Shamrocks and March Madness; Perl bots; MS05-004 update
To all the Irish and Irish-at-heart out there, a Happy St. Patrick's Day. (Warning US-centric comment coming next) For those of you who, like me, are college basketball fans, enjoy the next several days of 12+ hours a day of basketball. I know I will. :)
Our intrepid readers (thanks, to the Telenor folks), sent us a copy of 2 bots, written in Perl, that were being installed via an AWSTATS exploit (see
http://isc.sans.org/diary.php?date=2005-03-01 and
http://isc.sans.org/diary.php?date=2005-01-31
). The second appears to be an updated version with greater functionality. The irc command and control channel for the first variant seems to be down, the second one appears to still be up and the websites from which the malware was being downloaded are still live. Admins might want to check their proxy or firewall logs for traffic going to xii.altervista.org and poff.altervista.org.
Thanks to Juha-Matti for pointing out that the ASP.NET bulletin from February has been updated. Apparently the Caveats section of KB887219 has been updated based on user experience, but, of course, all our loyal readers have already patched, right? :)
-----------------
Jim Clausing, jclausing at isc dot sans dot org
Perl bots
Our intrepid readers (thanks, to the Telenor folks), sent us a copy of 2 bots, written in Perl, that were being installed via an AWSTATS exploit (see
http://isc.sans.org/diary.php?date=2005-03-01 and
http://isc.sans.org/diary.php?date=2005-01-31
). The second appears to be an updated version with greater functionality. The irc command and control channel for the first variant seems to be down, the second one appears to still be up and the websites from which the malware was being downloaded are still live. Admins might want to check their proxy or firewall logs for traffic going to xii.altervista.org and poff.altervista.org.
MS05-004 update
Thanks to Juha-Matti for pointing out that the ASP.NET bulletin from February has been updated. Apparently the Caveats section of KB887219 has been updated based on user experience, but, of course, all our loyal readers have already patched, right? :)
-----------------
Jim Clausing, jclausing at isc dot sans dot org
Keywords:
0 comment(s)
My next class:
LINUX Incident Response and Threat Hunting | Online | US Eastern | Jan 29th - Feb 3rd 2025 |
×
Diary Archives
Comments