Combined exploits of MS vulnerabilities, port 1981 increase

Published: 2004-04-17
Last Updated: 2004-04-18 00:43:59 UTC
by Jim Clausing (Version: 1)
0 comment(s)
Possible combined exploits of MS vulnerabilities

It has been a very quiet day, but we are hearing rumors of possible "super" exploits that may target several of the vulnerabilities announced by Microsoft on Tuesday. We've been contacted by an individual who have have been infected such an exploit, but investigation of this is still underway.



Increase in port 1981 activity

There has been an increase in scanning activity targetting port 1981 (possibly Bowl or Shockrave trojan activity, perhaps not) over the last 10 days or so. If anyone has captured any of this activity, we'd like to see the captures.



Yet another signature for sslbomb

We have yet another signature for the sslbomb exploit, some of the earlier ones have been prone to a fair amount of false positives. We'd be interested in how well any of these signatures are working.

alert tcp $EXTERNAL_NET any -> $HOME_NET 443 ( \
msg: "handlers - alpha - SSL DoS Short Client Handshake"; \
content: "|0d06 092a 8648 86f7 0d01 0104 0500 3081|"; depth: 64; \
content: "|0b30|"; distance: 2; \
content: "|0355|"; distance: 2; \
sid: 1090006; rev: 1;)



-------------------------------

Jim Clausing, handler on duty
Keywords:
0 comment(s)

Comments


Diary Archives