUBLIC forums, anything you post can and will be read by others. If you want to send the Storm Center something in confidence please use our contact form at http://isc.sans.org/contact.php and tell us by using the check blocks at the bottom whether we can release your name and other details.)Small Website Change
We've made a small change to our website. It now has a <meta http-equiv="refresh" content="600"> tag so that it will automatically fetch an update every 10 minutes. That way you can leave it open in a browser tab (you DO use tabs, don't you?) and it will stay up to date without manually refreshing.Cisco Humor
SANS Instructor Chris Benton stumbled on a site that will bring a bit of humor to our otherwise busy lives. Check out http://routergod.com and read insightful articles such as- Paris Hilton On CCIE Storage
- Gillian Anderson on LAN Switching
- Gunney Sgt. Hartman at CCNA Boot Camp
- Paul Hogan Tells Us About HSRP
- Arnold on PIX Turbo Access Lists
- Trinity on IP-Helper addresses
- Agent Smith Explains Syslog
- Charles Manson On Static Routes
- Mister Rogers on the RS 232
- 7 of 9 on OSPF
SANS Washington, DC
I'll be teaching SEC 401, SANS Security Essentials, in later next week. If you can stop by, please do so to say hello. A few of the handlers will be there and we always like to meet our readers! There is still plenty of time to register if you haven't already done so. This is a great time of year to come see Washington with your family. It's hotter than hootie tootie but that's why we Southerners invented air conditioning! :)
Marcus H. Sachs
Handler on Duty
Keywords:
0 comment(s)
×
Diary Archives
Comments