Port 41523/tcp

Port 41523/tcp is still the port to watch today.
http://isc.sans.org/port_details.php?port=41523

The small number of sources indicates that this is likely not a worm, but
a recognizance/target list acquisition operation. An exploit against ARCServe,
which is commonly listening on this port, is easily available.

The Top 10 IPs scanning for this port right now:

+-----------------+-----------+

| IP              | AS Number |

+-----------------+-----------+

| 129.120.055.067 |       589 |

| 066.243.030.084 |     16852 |

| 066.011.128.151 |     11817 |

| 148.245.198.131 |      6503 |

| 062.058.035.115 |     13127 |

| 062.073.174.092 |      2914 |

| 156.054.253.023 |      3269 |

| 217.059.017.034 |      3269 |

| 024.157.087.120 |       812 |

| 195.172.166.182 |      4589 |

+-----------------+-----------+

a more comprehensive list may follow later.

Linux exploit

An exploit was released for the recently discovered local privilege escalation
vulnerabilities. The vulnerability information was released today as well.

Vulnerability details:

http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html

Phishing Name Server

The DNS server 'NS1.SPX2K.com' currently hosts the following domains
CITIFINANCUPDATE.com, SAFE-KEYNET.com, WAMU4U.com, WAMUCORP.com
which appear to be phishing related. The use of actual 'valid' domains
like this opens up the possibility that they are used with SSL certificates.
The whois info for these domains appears to be fake.

New Feature: tcp %

We do get requests, to better differentiate between tcp and udp in our
port reports. One reason we don't do this much is that for most ports, only
udp or tcp is actually used (e.g port 80 is almost exclusively tcp,
However, for some ports this is not so clear. All 'port detail' pages now
include a new column (see the 'raw data' section below the graph) which
shows what % of the reports are TCP. As a sample see port 53:

http://isc.sans.org/port_details.php?port=53

Only about 2% of the traffic reported to DShield on this port is tcp. Of
course, in this case this may be the interesting traffic.

New RSS Feed Test

I am experimenting with a different RSS feed format. To see a preview,
check http://isc.sans.org/rssfeed_new.php and let us know if it works
better/worse for you.

ssh attacks

still the same thing. Brute forcing tons of common usernames. This time,
Neil sent us a log showing about 300 usernames. The best way to report ssh scans
is via DShield. See http://www.dshield.org/howto.php for details.

MSRC Blog

Members of the Microsoft Security Response Center started posting
their own blog at http://spaces.msn.com/members/msrc/ which
includes some nice insights about issues with patches, security
response and neat tools.

-----------------
Johannes Ullrich, jullrich\\;-)//sans.org

CTO SANS Internet Storm Center