SANS Internet Storm Center diary: Administrata; MS05-026 exploits in the field? No, not really; OpenRBL ist Kaput; Passive Reconnaissance and the Disaster Response threat-space; mod_jrun exploit sweep


This is the after-lunch update. I usually like to have morning, afternoon, and closing commentary updates, but I wanted to let Lorna's fine overview of the risks of moving and identity theft get a bit more eyeball time. One should go back and read the weekend's diaries as part of their Monday morning exercises.

MS05-026 exploits in the field?

The first incident of my shift involved an active exploit of MS05-026 (ED: no, Kevin, it's actually MS05-001, as we see below). A spam message was blasted out to potential "customers," including the link to the poisoned website. It leveraged the MS05-026 (MS05-001, see above) HTML Help remote code execution (no, security zone bypass) vulnerability to install a Haxdoor variant on the visitor (well, I got one part right).

Update: The following AV tools detect the initial Help Control exploit:

Antivirus    Version         Update      Result
ClamAV       devel-20050501  06.20.2005  Exploit.Helpcontrol
eTrust-Iris                  06.19.2005  HTML/HelpControl!Exploit!Trojan
eTrust-Vet                   06.20.2005  HTML.HelpControl!exploit
Fortinet                     06.20.2005  VBS/Phel.A-trM
Sybari       7.5.1314        06.20.2005  HTML/HelpControl!Exploit!Trojan

The following AV tools detect the Trojan dropped:

Antivirus    Version    Update      Result
AntiVir                 06.20.2005  BDS/Haxdoor.CW
Avira                   06.20.2005  BDS/Haxdoor.CW
Fortinet                06.20.2005  W32/Haxdor.3048-tr
Kaspersky               06.20.2005
McAfee       4517       06.20.2005  BackDoor-BAC.gen.b
NOD32v2      1.1146     06.20.2005  a variant of Win32/Haxdoor
Sybari       7.5.1314   06.20.2005
Symantec     8.0        06.20.2005  Backdoor.Haxdoor.D
TheHacker               06.20.2005  Backdoor/
VBA32        3.10.3     06.20.2005

I'd prefer not to post further details at this time, to avoid false positives or exposing readers to real danger.

Update: If one were to do one's job and follow up on what Exploit.Helpcontrol really triggered on, a few minutes of effort would finally turn up a link to:
Ahh, such is the dangerous life of a volunteer incident handler, living on the edge of exposing your stupidity and suffering the wrath of readers. :-)
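The detections above all key on the page instantiating the HTML Help ActiveX control. As an added example (not part of the diary, and not the sample the handler analysed), here is a small content filter of the kind one would run at a mail or web gateway: it parses HTML and flags any `<object>` whose classid is the HTML Help control's well-known CLSID, any codebase pulling in hhctrl.ocx, and any attribute that points at a .chm file via the ms-its:/mk:@MSITStore: handlers. The CLSID is assumed from public Microsoft documentation; the two sample pages are constructed, and the host name in them is a placeholder.

```python
from html.parser import HTMLParser

# CLSID of the HTML Help ActiveX control (HHCtrl.ocx), the control the
# MS05-001 bulletin concerns. Assumed from public documentation.
HHCTRL_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"


class HelpControlFinder(HTMLParser):
    """Collects evidence that a page instantiates the HTML Help control
    or reaches into a compiled help (.chm) file."""

    def __init__(self):
        super().__init__()
        self.findings = []          # list of (where, value) tuples

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "object":
            classid = attrs.get("classid", "").lower()
            codebase = attrs.get("codebase", "").lower()
            if HHCTRL_CLSID in classid:
                self.findings.append(("object-clsid", classid))
            if "hhctrl.ocx" in codebase:
                self.findings.append(("object-codebase", codebase))
        # Any attribute on any tag that addresses CHM content directly
        for name, value in attrs.items():
            low = value.lower()
            if low.startswith(("ms-its:", "mk:@msitstore:")) or low.endswith(".chm"):
                self.findings.append((f"{tag}@{name}", value))


def scan_html(text):
    """Return all Help-control indicators found in an HTML document."""
    parser = HelpControlFinder()
    parser.feed(text)
    parser.close()
    return parser.findings


def is_suspicious(text):
    """True when the document shows any Help-control indicator."""
    return bool(scan_html(text))


# Constructed sample pages; example.invalid is a placeholder host.
BENIGN = "<html><body><a href='/docs/index.html'>Docs</a></body></html>"
SUSPECT = """<html><body>
<object id="hhctl" classid="clsid:ADB880A6-D8FF-11CF-9377-00AA003B7A11"></object>
<a href="ms-its:http://example.invalid/archive.chm::/start.htm">open</a>
</body></html>"""

if __name__ == "__main__":
    for label, page in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, "->", scan_html(page))
```

A gateway would normally quarantine on the first finding rather than render a list; the list form is kept here so the reason for each block is visible to the analyst.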

OpenRBL ist Kaput

Visitors to the OpenRBL site are greeted with a message reporting the demise of this free service. They are reporting that one can find similar services from and

Passive Reconnaissance and the Disaster Response Threat-space

While shopping for a gift for my old man last week, my attention was grabbed by Michal Zalewski's "Silence on the Wire: a Field guide to Passive Reconnaissance and Indirect Attacks". From a simple flip through, it looks like some thought-provoking chapters are in there. I picked up a copy, because I can't resist another book to put on the bookshelf.

Recently, I participated in a disaster response drill with the State and Local Governments simulating a mass casualty accident. While managing my other duties in the drill, I took the opportunity to set up some passive sensors in the response centers to see what a potential attacker could pick up on when a massive group of first- and second-responders converge on a disaster scene.


There were the expected open 802.11x WAPs, but I was pleased not to see a plethora of wide-open Bluetooth devices full of juicy government contact numbers. This may simply have been caused by a lack of funds on the part of said governments to equip their staff with spiffy new cell phones, though.
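A passive sensor of the kind described above does nothing but listen to beacon frames, so the "open WAP" finding comes down to reading each beacon's capability field and information elements. The following is an added example, not the handler's own tooling: it parses a raw 802.11 beacon (24-byte MAC header, fixed fields, then information elements), recovers the SSID, and classifies the network as open, WEP, WPA or WPA2 from the privacy bit, the vendor WPA element and the RSN element. The survey frames are constructed for the demonstration (and the RSN/WPA elements are shortened to the minimum the classifier needs); the SSIDs are invented.

```python
import struct

IE_SSID = 0
IE_RSN = 48                            # Robust Security Network element (WPA2)
IE_VENDOR = 221
WPA_OUI_TYPE = b"\x00\x50\xf2\x01"     # Microsoft OUI + type 1 = WPA element
CAP_PRIVACY = 0x0010                   # bit 4 of the capability field


def parse_beacon(frame):
    """Return (ssid, security) for a raw beacon frame without FCS."""
    if len(frame) < 24 + 12:
        raise ValueError("frame too short")
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc & 0x00FC) != 0x0080:        # type 0 (management), subtype 8 (beacon)
        raise ValueError("not a beacon frame")
    body = frame[24:]
    _timestamp, _interval, cap = struct.unpack_from("<QHH", body, 0)
    ssid, has_rsn, has_wpa = None, False, False
    off = 12
    while off + 2 <= len(body):        # walk the id/len/data elements
        ie_id, ie_len = body[off], body[off + 1]
        data = body[off + 2: off + 2 + ie_len]
        if len(data) != ie_len:
            raise ValueError("truncated information element")
        if ie_id == IE_SSID:
            ssid = data.decode("utf-8", "replace")
        elif ie_id == IE_RSN:
            has_rsn = True
        elif ie_id == IE_VENDOR and data[:4] == WPA_OUI_TYPE:
            has_wpa = True
        off += 2 + ie_len
    if has_rsn:
        security = "WPA2"
    elif has_wpa:
        security = "WPA"
    elif cap & CAP_PRIVACY:
        security = "WEP"               # privacy bit set but no WPA/RSN element
    else:
        security = "open"
    return ssid, security


def build_beacon(ssid, cap, extra_ies=b""):
    """Construct a minimal beacon frame (constructed test data, not a capture)."""
    header = (bytes([0x80, 0x00, 0x00, 0x00])        # frame control, duration
              + b"\xff" * 6                            # addr1: broadcast
              + b"\x02\x00\x00\x00\x00\x01" * 2        # addr2/addr3: made-up BSSID
              + b"\x00\x00")                           # sequence control
    fixed = struct.pack("<QHH", 0, 100, cap)           # timestamp, interval, capability
    ssid_ie = bytes([IE_SSID, len(ssid)]) + ssid.encode()
    return header + fixed + ssid_ie + extra_ies


RSN_IE = bytes([IE_RSN, 2, 0x01, 0x00])                # version field only
WPA_IE = bytes([IE_VENDOR, 6]) + WPA_OUI_TYPE + b"\x01\x00"

# Constructed survey: 0x0001 = ESS only; 0x0011 = ESS + privacy bit
SURVEY = {
    "EOC-Public": build_beacon("EOC-Public", 0x0001),
    "TriageNet": build_beacon("TriageNet", 0x0011),
    "MobileCmd": build_beacon("MobileCmd", 0x0011, WPA_IE),
    "StateOps": build_beacon("StateOps", 0x0011, RSN_IE),
}


def open_networks(frames):
    """SSIDs whose beacons advertise no encryption at all."""
    return sorted(ssid for ssid, sec in (parse_beacon(f) for f in frames) if sec == "open")


if __name__ == "__main__":
    for name, frame in SURVEY.items():
        print(parse_beacon(frame))
    print("open:", open_networks(SURVEY.values()))
```

For a real deployment the frames would come from a monitor-mode interface; the classification logic is unchanged, and the open list is what one hands to the responders' IT staff after the drill.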

Mod_jrun exploits spotted

Ben, a reader, has spotted an uptick in exploit attempts against mod_jrun on his servers.

And as always, make sure you've patched Macromedia JRun.
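Ben noticed the uptick by watching his servers; the following is an added example (not Ben's or the ISC's code) of how to spot the same thing in an Apache combined access log. It groups requests for paths the JRun connector would pass to the application server by client address and flags a client that hits many distinct such paths with mostly 4xx/5xx responses, which is what a sweep looks like from the web server's side. The log lines are constructed and use documentation IP ranges; the path patterns and thresholds are assumptions to be adjusted to your own JRun mappings.

```python
import re
from collections import defaultdict

# Apache "combined" format; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Paths the connector would normally hand to JRun. Assumption: tune to your
# own mappings (JRunConfig Mappings) rather than using this list as-is.
JRUN_PATH_RE = re.compile(r'(\.jsp\b|/servlet/)', re.IGNORECASE)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def jrun_sweeps(lines, min_requests=5, min_distinct_paths=4, error_ratio=0.5):
    """Flag clients whose JRun-bound requests look like a sweep: at least
    min_requests requests to at least min_distinct_paths different paths,
    with at least error_ratio of them answered 4xx/5xx."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and JRUN_PATH_RE.search(rec["path"]):
            per_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in per_ip.items():
        paths = {r["path"] for r in recs}
        errors = sum(1 for r in recs if r["status"] >= 400)
        if (len(recs) >= min_requests and len(paths) >= min_distinct_paths
                and errors / len(recs) >= error_ratio):
            flagged[ip] = {"requests": len(recs), "paths": len(paths), "errors": errors}
    return flagged


# Constructed sample log (documentation address ranges, invented paths).
SAMPLE_LOG = """\
192.0.2.10 - - [20/Jun/2005:13:01:02 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
192.0.2.10 - - [20/Jun/2005:13:01:05 -0400] "GET /app/login.jsp HTTP/1.1" 200 2210 "-" "Mozilla/4.0"
198.51.100.7 - - [20/Jun/2005:13:02:00 -0400] "GET /servlet/admin HTTP/1.0" 404 291 "-" "-"
198.51.100.7 - - [20/Jun/2005:13:02:00 -0400] "GET /servlet/test HTTP/1.0" 404 291 "-" "-"
198.51.100.7 - - [20/Jun/2005:13:02:01 -0400] "GET /examples/foo.jsp HTTP/1.0" 404 291 "-" "-"
198.51.100.7 - - [20/Jun/2005:13:02:01 -0400] "GET /jrun/status.jsp HTTP/1.0" 500 0 "-" "-"
198.51.100.7 - - [20/Jun/2005:13:02:02 -0400] "GET /app/login.jsp HTTP/1.0" 200 2210 "-" "-"
"""

if __name__ == "__main__":
    for ip, stats in jrun_sweeps(SAMPLE_LOG.splitlines()).items():
        print(ip, stats)
```

The error-ratio test keeps a busy legitimate user of the application out of the list; a sweep probes paths that mostly do not exist, so its responses are dominated by 404s, while a real session keeps returning 200s on the few paths the application actually serves.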

Solstice Wishes

Remember to have a nice solstice, be it winter or summer in your area!

Kevin Liston
ISC Handler
Jun 20th 2005