Exploiting the admin process

Published: 2008-01-21
Last Updated: 2008-01-22 00:55:34 UTC
by Jim Clausing (Version: 2)
1 comment(s)

Today has been a rather slow day at the Internet Storm Center.  Perhaps some folks in the US actually got Martin Luther King, Jr. Day off from work (or maybe not).  We got e-mail from Jim and Gordon though that got me thinking.  Jim e-mailed to report what he thought were (and may well be) spoofed referrer strings showing up in his weblogs.  His concern was that some of these referrers might host malware, so an admin who was diligently monitoring their logs, might get infected when trying to follow-up on how users found their website.  Gordon reported some unexpected behavior from Kiwi Syslog Daemon which was being used to collect logs from a Sonicwall setup.  He noted that the firewall was showing outbound NetBIOS attempts to China (fortunately being blocked by the firewall) from the Windows machine collecting the logs.  It turns out that the Kiwi Syslog Daemon that he was using was attempting to lookup the names (reverse lookups) of the machines that were hitting the firewall first by DNS and then by NetBIOS (a feature that can apparently be disabled in v 8.3.6 BETA).  Again, this brought to mind the possibility that a responsible admin monitoring logs as they ought to, could have that very diligence used against them.  I recall some time back an attack where folks were targeting, I think, one of the Apache log analyzers by crafting some of the data that gets logged (here is one, though not the one I was thinking of when I wrote this).  I'm not aware of this class of attacks being used widely these days, but I figured since it was slow, I'd ask our readers if they have seen any other attacks like this that actually target the diligent admin and what types of defenses do you (or should you) take to protect against them?  The handlers kicked around a few thoughts among ourselves today and I'll include them with reader response in a followup story.

1 comment(s)


I had similar entries in my Apache log. They were failed pages with references to some site that ended in "/.web/a.gif?/". If anyone wants more of the log, let me know.

Diary Archives