Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: InfoSec Handlers Diary Blog - Panix DNS Hijack; tcp/3306 Increase; Osama Captured SPAM;Wireless Thoughts InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Panix DNS Hijack; tcp/3306 Increase; Osama Captured SPAM;Wireless Thoughts

Published: 2005-01-16
Last Updated: 2005-01-17 00:15:24 UTC
by Marcus Sachs (Version: 1)
0 comment(s)
Panix DNS Hijacked. Panix, a commercial Internet provider in New York, had its main domain name (panix.com) hijacked by an unknown party. According to Panix, the ownership of panix.com was moved to a company in Australia, the actual DNS records were moved to a company in the United Kingdom, and panix.com's mail was redirected to yet another company in Canada. As of this writing, Panix has been able to recover their domain but the global DNS will take several hours to get the records updated. More details are on Panix's alternate web site at http://www.panix.net

tcp/3306 Increase. There has been a slow but steady increase in hostile activity aimed at tcp/3306 (MySQL) over the past several weeks, with a spike on or about Christmas day. We are not aware of any new MySQL exploits, but clearly there is some interest in this port. Any packet captures, analysis, or thoughts would be appreciated. See http://isc.sans.org/port_details.php?port=3306&days=70

Osama Captured SPAM. There is yet another email going around that claims to have photos about Osama bin Laden's capture. Like the ones that circulated last spring and summer, this one points to a site containing hostile Java scripting. Watch for flows going to the 218.30.123.0/24 subnet in your outbound logs.

Thoughts on Hotel Wireless. This past week I had the pleasure of teaching SANS's Security Essentials course to a group of 25 US Government students. They were a great class and had plenty of good questions, comments, and ideas. One topic we discussed was the use of open wireless devices in hotels and other public locations. A few of the students asked me after class for specific information on how I secured my own laptop and how I use it on open wireless networks. That made me realize that others might want to know the same thing.

In my case, I use a laptop with built a built-in wireless card. The radio can be turned on and off via the keyboard, which is a nice feature. I pay a commercial service for nation-wide 802.11b/g roaming, which typically gives me access in most major airports, popular coffee shops, and popular package shipping and office support stores. They support the IEEE 802.1x security standard with WiFi Protected Access (WPA), which is "good enough" for most of us. However, many times I'm in a hotel that offers wireless without any encryption, not even WEP. So that leaves me with only one choice - a personal VPN.

Many companies offer VPN capability for their employees, but if you are a do-it-yourselfer or your employer does not have a VPN service you are not out of luck. I have a hosting service that takes care of my domain names and with it I get a standard Unix shell account (no, I'm not using Panix!) Using an SSH client on my laptop connected to my Unix shell account, I simply map any ports I want to protect from wireless eavesdropping (110 for POP3 and 25 for SMTP are a good start) over to my SSH tunnel. For ease of numbering, pick a starting point that is an even thousand (like 3000 or 4000) then map each port in a manner that is easy to remember. For example, map 110 to 3110 and 25 to 3025. On my email client I changed the POP and SMTP settings to point to myself (localhost) at the ports I mapped over to SSH.

Most SSH clients have the specific details on port mapping in their help or MAN pages.

For those in the United States who have tomorrow off, happy Martin Luther King day! For everybody else, hope you enjoy your Monday!
Marcus H. Sachs

Handler on Duty

Keywords:
0 comment(s)
Diary Archives