Evil Lurks on Porn Sites. Justin sent us a link to a porn site that asks visitors to download and install an executable that contains all of the naughty photos. Boy, were we tempted to download and open that file! Being good incident handlers we remained calm and first ran the executable through one of our favorite scanners. We found it to be just what we expected, a bot variant of some sort. Watch your logs for downloads of "linda.exe" and if you see it then perhaps you got bot.
Workarounds vs Patches. Vinicius sent us a nice note reminding everybody that sometimes we can't immediately patch but that the vendor's workarounds are good security steps to take anyway. He suggests,
I think that we, in general, are too used to say "patch now",
Hopster Signatures. Mike would like to know if anybody has developed any good Snort signatures for Hopster. If so, please send them to us via the contact form and we'll make them available for everybody.
SSH Scans Continue. Sebastian wrote to tell us that SSH scans continue unabated and that one of his customers lost a box to a brute force attack. Many virtual hosting companies are now disabling root logins via SSH, requiring customers to log in with an unprivileged account then su to root when needed. Good advice for anybody with an SSH service running. Find your SSH config file (/etc/sshd.config on many systems) and check to make sure this line appears:
ISC RSS Feed. Thanks to an anonymous reader, we found out that our RSS feed was kaput. It's back up now - http://iscxml.sans.org/rssfeed.xml
More phpBB Issues. Reg worked with a few of our handlers today to solve a recent phpBB issue with one of his servers. Something seems to be amiss with the "admin_forums.php" script and it resulted in a compromise with backdoor. We did some looking around and it seems that others have seen it too:
If you have seen anything like this, please let us know.
Darwin Was Right. For those who don't hang out on Slashdot, there is a very amusing story going around about a young hacker who tried to raid an opponent's computer after being kicked out of a chat channel. Even Paul Harvey mentioned it today in his radio show. The rest of the story is at
Have a great weekend!
Marcus H. Sachs
Handler on Duty
Apr 29th 2005
|Thread locked Subscribe||
Apr 29th 2005
1 decade ago