Skype; Grepping Weblogs; COAST; ISTS News


Paul wrote about his firewall dropping a "huge amount" of packets after
Skype was installed on a host behind the firewall, and he suspected a backdoored
version. Skype, a very popular Voice over IP (VoIP) application, shows exactly
this behavior as a result of its normal operation. Skype is a peer-to-peer
application, very much like Napster and others. In order to relay the voice data,
it establishes connections with numerous peers, and will relay traffic for those
peers even while you are not "on the phone". The dropped packets are the visible
side effect of that peer traffic reaching the firewall, not by themselves a sign
of a backdoor.

phpBB worms (and awstats exploits)

We continue to receive reports about various phpBB worms. The worms attack
various vulnerabilities, some of them quite old. More recent worms no longer
limit themselves to well known phpBB pages like 'viewfiles'; they just probe
random URLs.

awstats, another web application for which vulnerabilities were published
recently, is another favorite.

Here is a quick 'grep' result from our own ISC web server.

I am using this shell one-liner to extract requests of interest from the
(combined-format) access log: the first cut isolates the quoted request line,
the second cut isolates the requested URL, and the grep keeps only URLs that
contain a ';', the usual marker of an attempted command injection:
cut -d'"' -f2 < access_log | cut -f2 -d' ' | grep ';'

Some highlights:




Adding a quick 'sort -u | wc -l' to the grep above suggests 45
unique attempts. Note that some of the URLs hit look like they were
extracted from links found on other sites, and modified to insert
the exploit.
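To show the pipeline above working end to end, here is an added example (not part of the original diary, and the log lines in it are constructed, not ISC data). It wraps the diary's one-liner in a function, counts the unique hits the same way, and adds two things a practitioner will want: an awk variant that also catches the URL-encoded form of ';' (%3B), which the plain grep misses, and a per-source-IP tally. The paths and parameters in the sample are placeholders, not real exploit URLs.

```shell
#!/bin/sh
# Constructed Apache "combined" format access_log sample (NOT real ISC data).
# Lines 2, 3 and 5 carry a literal ';' in the URL; line 4 carries it URL-encoded
# as %3B; line 1 is benign. Lines 2 and 3 are the same URL from the same client.
SAMPLE_LOG='192.0.2.10 - - [03/Mar/2005:10:00:01 -0500] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/4.0"
192.0.2.11 - - [03/Mar/2005:10:00:02 -0500] "GET /forum/viewtopic.php?t=1&highlight=;echo HTTP/1.1" 200 5678 "-" "Mozilla/4.0"
192.0.2.11 - - [03/Mar/2005:10:00:03 -0500] "GET /forum/viewtopic.php?t=1&highlight=;echo HTTP/1.1" 200 5678 "-" "Mozilla/4.0"
192.0.2.12 - - [03/Mar/2005:10:00:04 -0500] "GET /cgi-bin/awstats.pl?x=%3Becho HTTP/1.1" 404 210 "-" "Mozilla/4.0"
192.0.2.13 - - [03/Mar/2005:10:00:05 -0500] "GET /forum/viewtopic.php?t=2&highlight=;id HTTP/1.1" 200 5678 "-" "Mozilla/4.0"'

# The diary's pipeline, reading a log on stdin:
#   split on '"'  -> field 2 is the request line:  GET /path HTTP/1.1
#   split on ' '  -> field 2 is the request target: /path
#   keep only targets containing a literal ';'
suspicious_requests() {
    cut -d'"' -f2 | cut -d' ' -f2 | grep ';'
}

# Unique suspicious URLs, as in the diary's 'sort -u | wc -l' (tr strips the
# leading blanks some wc implementations print).
count_unique_attempts() {
    printf '%s\n' "$SAMPLE_LOG" | suspicious_requests | sort -u | wc -l | tr -d ' '
}

# Variant that keeps the whole log line (so the client IP survives) and also
# matches the URL-encoded ';' (%3B, case-insensitive) the plain grep misses.
suspicious_lines() {
    awk -F'"' '{ split($2, r, " "); if (tolower(r[2]) ~ /;|%3b/) print }'
}

# Which sources are responsible: count matching lines per client IP.
top_sources() {
    printf '%s\n' "$SAMPLE_LOG" | suspicious_lines | cut -d' ' -f1 | sort | uniq -c | sort -rn
}

echo "unique attempts (literal ';' only): $(count_unique_attempts)"
echo "top sources (including %3B-encoded hits):"
top_sources
```

Against the constructed sample the diary's grep sees three hits (two unique URLs) while the awk variant sees four, the difference being the %3B-encoded request; on a real log that gap is the first thing to check before trusting the count.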


In a past diary, we published excerpts from an offer made by a Spyware/Adware
company. This letter was directed to a game software developer and included
a note that the Adware maker hoped to obtain a "COAST Certification".
COAST was originally founded as an anti-Spyware/Adware organization, but has
come under some scrutiny recently, as reader Robert pointed out. As usual,
buyer beware. Flashy "seals" may not only be outright fake; in
some cases you have to look deeper to figure out what they are actually


A couple of alert readers noticed that the ISTS news is missing. ISTS changed
its format, and the news will be back as soon as the new parser is working.


Johannes Ullrich,

CTO SANS Internet Storm Center


ISC Handler
Mar 3rd 2005
